Analysis Overview
SHA256
6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003
Threat Level: Known bad
The file 6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N was found to be: Known bad.
Malicious Activity Summary
Detects MyDoom family
MyDoom
Executes dropped EXE
Adds Run key to start application
UPX packed file
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-30 22:43
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-30 22:43
Reported
2024-09-30 22:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Detects MyDoom family
MyDoom
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
UPX packed file
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2408 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe
"C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 140f77434302c1e1791284244bc5ae37 |
| SHA1 | 08bab20c6c0404122284a22cac6833f217a524c0 |
| SHA256 | edf327c7bca98f1399425bcf7ee34cc896f6e2dbdbd8bcde8a9ad54230afea52 |
| SHA512 | eb7b8161eb462270425b58001808cae2dfa693ca522ad604f3df474c4e8c52dc4658011c7b7be49e017ddc856ba5ee85c0b41828511a0694f81bde5402655a1b |
C:\Users\Admin\AppData\Local\Temp\tmpE12D.tmp
| MD5 | d01714e664f1bc26feed3d0f68bfb64e |
| SHA1 | 5e464c4dc0e2f4922a9029a9ac65d7b80528a525 |
| SHA256 | 120da9c76581e6df33c7d5c2b6c41d601e5e0dcb467c87bb5cb38dabfe145f65 |
| SHA512 | 13ad05e6c0fe8c9450352bcf38e7aab5bfa3511230c95b387a135468a3631e48fe1b700785e55779e3dd24a61f15223bbcd68d6ea6eff14098ed9e41a603dc5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-30 22:43
Reported
2024-09-30 22:45
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Detects MyDoom family
MyDoom
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
UPX packed file
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4060 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe
"C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 22c5ed66afec64fc6b955d29b8c6b404 |
| SHA1 | 5aa4c27a1e00178117d0335b900c9d738ded94d3 |
| SHA256 | ae1c51e840ae5b26ca5aedcf3d6fe12caea02af901dd4fe424ab9548cbe55088 |
| SHA512 | 623327a3384ee0236a9b8de8aa8420a5f5c25981992a2346069411fe8e45628a1240425239603748bcc8f52549b857bb89117794ed396354c6a2e940c2c0e7ac |
C:\Users\Admin\AppData\Local\Temp\tmp70C3.tmp
| MD5 | 6bdf42803f6d9cc6c23896817a9771c0 |
| SHA1 | 4f262024577c63d91003f21db0420b3871a0c3d5 |
| SHA256 | b1122a77575a28ec66b7ac9e33fe6f07bdd3dd0d57a30c44411d24a62c0a13b0 |
| SHA512 | 4519347d834934e66b23a1cc90a22de381481ca0b08b51bcf7aec38cdfda7c40fdf0f4d872774308688753c18156a7ec115071f8393e6a1893b645e63609d3cc |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 90d1e75a58a5568d3040cfd8a9d1fd66 |
| SHA1 | 4e1671a313cdcc673efc5ae3ec6d4e43a3763682 |
| SHA256 | 82f0b30ce7527e03928bf967211f81932012b47f38b037211f987238583f7ac7 |
| SHA512 | 9337a67ae2a9ce875256d2ecf955a1ef10f13ab4505a4959e153fe4ebecb4f91fdd11d150fda7c0d79e72958c7bac9361bd72208881a1b3f53d4ccd7d0743461 |