Analysis
max time kernel: 120s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 14:48
Behavioral task behavioral1
Sample: 7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
Resource: win10v2004-20241007-en
General
Target: 7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
Size: 29KB
MD5: e10e6219ecf63df5fce71648e59cd4a1
SHA1: 1f037abd90ec0ca6f1969d331f7525d4f3b85214
SHA256: 7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7
SHA512: a1fba27ff942822cc30e4f344edb0a871352307e6306e8f48944f07f19ed6ee67bc6cfa1a548299cc11be6cc2b06a8010548cf5b93379a907d9de42371c6ab61
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Tr:AEwVs+0jNDY1qi/qH
Malware Config
Signatures
Detects MyDoom family (8 IoCs)
resource  yara_rule
behavioral2/memory/1572-13-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
behavioral2/memory/1572-27-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
behavioral2/memory/1572-93-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
behavioral2/memory/1572-147-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
behavioral2/memory/1572-149-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
behavioral2/memory/1572-158-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
behavioral2/memory/1572-196-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
behavioral2/memory/1572-220-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
Mydoom family
Executes dropped EXE (1 IoCs)
pid  Process
3444  services.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
Drops file in Windows directory (3 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\java.exe  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
File created  C:\Windows\java.exe  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
File created  C:\Windows\services.exe  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  services.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 1572 wrote to memory of 3444  1572  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe  83
PID 1572 wrote to memory of 3444  1572  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe  83
PID 1572 wrote to memory of 3444  1572  7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe  83
Processes
C:\Users\Admin\AppData\Local\Temp\7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7678efcfb69d0dd7d6789b02a831efd89efad6c35a1f20c200b91d456f16b6e7.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1572
  C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID: 3444
Network
MITRE ATT&CK Enterprise v15
Downloads