Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 14:35

Behavioral task: behavioral1
Sample: 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
Resource: win10v2004-20241007-en

General
Target: 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
Size: 29KB
MD5: f61dbaa03cc6a9b0a51cd76d3181cc00
SHA1: 1b414131bffc995cc9d4028046c622940a1d20a0
SHA256: 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4d
SHA512: 2e8cdd45cbfaca6f53f850dd195210fa7f522d81ea3154b1ebe96f5fccc8e6adb6a2abda6d7dc86de91af2c946efe9ccfe21800cd1fb2667d9ae6a58deb907be
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/ZK:AEwVs+0jNDY1qi/q0
Malware Config

Signatures

Detects MyDoom family (7 IoCs)
resource | yara_rule
behavioral2/memory/3588-13-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3588-32-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3588-117-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3588-153-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3588-162-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3588-175-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3588-211-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom

Mydoom family

Executes dropped EXE (1 IoCs)
pid | Process
4472 | services.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe

resource | yara_rule
behavioral2/memory/3588-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/files/0x000b000000023b8d-4.dat | upx
behavioral2/memory/4472-5-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3588-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4472-15-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4472-16-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4472-21-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4472-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4472-28-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3588-32-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4472-33-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/files/0x000a000000023bca-43.dat | upx
behavioral2/memory/3588-117-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4472-118-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3588-153-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4472-154-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4472-158-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3588-162-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4472-163-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3588-175-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4472-176-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3588-211-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4472-212-0x0000000000400000-0x0000000000408000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\services.exe | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
File opened for modification | C:\Windows\java.exe | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
File created | C:\Windows\java.exe | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3588 wrote to memory of 4472 | 3588 | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe | 83
PID 3588 wrote to memory of 4472 | 3588 | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe | 83
PID 3588 wrote to memory of 4472 | 3588 | 95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe | 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\95f95981296cfb24133b2c9b4e089630409df80a4c5e0bdcedaa4db91fca0f4dN.exe"
   PID: 3588
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\services.exe (child of PID 3588)
      Command line: "C:\Windows\services.exe"
      PID: 4472
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 312B
MD5: c15952329e9cd008b41f979b6c76b9a2
SHA1: 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256: 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512: 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Filesize: 315B
MD5: 14b82aec966e8e370a28053db081f4e9
SHA1: a0f30ebbdb4c69947d3bd41fa63ec4929dddd649
SHA256: 202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf
SHA512: ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Filesize: 310B
MD5: 2a8026547dafd0504845f41881ed3ab4
SHA1: bedb776ce5eb9d61e602562a926d0fe182d499db
SHA256: 231fe7c979332b82ceccc3b3c0c2446bc2c3cab5c46fb7687c4bb579a8bba7ce
SHA512: 1f6fa43fc0cf5cbdb22649a156f36914b2479a93d220bf0e23a32c086da46dd37e8f3a789e7a405abef0782e7b3151087d253c63c6cefcad10fd47c699fbcf97

Filesize: 302B
MD5: e3ce7b4e89668aaf9e0a6de317575af8
SHA1: a08cffbde120781baf281f4a7653980197283971
SHA256: e014684b9f80308ceb8807a3580fcf948923f3a1b8a3ea84982c664362feda1b
SHA512: 9d7e129ea739ff87eca236ff117afaa09eb0f71bae9af9d22b7cadf5c8a71054c35561df744c9d335579f4b6980d2722a316b9720420003efa684ababb9ee9c4

Filesize: 25B
MD5: 8ba61a16b71609a08bfa35bc213fce49
SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Filesize: 320B
MD5: 63fb51dc7f97a6bf1860cbe7bb206138
SHA1: 108f596a153c3f117c469ea511a918eb17d74383
SHA256: 1dcd72a295c9eedba8de55456cbbc24c164c0b820a19fd59f4796c5c41668836
SHA512: 27e9dcb18a8f7b3fb9338e800de85ce639a0c00398e4775198259fea5916c5132af3a1f1cbf5d3eeb51bd4b1190887daed7f841fac30c7724ee37aa26ce3b11e

Filesize: 29KB
MD5: bbb09298b11d80d810eef8be1abb0830
SHA1: 739984021570c8ca003abe2966d5ccb607f406f3
SHA256: a292903d02e6756eefc26c36a358a74aca09379eb66e8b8b7e012d03d49bf895
SHA512: 04a8d673e6a2ea8139cf6746a63d4cbbf037c98f66526e0b0c57b8d572cca68d323c070f69aebd4d930ba1d27ecb555051159cf43b3f6ba712a28f68f719dc7c

Filesize: 352B
MD5: 06143a379c09490399d0c73af664ed13
SHA1: 29ef1abe7fef8530a23bd62abe7e67d5f02dd662
SHA256: 8c27889ab239a1c6a4165449f3d3acd9ac863193ce65eae012603b170d01a5ba
SHA512: fb6bf9355fc1a48ae051d08a592d4820e4d0f644f313fc1fc7ed5935dcb20b3c047a53c55b3afe337811e1f0b1ab548b24ed90c32e523948e50517e2fe5bd067

Filesize: 352B
MD5: 0c58d5c15998d55c0f713508de326ef6
SHA1: 825b1877dd6ad245e3d47c715c385a3504031c88
SHA256: dec8c8a7928fb3673f514a713276fab889779f3dfaa49d5b59b3622b2764d027
SHA512: 2ce5fd16a5578a7890259cba904afc196e754d0107ae08996316f8d5671d8ea981792e7a7083c7d4340882b79037227342783106951fcc8c51e052a73a75f470

Filesize: 352B
MD5: d36778f04991360f76b476ad29c9bab1
SHA1: f180797560483a575513122db6549b98b6701601
SHA256: c30a969c8c009ee094df365e8e558cece9028accf1de5517d8a0e6d875a0d2dd
SHA512: a7fedfe489d22bb664901bbf11b19f5bf6c88a19ca88d428f879fcdc243dfead1dc0b3f8907560203857c22921e059a78f54c1a643101b08b99100326433e898

Filesize: 8KB
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2