Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-12-2024 08:06

General

  • Target

    Info.5394.htm .exe

  • Size

    31KB

  • MD5

    47cc271e765e6cdf0562e692ce805b35

  • SHA1

    0f40032c4deeee340b959c919222e255a63e1043

  • SHA256

    de9bf3159bd5a7b663e8d8a4dc9f9dd921c044bf0564a795a085f9b730d0cfb5

  • SHA512

    5ebbd9b7ef65771c9d95ff12c855da7731f5c4831179e0352841876d71236197596b4d75022f9248fe6bb06c5d166735a825f6af002467cffb6a5ed75bfb61a8

  • SSDEEP

    768:OYuwqgY48mWxEgfXmBN0ldWxOFfXFQ30ABVv:OYwIWT+BqldWxUSESv

Malware Config

Signatures

  • Detects MyDoom family 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • MyDoom

    MyDoom is a worm written in C++.

  • Mydoom family
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Info.5394.htm .exe
    "C:\Users\Admin\AppData\Local\Temp\Info.5394.htm .exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\notepad.exe
      notepad "C:\Users\Admin\AppData\Local\Temp\Message"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4252
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4512
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Message

    Filesize

    4KB

    MD5

    c4c3bdd9f890469b9320c63547373199

    SHA1

    ad1f934f582aa821b7c17abcba87104f55ac0de7

    SHA256

    4938f4ffd593de8886084f78f54dabd919eeade4246b08227425f68674aefd98

    SHA512

    914c5f56b717fa155e32bd83968a47b880417dfc7b5dca9c920b4bd01f18675d7120f29a3b8d6e22a0fa2c4390f3507b48d665473af488015fa7b07d0dc75622

  • C:\Windows\SysWOW64\gvwt.dll

    Filesize

    13KB

    MD5

    4cf56cc7ec3238735793448cbe55f0a8

    SHA1

    174062094df27481348af3307f13e193854ae996

    SHA256

    45462214450b8366e4b0ae072200f3dd9f634b08da119dd7497235a81d315e20

    SHA512

    addd57f097695e1f32d769b1795eacbac5107e9b751d4235ec5c4ede9671ec79d43c0807409e0816889242925a19fbb22dcd8af07012171424d5aee644ea3b78

  • memory/2724-0-0x00000000004A0000-0x00000000004B1000-memory.dmp

    Filesize

    68KB

  • memory/2724-8-0x00000000721F0000-0x00000000721F8000-memory.dmp

    Filesize

    32KB

  • memory/2724-11-0x00000000004A0000-0x00000000004B1000-memory.dmp

    Filesize

    68KB

  • memory/2724-13-0x00000000721F0000-0x00000000721F8000-memory.dmp

    Filesize

    32KB