mydoom | a5596043e1fa7482959e6cdca5a11f9fefb531ae2c81f283758c87547aeb5e60

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
Size

28KB
MD5

d95739cef11996b0af65b53e7629937c
SHA1

3a28897302117de3282b0ed63bd0eb48a94bbc53
SHA256

a5596043e1fa7482959e6cdca5a11f9fefb531ae2c81f283758c87547aeb5e60
SHA512

44cc8cceb711200224c8097cfd5576397b1411350d493351da22375d2131ac2f0e21076696cc31c72fc1392f0b894a5627513e71ad427ab6c7e554f111cac47e
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN55N+kos:Dv8IRRdsxq1DjJcqf8p9

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 10 IoCs

resource	yara_rule
behavioral1/memory/2316-16-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-31-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-36-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-54-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-56-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-61-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-68-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-91-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-355-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2316-416-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3040	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2316-4-0x00000000001F0000-0x00000000001F8000-memory.dmp	upx
behavioral1/files/0x0007000000019214-9.dat	upx
behavioral1/memory/2316-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3040-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3040-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3040-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2316-31-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3040-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2316-36-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-47.dat	upx
behavioral1/memory/2316-54-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2316-56-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3040-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2316-61-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3040-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2316-68-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3040-92-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2316-91-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2316-355-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-357-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2316-416-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3040-417-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
File created	C:\Windows\java.exe	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3040	2316	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe	30
PID 2316 wrote to memory of 3040	2316	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe	30
PID 2316 wrote to memory of 3040	2316	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe	30
PID 2316 wrote to memory of 3040	2316	d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d95739cef11996b0af65b53e7629937c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fce4929c3013b49ade9e339cf21e3643

SHA1
a5ec4217ed53103716ea040e18778494dd95c969

SHA256
568b9f417977c09e36f134e8ce4fa7f7e8c9e2879c186e9134b3ab0b5b8d76a8

SHA512
aa52fafcfdf38fa78966c5b3258d68085a57ba98ddc40c36ab93800d7b656026b5affd3c7ad6e30e89110b6ca1879d1a194bd05ccaacd70915844a8e5ebd2cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59413485a0a8b1d5f30a8122ba6592a3

SHA1
7485b935eea10d33ff25b604ce3e6c2a83883b7b

SHA256
0c676189df4d2cb456bb3f0d9b8571121a8f956989d3b17125daca9061944764

SHA512
53984f7af5ae860271e06e01aa12f4abeb9a9e21c487614ef3b336e96861f90468d52f616dbb2164dd9a8cedcb998c3784e1cfc19d110bc1858d5ba4f6e67298

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c39851a3e2c3cd823238ae4e76ae7b22

SHA1
7b3a09136062a73dc702974f922de585ce43ddea

SHA256
f243bc1ccf44c2332cbfdba0b76f494993cb0c1b0c0f313ba593eb1fcc6afd8b

SHA512
014abdbfd8908b33ca1bcf68e8135a79df1a2e4954d157c79070bf62dda029bd39ad1099e53e4350b3b95a09f949af4595f7457e251b971303fccb4ef344897b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb6de3bcea472a038eb29c2081aeff53

SHA1
f3d22f86bea55ca03d9416185f7c154b76ef87c7

SHA256
b52d4f1bb71ec08d4943fd9ea3e4411edfb3b474087d55c0cc9591079760c394

SHA512
e5250275ed4e8446af89182db9378408cbc2957246ee01e34af0cbe6c816c47771761b41447b73b68b15d50adb23b2e50b19a3001050fbe1517ad426c21727d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\default[1].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab991B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar99EA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DD0.tmp

Filesize
28KB

MD5
93730fc0f335769d1fd6de1774b17a17

SHA1
0f1e37dc3e054990f8cfcfbc4f904d8e077424f0

SHA256
aa0ebe724b3d5fcd8eb13eb04e204f790a8f20f7b1222cbadb96296df62965dd

SHA512
6b36d28f7d804cdb632b74afe090d61c6984242bd641767b9cb3bca4c229e5a1f9f736472d5a356964bc8fe20bbb3b5ab9619ca64e82ad3de71e2ab827933f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d218d1d46c668e804333a3a7e5ea3fc8

SHA1
663903bb0f16d4341229108b0f77e8c84ca34ab4

SHA256
cb1b48deeab93f61bc22cad591d691fdf0d0aa6e104f301b4b6b311187323554

SHA512
d622797591bc7e31e988f59384da98fe36c7a610e9ff96ef208ccf029844e613cb44640b4f308befee90fb6a3bc0d62c8e540ada3ceb2b02d5b1497e9d4dd8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9ad2b1d84553c83a541c463f2f1cedc9

SHA1
9daa10912d8ebff05357733912865a21fa19c6cb

SHA256
0710b539d8faa593a01d03cc63e1f386a26a2f187f6a9ca97fcfb65aa0b55865

SHA512
c84a387cbac6fa147d6ca0ed0e75552d89c747e5a3e54e6a01e8a4a8b59143ef0fd59d07f4f455b1cc96b75f4479ea86b82ca283ab876c74256d49cbb790ce81

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2316-31-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-8-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/2316-17-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/2316-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-54-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-355-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-56-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-36-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-4-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/2316-61-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-416-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-68-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2316-91-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3040-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-357-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3040-417-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads