Malware Analysis Report

2024-12-07 02:15

Sample ID 241117-dbzs4stlgm
Target f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe
SHA256 f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938c
Tags
mydoom discovery persistence upx worm
score
10/10

Analysis Overview

score
10/10

SHA256

f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938c

Threat Level: Known bad

The file f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe was found to be: Known bad.

Malicious Activity Summary

mydoom discovery persistence upx worm

Detects MyDoom family

MyDoom

Mydoom family

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 02:50

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 02:50

Reported

2024-11-17 02:52

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
Process: C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
Process: C:\Windows\services.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\services.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe

"C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.128.8.216:1034 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 10.93.103.153:1034 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
N/A 10.150.78.55:1034 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
N/A 10.202.221.84:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
DE 142.251.9.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.15:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 search.lycos.com udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 www.google.com udp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.134.137:80 r11.o.lencr.org tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 199.89.3.120:25 mail.mailroute.net tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 137.134.221.88.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
N/A 172.16.1.124:1034 tcp
US 8.8.8.8:53 aspmx.l.google.com udp
BE 74.125.71.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 104.17.79.30:25 acm.org tcp
N/A 10.226.153.157:1034 tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.11.4:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 mx.gzip.org udp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 mx.acm.org udp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 tcp
US 209.202.254.10:443 tcp
US 209.202.254.10:443 tcp
GB 172.217.16.228:80 tcp

Files

memory/3904-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1720-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3904-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1720-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1720-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1720-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1720-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1720-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1720-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3904-37-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1720-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3904-39-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1720-40-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 1298f75f7dbf49bccddf08b13bae7602
SHA1 19670733afdfe80e1cd0fd1f8d184e90194b94eb
SHA256 8f8e53f853a18d5c9ae668dc9406464b36166fe0170403f33f30e8f136ee9b29
SHA512 51e181a21df6bec82378c86b567ada499fe4a5f3634533b3f3a03d26f63f3ad1d874abe8108fa124f8f0f68d14efe58f65d748ea967f449b0b006d5db828bb66

C:\Users\Admin\AppData\Local\Temp\tmpA15E.tmp

MD5 6fa4efd405fc38cd0819f50d668b4e50
SHA1 58d6556b7693189b0de97f7e24545ce1380b1a0a
SHA256 45b95a4105fc8352988b5dd82a9b0506507c2ff3f4481f8beda5b43a0aa30738
SHA512 3473c073e2499328d8780499d6ef5d0f921c5dbaee571d1607a1702119ea182f091a20559baece1bc6e3a0f5f5c6de9d982d5d99b75f4b2b385be0ea7f9905c0

C:\Users\Admin\AppData\Local\Temp\tmpA1BF.tmp

MD5 829c37aaa23e131f356773ba049a2c4e
SHA1 107d5d55326f7f90e20f5d8813fc8c46c5f01fa3
SHA256 e3da71749c138db926e7457af32e270030096b64d09dbb14ece215cea8211201
SHA512 05e5ed098847b8d18f8e81c9fa7cc0f8a0151709661cb0f9dd60f0a7c8f18e7c56f6e70b93affb2b155c7972d4a8324530e5adc4cc26471c83271c1d63f4fd17

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 5bfa6e2af4a2574e77676a0866ebb08a
SHA1 78254864ba338d82e5ac69a83b3a6fe1b8bce368
SHA256 de9b8fdcf2d070d9f26e31cf378f825ea50d541a7f08385ce88a98321fea7675
SHA512 def096d449d6bfb2668b7f12f652f40528fb175d1369443759c8b49853beb9ae97da1231c25cec8c67f1e0999ded8d1b7e48373414877b6209420c357791e41d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\I486A2K1.htm

MD5 6c6eba6df667e1e4d8efa2b4491b29ed
SHA1 037cdc1617cc48f689254c7bd6918a832b8baa0e
SHA256 9ae70ecad8659e715d87a40f863d5e1f7a88cc10e33a1d370e9388227432bae8
SHA512 94892cd5c46a4436260d0c815c98e7a4f87db6b284aaed9e23ff967ad213933c6550d835dca3aead6a7fb21f8670061a8ca1a333c2f7257881b99620f664d94c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\search[2].htm

MD5 80fd59b92c1ea955f48029561be0fd95
SHA1 544ec51bac1f8bf102629fa8f60abbcebd9486f2
SHA256 35a9f7725a6b3d1828aa399d1df9dcbd2f07fe3cdf79cbeb8ff40b5cb5a02166
SHA512 c981219e0f1b6e2b0b6a738bf41199ff4fba74b4b86b71c81760ecdb50425c370db056adf72615b10ce82a080f1cd39f45059aeb8d10634540591b93c43760e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9PMCFZKU\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/3904-166-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1720-167-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3904-179-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1720-180-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1720-182-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3904-186-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1720-187-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 7c633b5752550ab16f4cc627a4801d7e
SHA1 1e64c4cdda14b1cee40b702a7a2b4897f21fb4f2
SHA256 ae81be2fb984d9935dbb629d0803c33520ca9e2a1dc6fefc9625fe4a0097513f
SHA512 e5c6c190e5095483bcbfdbdc4ae5e41c0a4a4f44d46b54631c3027f08fdfe3dfe02704875d680eeea059a03e487582cb00e2536c39b92e6c4ea6d3d1ca71ece6

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 02:50

Reported

2024-11-17 02:52

Platform

win7-20240903-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
Process: C:\Windows\services.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
Process: C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\services.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe

"C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.128.8.216:1034 tcp
N/A 10.93.103.153:1034 tcp
N/A 10.150.78.55:1034 tcp
N/A 10.202.221.84:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.9.17:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 172.16.1.124:1034 tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
N/A 10.226.153.157:1034 tcp

Files

memory/2568-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2376-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2568-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2568-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2568-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2568-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2568-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-20-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-34-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-39-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2568-45-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2376-46-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2376-51-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e734bb68db127dbbdca36fcdb889b5ca
SHA1 fdad5f1527fe68e62e1f2e9b85b507d7466e93a9
SHA256 f25ea56088124a0e2ba98f0b8fce9e60be89cb94b40a07f73ed6477801658f37
SHA512 d1d70615eb939cc656c4c68a866e00f5101c6d964016a9d647a8ec1b2699b786b131af6fe34a7fe6ba1d0a33ad6b39d406064ca702bacf15153204d828779c47

C:\Users\Admin\AppData\Local\Temp\tmpF911.tmp

MD5 3ddcccc63c4789978c44d8e69a4507f9
SHA1 b5f3ec736231fea9533833f215cab4e8bad2d38e
SHA256 bcaaa7aa82fc52d5ac48d11f7833d8c1684da12cfcbac2374b5521e8f29b527c
SHA512 0bbd2cf140ff822d43e69779a509b0d305d9de3b518f97ffbf7b9340b0611f065be045d1be047ed0adb2467f806e10864d667511a81af47823b5ea502170fc46

memory/2568-74-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2376-75-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2568-76-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2376-77-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2568-81-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2376-82-0x0000000000400000-0x0000000000408000-memory.dmp