mydoom | 5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
Size

29KB
MD5

4ab7453ea106b224b57179a8497ec1d8
SHA1

07ea73fc8b094e52d2b6a8d9a154622769e57025
SHA256

5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f
SHA512

3c6108aa2ad4a014d2245d0cc71034affe66ed40f77884a474147a9155a69a5c923fd8585853b133259c8c661d025fc6308e0bafef5a89e29d2b6d67244a3981
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/3:AEwVs+0jNDY1qi/q/

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1236-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1236-43-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1236-65-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1236-69-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1236-71-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1236-81-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1236-83-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1236-88-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3052 services.exe

pid	process
3052	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exe5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1236-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1236-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral1/memory/3052-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1236-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3052-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1236-43-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3052-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpF9CC.tmp	upx
behavioral1/memory/3052-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1236-65-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3052-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1236-69-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3052-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1236-71-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3052-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1236-81-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1236-83-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3052-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3052-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1236-88-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe

description	ioc	process
File created	C:\Windows\services.exe	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
File opened for modification	C:\Windows\java.exe	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
File created	C:\Windows\java.exe	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exeservices.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe

description	pid	process	target process
PID 1236 wrote to memory of 3052	1236	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe	services.exe
PID 1236 wrote to memory of 3052	1236	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe	services.exe
PID 1236 wrote to memory of 3052	1236	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe	services.exe
PID 1236 wrote to memory of 3052	1236	5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe
"C:\Users\Admin\AppData\Local\Temp\5c48527bcf68c7c824fc4b8c0e79397ee2d75e56eb896ce438d4633c734ac59f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65ad7529512f97c886e2cf543ad177d3

SHA1
9583c1352b4449e689b215a29fac4f855d6dc75d

SHA256
1325bcd8143f4799f1a511b72597301e65edea4f079a2acdada01be4af073640

SHA512
a0a56c797d172919e0b1b9a3cafc01fae7a0106f2d0d29ad0a8e15af6ebe7539ce986d851fd9593b013f020adc411e44a3472202c3cbd3a248e1f446566df013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd292b42a93be2c10fa8b64434c27108

SHA1
6653fc607681d09c6074233834a614af6b999ff4

SHA256
cd1873010bfda62396b7e817b741769c528930a549cc4b578a1e27d778111135

SHA512
83f09468bba9084046b0097e329325ce23bb9cfe4cf0a028007205829f8303aae3ef518c0829060635ea17102d36b3a2e0559b4566f08f39b1dd6fe8b0670775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee7dc41c2fe33fbab03e469fa1ffcb1b

SHA1
b1a8df2d0d9b913d53d68cf073c399da436924bd

SHA256
f545852165ae459e207593e4b93c3f58956c68908e7a5742274ccdacc0566558

SHA512
6624d5d03081078137949e20d96a517a353701965d4f425f348cda743fd08c5bf4515f02793b8bf78218f79b58e789437603a3d56cf7391e0d31c844fd521685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
259c8d2a7d2e602c53b43827df57d4e1

SHA1
c29b3462a61ca2f165de526f08ddcdc85563c50d

SHA256
98fb022ff1b39c8578427343f2be63d81b708b9787f7c2f53976bc432a7dea32

SHA512
682c00dd92b47fde5cbe90a0767eddf652a0fe16b74ca503fef4a3ccac68fdc8161e88b7dece92992a375ac54e501be45003b1258b4aaf216094c3666f383886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab151.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar200.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9CC.tmp

Filesize
29KB

MD5
004780050a772ef63190d1597eac1397

SHA1
c900167f1db145bf40c4f4ca2db9a04549ef86a2

SHA256
ab33b05d7aaf9c996d13fb410f439969c372c40a10bc29c449d153fe4388ad74

SHA512
67210274a52e5906df17569f568c8123513ffa0e299451c80366e5e795f8f9bbf048b4f6b2dd1a29c7e2e4ca79a3a7530e1d760e2836a16b175406fbc5b3a907

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
9f7b4dcee3490b391ce2a4acfcab06f7

SHA1
06fa77ece744b20b9065541de36441d996994d21

SHA256
efbd94b150e343eeea7759533d851f7b45b672b80203631a752580c4c90d66d9

SHA512
19e95f0af4178e4e7b5a5a07a17d5ffe3eddd2f97266eb4baf57bfa8e1247ac404395bbddbb728864eabf4555d9d22e60fd0f3b6a1108df116e0ad8b65dbb3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
a4c8006e2c0a61fa93bda388b95a4771

SHA1
431cfcf494610eef406d8f95c117320e116c9d1b

SHA256
feec65f935fecbd9bb5d6f724d9db7911ac30290ea9219fe66199c331a196648

SHA512
42396e159b2cdfe68776574e625681e1e62d7825d93728ba77d704914cdc10b02b1911a5700163978c449e9a4174c60ccdcff2c113f50eb45626247223d81e46

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1236-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1236-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-43-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-71-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1236-88-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-65-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-83-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-69-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1236-81-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3052-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download