Analysis Overview
SHA256
f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938c
Threat Level: Known bad
The file f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe was found to be: Known bad.
Malicious Activity Summary
Detects MyDoom family
MyDoom
Mydoom family
Executes dropped EXE
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 02:50
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 02:50
Reported
2024-11-17 02:52
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Detects MyDoom family
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MyDoom
Mydoom family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3904 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | C:\Windows\services.exe |
| PID 3904 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | C:\Windows\services.exe |
| PID 3904 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe
"C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.128.8.216:1034 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 10.93.103.153:1034 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| N/A | 10.150.78.55:1034 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| N/A | 10.202.221.84:1034 | tcp | |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | alt2.aspmx.l.google.com | udp |
| DE | 142.251.9.26:25 | alt2.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 199.89.3.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 65.254.254.52:25 | mx.burtleburtle.net | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.194.15:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.134.137:80 | r11.o.lencr.org | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 199.89.3.120:25 | mail.mailroute.net | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.134.221.88.in-addr.arpa | udp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 172.16.1.124:1034 | tcp | |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| BE | 74.125.71.27:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 104.17.79.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 204.13.239.180:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 104.17.79.30:25 | acm.org | tcp |
| N/A | 10.226.153.157:1034 | tcp | |
| US | 8.8.8.8:53 | aspmx5.googlemail.com | udp |
| SG | 74.125.200.26:25 | aspmx5.googlemail.com | tcp |
| US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 65.254.254.52:25 | mx.burtleburtle.net | tcp |
| US | 8.8.8.8:53 | outlook.com | udp |
| US | 8.8.8.8:53 | outlook-com.olc.protection.outlook.com | udp |
| US | 52.101.11.4:25 | outlook-com.olc.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | mx.gzip.org | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | mail.gzip.org | udp |
| US | 85.187.148.2:25 | mail.gzip.org | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | mx.acm.org | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | mail.acm.org | udp |
| US | 8.8.8.8:53 | smtp.acm.org | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | tcp | |
| US | 209.202.254.10:443 | tcp | |
| US | 209.202.254.10:443 | tcp | |
| GB | 172.217.16.228:80 | tcp |
Files
memory/3904-0-0x0000000000500000-0x0000000000510200-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/1720-6-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3904-13-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1720-15-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1720-16-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1720-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1720-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1720-28-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1720-33-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3904-37-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1720-38-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3904-39-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1720-40-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 1298f75f7dbf49bccddf08b13bae7602 |
| SHA1 | 19670733afdfe80e1cd0fd1f8d184e90194b94eb |
| SHA256 | 8f8e53f853a18d5c9ae668dc9406464b36166fe0170403f33f30e8f136ee9b29 |
| SHA512 | 51e181a21df6bec82378c86b567ada499fe4a5f3634533b3f3a03d26f63f3ad1d874abe8108fa124f8f0f68d14efe58f65d748ea967f449b0b006d5db828bb66 |
C:\Users\Admin\AppData\Local\Temp\tmpA15E.tmp
| MD5 | 6fa4efd405fc38cd0819f50d668b4e50 |
| SHA1 | 58d6556b7693189b0de97f7e24545ce1380b1a0a |
| SHA256 | 45b95a4105fc8352988b5dd82a9b0506507c2ff3f4481f8beda5b43a0aa30738 |
| SHA512 | 3473c073e2499328d8780499d6ef5d0f921c5dbaee571d1607a1702119ea182f091a20559baece1bc6e3a0f5f5c6de9d982d5d99b75f4b2b385be0ea7f9905c0 |
C:\Users\Admin\AppData\Local\Temp\tmpA1BF.tmp
| MD5 | 829c37aaa23e131f356773ba049a2c4e |
| SHA1 | 107d5d55326f7f90e20f5d8813fc8c46c5f01fa3 |
| SHA256 | e3da71749c138db926e7457af32e270030096b64d09dbb14ece215cea8211201 |
| SHA512 | 05e5ed098847b8d18f8e81c9fa7cc0f8a0151709661cb0f9dd60f0a7c8f18e7c56f6e70b93affb2b155c7972d4a8324530e5adc4cc26471c83271c1d63f4fd17 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 5bfa6e2af4a2574e77676a0866ebb08a |
| SHA1 | 78254864ba338d82e5ac69a83b3a6fe1b8bce368 |
| SHA256 | de9b8fdcf2d070d9f26e31cf378f825ea50d541a7f08385ce88a98321fea7675 |
| SHA512 | def096d449d6bfb2668b7f12f652f40528fb175d1369443759c8b49853beb9ae97da1231c25cec8c67f1e0999ded8d1b7e48373414877b6209420c357791e41d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\I486A2K1.htm
| MD5 | 6c6eba6df667e1e4d8efa2b4491b29ed |
| SHA1 | 037cdc1617cc48f689254c7bd6918a832b8baa0e |
| SHA256 | 9ae70ecad8659e715d87a40f863d5e1f7a88cc10e33a1d370e9388227432bae8 |
| SHA512 | 94892cd5c46a4436260d0c815c98e7a4f87db6b284aaed9e23ff967ad213933c6550d835dca3aead6a7fb21f8670061a8ca1a333c2f7257881b99620f664d94c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\search[2].htm
| MD5 | 80fd59b92c1ea955f48029561be0fd95 |
| SHA1 | 544ec51bac1f8bf102629fa8f60abbcebd9486f2 |
| SHA256 | 35a9f7725a6b3d1828aa399d1df9dcbd2f07fe3cdf79cbeb8ff40b5cb5a02166 |
| SHA512 | c981219e0f1b6e2b0b6a738bf41199ff4fba74b4b86b71c81760ecdb50425c370db056adf72615b10ce82a080f1cd39f45059aeb8d10634540591b93c43760e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9PMCFZKU\search[1].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
memory/3904-166-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1720-167-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3904-179-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1720-180-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1720-182-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3904-186-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1720-187-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 7c633b5752550ab16f4cc627a4801d7e |
| SHA1 | 1e64c4cdda14b1cee40b702a7a2b4897f21fb4f2 |
| SHA256 | ae81be2fb984d9935dbb629d0803c33520ca9e2a1dc6fefc9625fe4a0097513f |
| SHA512 | e5c6c190e5095483bcbfdbdc4ae5e41c0a4a4f44d46b54631c3027f08fdfe3dfe02704875d680eeea059a03e487582cb00e2536c39b92e6c4ea6d3d1ca71ece6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 02:50
Reported
2024-11-17 02:52
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Detects MyDoom family
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MyDoom
Mydoom family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2568 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | C:\Windows\services.exe |
| PID 2568 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | C:\Windows\services.exe |
| PID 2568 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | C:\Windows\services.exe |
| PID 2568 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe
"C:\Users\Admin\AppData\Local\Temp\f157c773e8bfc43ae44ce9cc78582d016a4d6b8cb1faba850c33667de53d938cN.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.128.8.216:1034 | tcp | |
| N/A | 10.93.103.153:1034 | tcp | |
| N/A | 10.150.78.55:1034 | tcp | |
| N/A | 10.202.221.84:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.9.17:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 172.16.1.124:1034 | tcp | |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 204.13.239.180:25 | alumni.caltech.edu | tcp |
| N/A | 10.226.153.157:1034 | tcp |
Files
memory/2568-0-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2376-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-10-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-9-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2568-17-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2568-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-20-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-27-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-32-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-34-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-39-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-44-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-45-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2376-46-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2376-51-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | e734bb68db127dbbdca36fcdb889b5ca |
| SHA1 | fdad5f1527fe68e62e1f2e9b85b507d7466e93a9 |
| SHA256 | f25ea56088124a0e2ba98f0b8fce9e60be89cb94b40a07f73ed6477801658f37 |
| SHA512 | d1d70615eb939cc656c4c68a866e00f5101c6d964016a9d647a8ec1b2699b786b131af6fe34a7fe6ba1d0a33ad6b39d406064ca702bacf15153204d828779c47 |
C:\Users\Admin\AppData\Local\Temp\tmpF911.tmp
| MD5 | 3ddcccc63c4789978c44d8e69a4507f9 |
| SHA1 | b5f3ec736231fea9533833f215cab4e8bad2d38e |
| SHA256 | bcaaa7aa82fc52d5ac48d11f7833d8c1684da12cfcbac2374b5521e8f29b527c |
| SHA512 | 0bbd2cf140ff822d43e69779a509b0d305d9de3b518f97ffbf7b9340b0611f065be045d1be047ed0adb2467f806e10864d667511a81af47823b5ea502170fc46 |
memory/2568-74-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2376-75-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-76-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2376-77-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-81-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2376-82-0x0000000000400000-0x0000000000408000-memory.dmp