Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 14:35
Behavioral task
behavioral1
Sample
95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
Resource
win10v2004-20241007-en
General
-
Target
95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
-
Size
29KB
-
MD5
f61dbaa03cc6a9b0a51cd76d3181cc00
-
SHA1
1b414131bffc995cc9d4028046c622940a1d20a0
-
SHA256
95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4d
-
SHA512
2e8cdd45cbfaca6f53f850dd195210fa7f522d81ea3154b1ebe96f5fccc8e6adb6a2abda6d7dc86de91af2c946efe9ccfe21800cd1fb2667d9ae6a58deb907be
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/ZK:AEwVs+0jNDY1qi/q0
Malware Config
Signatures
-
Detects MyDoom family 6 IoCs
resource yara_rule behavioral1/memory/824-2-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/824-9-0x0000000000230000-0x0000000000238000-memory.dmp family_mydoom behavioral1/memory/824-17-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/824-53-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/824-66-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/824-70-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom -
Mydoom family
-
Executes dropped EXE 1 IoCs
pid Process 2208 services.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
resource yara_rule behavioral1/memory/824-2-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/824-4-0x0000000000230000-0x0000000000238000-memory.dmp upx behavioral1/files/0x0008000000018634-7.dat upx behavioral1/memory/824-9-0x0000000000230000-0x0000000000238000-memory.dmp upx behavioral1/memory/2208-11-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/824-17-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2208-19-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-20-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-25-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-30-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-32-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-37-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-42-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-44-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2208-49-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/824-53-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2208-54-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/files/0x0004000000004ed7-59.dat upx behavioral1/memory/824-66-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2208-67-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/824-70-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2208-71-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\services.exe 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe File opened for modification C:\Windows\java.exe 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe File created C:\Windows\java.exe 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 824 wrote to memory of 2208 824 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe 31 PID 824 wrote to memory of 2208 824 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe 31 PID 824 wrote to memory of 2208 824 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe 31 PID 824 wrote to memory of 2208 824 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe"C:\Users\Admin\AppData\Local\Temp\95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2208
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
320B
MD59873af07c97551e6d52eeb953b2dd095
SHA1cafc8b1e65ccab9437ad40e789e01c4c0a16a6eb
SHA256723ec04d98da1863b55428483985630511ab37b977723e6bea7da3ca771e00ab
SHA512612f3e8948e3c29af9cd4fffc02862747febf5a1f3992387afd7b0776b68ab2222009199e6c6b41fae5124a2504a42f194b8feb0d00f0e405a458bdd2dfca141
-
Filesize
29KB
MD5c2b6f954d3919932581947f7dad4aba8
SHA1b9fce1c28eebb9e195012a32f8c83492e39b8b76
SHA2566d07aa6ba4d5e8c8ba95aa3e39afefccc9dc510a3ee50cfdf4d56840bb621639
SHA5125d780d790e0bd9405681a63058bcdcca0c20467fad5776485a9b0cdbbe07af03cb72e0dc02b0d257bff096746fb45184e87e32e4c50c74c92cb2213848805b0c
-
Filesize
352B
MD573a8ba82b9f43ba219491d79a323c2c4
SHA18173d64b7870a145aed508c95d963a3d9fd1514a
SHA2566b8501f034ca633882016cac2f5085f6c90af2c8c18a62444bb215d2a87bb228
SHA512c72c74ac5571248cb8074c5c462a740f62d6cf5ab27239d4cbeb39a3f485d7066b2ea104a5870abba83143fe6db388b53476b81b906b7d5de3fafcbd1ca703ca
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2