Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 19:06
Behavioral task
behavioral1
Sample
f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe
Resource
win10v2004-20241007-en
General
-
Target
f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe
-
Size
29KB
-
MD5
1e0b9bdd5fbdfef2561d50ce3093ce60
-
SHA1
0626ac81e5bc6f06995deefe946215dbf48b505c
-
SHA256
f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7a
-
SHA512
9c2e1f8ef8af6a48ee25c2b5e26d1a2d50a781d47c6950e960a59179ae0e650945b26b28433be63a02d0f69e293509ddc7c212aa255bc5b89bfdbc12b74f3255
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/2:AEwVs+0jNDY1qi/qO
Malware Config
Signatures
-
Detects MyDoom family 6 IoCs
resource yara_rule behavioral1/memory/1064-17-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/1064-32-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/1064-58-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/1064-60-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/1064-65-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral1/memory/1064-72-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom -
Mydoom family
-
Executes dropped EXE 1 IoCs
pid Process 1932 services.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
resource yara_rule behavioral1/memory/1064-0-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1064-4-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/files/0x0008000000016c7c-7.dat upx behavioral1/memory/1932-11-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1064-17-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1932-21-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1932-20-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1932-26-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1932-31-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1064-32-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1932-33-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1932-38-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/files/0x0005000000004ed7-48.dat upx behavioral1/memory/1064-58-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1932-59-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1064-60-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1932-61-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1932-66-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1064-65-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1932-71-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1932-73-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1064-72-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1932-78-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\java.exe f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe File created C:\Windows\java.exe f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe File created C:\Windows\services.exe f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1064 wrote to memory of 1932 1064 f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe 30 PID 1064 wrote to memory of 1932 1064 f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe 30 PID 1064 wrote to memory of 1932 1064 f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe 30 PID 1064 wrote to memory of 1932 1064 f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe"C:\Users\Admin\AppData\Local\Temp\f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7aN.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1932
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD51e0b9bdd5fbdfef2561d50ce3093ce60
SHA10626ac81e5bc6f06995deefe946215dbf48b505c
SHA256f76339c3bd5bd1f806d237fd3c5b1cbbd2b5113763c6fa085d7fcec820d97e7a
SHA5129c2e1f8ef8af6a48ee25c2b5e26d1a2d50a781d47c6950e960a59179ae0e650945b26b28433be63a02d0f69e293509ddc7c212aa255bc5b89bfdbc12b74f3255
-
Filesize
352B
MD53aff13218321f3b528828a8e2ae8aabd
SHA16e0441015e1b740b1aeb3767d006aa9090d45cbe
SHA256be85b2d88b320306b0c9a515e5d09df336c0c8b47637dfd9820b8ab6fb50fbbe
SHA51201a4b58f8c0ad0a938bdcdeb3d4477dfd8db5a21e0324ce5350c5e73a85f6684387c2aa1768c5fe96f6dcd1c85ec30710c6d2c2f4251e86505a53e7a7fb717ec
-
Filesize
352B
MD5748bf579bda8dc4e98f17128b05f24dd
SHA1b0a0b98a39a8a85afe1214e0befe357adfa30d87
SHA256146cee60048acc27c9e97a3ae7e6a58045333c115a75e89c9414b0ed4c7a3318
SHA512b5de7ee63ef851ad30e248d9030788329b5d96acf574369fbd4f5eddb2dcdb773a57bcd2c649f33603f4af1a38ad939048a06efee4940109a67f20db0358a9d9
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2