Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2024 12:31
Behavioral task: behavioral1
- Sample: 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
- Resource: win10v2004-20241007-en
General
- Target: 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
- Size: 29KB
- MD5: ccb9e8d3b4d3656dede8c109cec4c87c
- SHA1: b17ab6d5b0027b75def2ee02a7318ab4c5bc5d24
- SHA256: 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522
- SHA512: 8919e456bf030a8d273236658f0bce9c6d073f2220529aed81abf7753b7e5486f091ad88fa95d169e1e9b448b9e8b49eab6203ce1231f49eb4568e5f7bf20de5
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/wh:AEwVs+0jNDY1qi/qK
Malware Config
Signatures
- Detects MyDoom family (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4824-13-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/4824-49-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/4824-51-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/4824-144-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
- Mydoom family
- Executes dropped EXE (1 IoC)
  pid | Process
  4368 | services.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
- resource | yara_rule
  behavioral2/memory/4824-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/files/0x000b000000023b8f-4.dat | upx
  behavioral2/memory/4368-5-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4824-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/4368-15-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-16-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-21-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-28-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-33-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-40-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4368-45-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4824-49-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/4368-50-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4824-51-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/4368-52-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/files/0x0004000000000707-62.dat | upx
  behavioral2/memory/4824-144-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/4368-150-0x0000000000400000-0x0000000000408000-memory.dmp | upx
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\services.exe | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
  File opened for modification | C:\Windows\java.exe | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
  File created | C:\Windows\java.exe | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4824 wrote to memory of 4368 | 4824 | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe | 83
  PID 4824 wrote to memory of 4368 | 4824 | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe | 83
  PID 4824 wrote to memory of 4368 | 4824 | 7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe | 83
Processes
1. "C:\Users\Admin\AppData\Local\Temp\7014544ec053d21c7aa0ad076bb91dc34ce98ef6de1fe1b3393efeb36ec8e522.exe" (PID: 4824)
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Windows\services.exe" (PID: 4368)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- Filesize: 320B
  MD5: 7100622a3bf7e8ce0d52125fe8580d44
  SHA1: 1f06a2f07e20eeda39ac1c3e072cafe813ef50a3
  SHA256: cfcfadca8197d5e533f30bfc4f14da360c4877aec729b19e8fd68b3df3a2be65
  SHA512: 7a6a3e7dfbcd21e6be19418fb7a89cdfe70ebe5a2f17ef85b94f96551d524fd520af42772726aec94a9f394a5db2f8ee56605ca6b30fb78c7330345163f25ea1
- Filesize: 29KB
  MD5: f00308bf32856a9ff9482f214ec24a7c
  SHA1: 1e35579e3881510faaa68a39ea04171f27de7048
  SHA256: cfc5a1195feb83837c24e1e2ecbf47f149deb9b7689a4b2d68e577ece3696ff6
  SHA512: 7383f04b810742c4696ea2d4fae73060f3c0b1dfefe47fce2d4018f2b2a4954afdbfebdf3b4bbd872b36c86918945e967ed5953744bcc300639edb6f79b41357
- Filesize: 352B
  MD5: 751b28b09267c7543575950f4b4df193
  SHA1: c5c9570c35f5e0fa9441a9d0c638a500d74616a0
  SHA256: fe877342433e393b94dab3a794f0a96efe96cda37a0d8c90b0aa889cc0f59e1c
  SHA512: 654123bb3191e6cf48ba7207a782fedfda57e671960efcb2c4a9ba1fae04061f0318d577599f503aa86a2993034357ca403a5a3fc2bec317b1dbae761d10fdff
- Filesize: 352B
  MD5: bf30141bd0c5c0c3934ac571385c0534
  SHA1: 1d5cd04cd7439c732d3942b8093874cecf7b26ca
  SHA256: 5e6ea90f0020776a2ba9ea739ee83ad57c37a55a6013bff17b643554fd133c38
  SHA512: 329e2a6864decccab1185bbed076da6e5edcaf89bc69476d2fdcff410ee0b48cc74d40d6e21f0073f52c065f0ccd0f7f2735c5801ae0438a2d116b87bff3952a
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2