Analysis Overview
SHA256
771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626b
Threat Level: Known bad
The file 771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe was found to be: Known bad.
Malicious Activity Summary
MyDoom
Mydoom family
Detects MyDoom family
Executes dropped EXE
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 06:29
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 06:29
Reported
2024-11-17 06:32
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Detects MyDoom family
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MyDoom
Mydoom family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 904 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | C:\Windows\services.exe |
| PID 904 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | C:\Windows\services.exe |
| PID 904 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe
"C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| N/A | 10.128.8.216:1034 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 10.93.103.153:1034 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| N/A | 10.150.78.55:1034 | N/A | tcp |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| US | 8.8.8.8:53 | acm.org | udp |
| GB | 173.194.76.26:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 199.89.3.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.10.18:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| GB | 88.221.135.115:80 | r11.o.lencr.org | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.135.221.88.in-addr.arpa | udp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| N/A | 10.202.221.84:1034 | N/A | tcp |
| US | 8.8.8.8:53 | aspmx5.googlemail.com | udp |
| US | 8.8.8.8:53 | acm.org | udp |
| SG | 74.125.200.26:25 | aspmx5.googlemail.com | tcp |
| US | 104.17.78.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 204.13.239.180:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| N/A | 172.16.1.124:1034 | N/A | tcp |
| US | 8.8.8.8:53 | mx.acm.org | udp |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| US | 8.8.8.8:53 | mail.acm.org | udp |
| NL | 142.250.153.26:25 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | smtp.acm.org | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| US | 8.8.8.8:53 | outlook.com | udp |
| US | 8.8.8.8:53 | outlook-com.olc.protection.outlook.com | udp |
| US | 8.8.8.8:53 | mau.se | udp |
| US | 52.101.194.2:25 | outlook-com.olc.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | mau-se.mail.protection.outlook.com | udp |
| NL | 52.101.73.15:25 | mau-se.mail.protection.outlook.com | tcp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| N/A | 10.226.153.157:1034 | N/A | tcp |
| US | 8.8.8.8:53 | alt2.aspmx.l.google.com | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| DE | 142.251.9.26:25 | alt2.aspmx.l.google.com | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | mail.burtleburtle.net | udp |
| US | 65.254.250.102:25 | mail.burtleburtle.net | tcp |
| US | 8.8.8.8:53 | outlook.com | udp |
| US | 52.96.214.50:25 | outlook.com | tcp |
| US | 8.8.8.8:53 | mau.se | udp |
| SE | 195.178.229.20:25 | mau.se | tcp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
Files
memory/904-0-0x0000000000500000-0x0000000000510200-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/1976-5-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/904-13-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-15-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1976-16-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1976-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1976-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/904-27-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-28-0x0000000000400000-0x0000000000408000-memory.dmp
memory/904-32-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-33-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 18478fe7a8d8b1c9aacc89c4811a28bd |
| SHA1 | 0af34d7691031478ebf2756fa21395fc57144bbb |
| SHA256 | 018c1b3bd7d5bf64be909229a5c46a99bc48737d802a67762b53e4912a653742 |
| SHA512 | 98ce0792c13246650c5727adc641193ad44988c5352d3850fef9d2fb8735416b69da33bcf5816a196fd3b7dd1af2731ddc7e55e2e768a139be6254d7f17b06d8 |
C:\Users\Admin\AppData\Local\Temp\tmp8EFC.tmp
| MD5 | 3f00cc3ce050ad935febe9d4a250cca5 |
| SHA1 | 2128828432c5247ce913190cfbb1907e0e3e1966 |
| SHA256 | 6d04d11aa4d1a9305c25e3154d19a50d2c8d3cd164010de6fb9dacd7dfe233cc |
| SHA512 | c1f5fcf24170ea152e169b3746ef4c193c575bc95262c2b60d52a80f65bafecb007ca05b4055bc4133405df86bdaf3712bc4acc6a6b9f1002d33d2a72f4b8624 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\N7HG2JJX.htm
| MD5 | 469aa76dc70ccb11bac6b044fe2690f2 |
| SHA1 | 97a374f481033a57ad13e42cba9e48d24f03f360 |
| SHA256 | c24b0d15c6b98480e1113f52dcb4b3dd074c0a32a929bd2d2929aa561ba236cc |
| SHA512 | b30bdcd38305030052aef1d78bc47817723d1cd7d3c3782b048570b5b9083f5442d2a3dd20047d1ed441dee4925373ebbbaf2fde6f4c6330844f2f24a6cb2800 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZA7RG4JF\search[3].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\BVPN9KT1.htm
| MD5 | c1c54adcbb51525ba7dc7442cadcccd8 |
| SHA1 | 7fb5e1b63ed67017f69a3c6386e78f4cb350ce94 |
| SHA256 | ef8688ca86bb4bdcc13ceac1cd03b805cf68ce90fe6e3a4350c5a54f6794ca97 |
| SHA512 | 6cc2326b8c796549d9bcb4013777c6d53ac6a2ccc59029f21aa9a9315351dee86dda3255d26419be72c9ab57f1a0605c2d5f8eebe625825b06d5df83fd10d861 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\search[2].htm
| MD5 | ffec2063cf4f08f325be8dedc2c7ae38 |
| SHA1 | 6e120af49a9f3b44491f33c77b0b302b221675f6 |
| SHA256 | 091a8674687212bbce254e77d2c514d502fe139d7a23067090750c5996518546 |
| SHA512 | 117327e126e109184251d82cfa44636a7c082af018f698397e9f7952fd8e9f299781acc8e939a7bd802dcb6b388dd53294cd2896e63137299fded0ee90a99994 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\search[4].htm
| MD5 | 7d99ca97dab694b67f57c3ffcd1d3428 |
| SHA1 | 276f9940a9c52a05d028ed4d4a3c825fa9bfe1d6 |
| SHA256 | 38ab3c949836bbd1e1ef4e3a8cf57a47115338fdfa050d77f064cf8bf2fee7e7 |
| SHA512 | 18ea498327b8f468aabddc3d35efd7a4404b95765ce69c42f95f45dcf5d3ce4d4745da5a43d18f1e7d4aca67164e0d0c9460502f164ec8f0298e78270c0ff262 |
memory/904-195-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-196-0x0000000000400000-0x0000000000408000-memory.dmp
memory/904-197-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-198-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1976-203-0x0000000000400000-0x0000000000408000-memory.dmp
memory/904-207-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-208-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 3192e60911797c80ec2826ffd4e8e3fa |
| SHA1 | 161886ca11e7b03a7aacc53ae3aa6ddec6a44e92 |
| SHA256 | 35639904d89d4355f5b5da731e8c3fcf651be1d128c685120b20710d54e160cc |
| SHA512 | 4d9584c715c694e9200c02481ad24013d07eeeb5b226c6a88534cd9f98e9bc2c58446c0d1fbc9b5eefd118343d1c86b885a1926f2512af17b2e6b35052f29201 |
memory/904-231-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-232-0x0000000000400000-0x0000000000408000-memory.dmp
memory/904-235-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1976-236-0x0000000000400000-0x0000000000408000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 06:29
Reported
2024-11-17 06:32
Platform
win7-20240903-en
Max time kernel
120s
Max time network
116s
Command Line
Signatures
Detects MyDoom family
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MyDoom
Mydoom family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1680 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | C:\Windows\services.exe |
| PID 1680 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | C:\Windows\services.exe |
| PID 1680 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | C:\Windows\services.exe |
| PID 1680 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe
"C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.128.8.216:1034 | N/A | tcp |
| N/A | 10.93.103.153:1034 | N/A | tcp |
| N/A | 10.150.78.55:1034 | N/A | tcp |
| N/A | 10.202.221.84:1034 | N/A | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.42.14:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 172.16.1.124:1034 | N/A | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 204.13.239.180:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 10.226.153.157:1034 | N/A | tcp |
| US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mx.gzip.org | udp |
| US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.gzip.org | udp |
| US | 85.187.148.2:25 | mail.gzip.org | tcp |
Files
memory/1680-0-0x0000000000500000-0x0000000000510200-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/2972-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1680-10-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1680-9-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1680-17-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1680-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1680-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2972-20-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2972-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2972-27-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2972-32-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2972-34-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1680-38-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2972-39-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2972-44-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 1c66c55553c29e1f721b038867c6d390 |
| SHA1 | 1564e6145988b0ae8ce909f20ea87c939d9f275e |
| SHA256 | a38841e93b1ddf5891e39a30ea243c826e7df2eaa87d4e116a8e824446be9f14 |
| SHA512 | 95e4ef2e21b452f2e89e3a1ba87d4b6767da36c1766fdad9c04b2d3d8b54def3173b604b0719c517e4d737a33668c8cae4280ddd938aa5966d690c6a68c4603e |
C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp
| MD5 | 5c183af5aafdb13f9b7dc9f5b1e420b5 |
| SHA1 | 79731e2270e952ee93bbdfed43014b9c39d37a84 |
| SHA256 | a3108140c67842fd2c8dcd2a845dc9209011df8e914a49254b735fb835d6f866 |
| SHA512 | 4994db237f00f5534285fed90aa646edbf045a261020a8597dc4567c50aa2028163cc03781a8129fc128a2cd18888ccbb1c77c5607fbc1ffc0923c66e6419908 |
memory/1680-62-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2972-63-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1680-66-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2972-67-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1680-71-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2972-72-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2972-74-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1680-78-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2972-79-0x0000000000400000-0x0000000000408000-memory.dmp