mydoom | d2a49b1402b672c150efae3230bea784e5c5d0980e7cbb8be4d2dd36bb119127

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Size

28KB
MD5

e2182793a9f4ba517a4722e5a3ceb14a
SHA1

5bb7b18574e2a5e6721a23ce1e9f98a2f2faee22
SHA256

d2a49b1402b672c150efae3230bea784e5c5d0980e7cbb8be4d2dd36bb119127
SHA512

1cdb47433f2add36ef9f23a41f949e9805e6fb30a7483a578d1d00065f2fb3bc7cebf6cf270743f18274cfe3f18a0f0a574e96d40680e593c901cf48d700074e
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNH:Dv8IRRdsxq1DjJcqfI

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 10 IoCs

resource	yara_rule
behavioral1/memory/2072-17-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-32-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-37-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-55-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-62-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-67-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-69-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-214-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-364-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2072-451-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2548	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2072-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x000f00000001866e-7.dat	upx
behavioral1/memory/2548-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-9-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2072-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2548-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2548-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2548-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-32-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0003000000013d08-43.dat	upx
behavioral1/memory/2072-55-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2548-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-62-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-67-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-69-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2548-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-214-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-217-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-364-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-365-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2072-451-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2548-452-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
File created	C:\Windows\java.exe	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2548	2072	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2548	2072	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2548	2072	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2548	2072	e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2182793a9f4ba517a4722e5a3ceb14a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a478227df4c4ebe9034f36f229a8695

SHA1
18a8d121965c4c7a2d9146367bdb31e93630ba17

SHA256
7522cee792f19d0e9f353629d2aa68fb59c3e00267b520e81ee8728d3a506d35

SHA512
f162e9c58dd28460ed849988c0580be21a97ac25787ea031966f341b834c64d1e4af17931da1491acd5e070ae4295ecd409391d5563681d411b0e9672c4aefcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b85feb18e90ee2a3657be23ef1ca4503

SHA1
4912d98b35bc20dee20362c61f681158c2cb94fe

SHA256
333ac7490d7fb1662177ec40733b4a465be39d64a73bd9df649f1da01d51dc57

SHA512
af63604a7cda461a4aec3b7c554e421f5fd5bb8989a722b95ff01a86071067da6866e129dfac730714bcb2ad62a487c3a30fc85ea7a302091f1cd48e453aadc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\search[3].htm

Filesize
115KB

MD5
01849637c4549b652a5d195fcb9a9ca3

SHA1
97200ca964a39c2d3dcb4829d47787c74332f7ca

SHA256
888e412ed801429ba100766dc6e70a2ca48f3b538ec4f672e051f389c2041702

SHA512
03bb2419ddbbc452ed0de7facc7cd6d396d41fd4b42b3b0d80d97f4cf45eeb13605b3cf2ffedf929ada322487e2802f57b73171770b73859ef7350747dcfab6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\search[2].htm

Filesize
115KB

MD5
15f95c09483f9b887ec174586c9d7097

SHA1
8917d2cbf9a9a952c0725712c662478c3bbb90cc

SHA256
616db68ae6018e9bba500c3b93f6fbd4ae2ffba3e186e35aecd78278ea1c9367

SHA512
35fbdcd12d58d99552b865a25d48e693064d8ab56f222b905ddc377d6955278fcb01d6a715238806ab4767f19af5ffd755973f9ce2f57ac4a42cb24908d74014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\search[6].htm

Filesize
132KB

MD5
79aa1aaa76e3e4dc9e6896f984936a75

SHA1
a4081196710f936291e6d3424bbd5bf52513832d

SHA256
52387b34cf0bbed57c521469614ade7177d3bdbf96092521f7ad5387b36d7fa3

SHA512
67755364fc2eef468cc72b994ebacc760f85ca9972799209291c7909a191d43a3f0adceac29380cb2f391de25ecd6b6bdebdbfba60c20183427df8ebd80fdafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA76F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA7DF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C7E.tmp

Filesize
28KB

MD5
16c7df265e9398b2e7fd3a4651987775

SHA1
91b9fdc1c826bc158921f9a37ee5c37666df4ffe

SHA256
47528cae2c0eaac18d4b331ce2ee15099210d061c6bad2b8a35b1ccb1d0e65d0

SHA512
fd27c751b138178caa296584450d26a0fee8df4e9d37c4a69e28d5ce05c5daa0a13d27aefea403be6a14ea9e93269582e7e644a43317b6d97b718ed0cf84fe1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
28b06647dcfdf30b4d615c3d8544216a

SHA1
0ea24206beaf24278560e9be4bad52b62c2ebb66

SHA256
51acee622b0d4455f2a30a01bcbff235108ad004671661a5ba391add81ab34a6

SHA512
6881df5ee83a64990975adb916124a6cfa2796f0771adeaf69c10c22414b97ed095d30cb165bd8a18ff4757d4ff08804136b9d892a365bebdec2b6fd961a876a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a7f34039b8815d69b6bccd31f0fd08c0

SHA1
235654cd059e310901c1eff886edef3c9085c731

SHA256
43748c29360eed9f33f6ff35396682c2d3190ceddeccf54d42e38c0db282e2ff

SHA512
05fe035fb6ca987387c05f29629d263bd5ad877d11c98a803d84b4d8a9cd0257bcba0516ec56155bcd456cc07dd6e9759d5d0194e7af005cdb4df65e8c97c8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
3d4d68921cbe9a33db5ed7d9c64b7b27

SHA1
0e36c80814e1d68f794cb66718757ab8861dbf3b

SHA256
8cdc6c25fceff34d2783fc4b32fd7e03902fdeec7937e8d4ff62d5230fee8b8f

SHA512
e475707b7e01c49411581b399cb4929a5544a1f0353886170c62fbec64c2d68414d5e14b11ad2f42654381a9e871781ab1a6f3b4409edcbd8765b88ca339a71f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2072-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-32-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-364-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-55-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-214-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-451-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-62-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-18-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2072-67-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-69-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2072-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2072-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2548-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-365-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-452-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads