Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 00:01
Behavioral task
behavioral1
Sample
7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe
Resource
win10v2004-20241007-en
General
-
Target
7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe
-
Size
29KB
-
MD5
9eca1b514e9ad6aa0a7f5f441a316dcb
-
SHA1
2199661de2a6629ff44d78f3197be023adee17cf
-
SHA256
7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed
-
SHA512
c780ae8f9a069907f5966a6caa7ba98b23e6a78b3e1f9dd2e3df4ef99f770faae9fc6e309d5f78b599a36034e40c0ff51bed4494b27340d000f52fb91a5cc8ed
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/2hQ:AEwVs+0jNDY1qi/qem
Malware Config
Signatures
-
Detects MyDoom family 4 IoCs
resource yara_rule behavioral2/memory/4016-13-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4016-56-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4016-135-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4016-164-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom -
Mydoom family
-
Executes dropped EXE 1 IoCs
pid Process 3592 services.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
resource yara_rule behavioral2/memory/4016-0-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/files/0x000b000000023b77-4.dat upx behavioral2/memory/3592-5-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4016-13-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/3592-15-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-16-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-21-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-26-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-28-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-33-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-38-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-40-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-45-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-50-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-52-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4016-56-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/3592-57-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/files/0x0004000000000709-67.dat upx behavioral2/memory/4016-135-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/3592-141-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4016-164-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/3592-165-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/3592-169-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\services.exe 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe File opened for modification C:\Windows\java.exe 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe File created C:\Windows\java.exe 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4016 wrote to memory of 3592 4016 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe 82 PID 4016 wrote to memory of 3592 4016 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe 82 PID 4016 wrote to memory of 3592 4016 7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe"C:\Users\Admin\AppData\Local\Temp\7732eb15f5a05fe28978c5756cd42e795efa4092a850bb3ed17f2f834b7e7eed.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3592
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25B
MD58ba61a16b71609a08bfa35bc213fce49
SHA18374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA2566aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA5125855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
-
Filesize
29KB
MD52a905be4f3b74f43646c2a353e334a45
SHA1c75170631f889b30265b471019e70bf57bae50d9
SHA25617e9ed6000ced1baa2d142e435af767bf2226158b0629ff87d14fdbfe858c00b
SHA5122cf810a6241072662ed122558c97a1405ef5e35e42b3e15f3269b0bdfcf155332f5ae0ec52366caa60169ee0d01721e0ce854e2688dd57ef47244d2371890a1d
-
Filesize
320B
MD537472b58ddd031bf9ee84520a0a89b36
SHA1e6167dc5514c32245466c1bdd6e7d5c80dadca0f
SHA256cf26ed3512cae73c7db6149a87213f0f393f0802bd6a080c2ab221c206d79ba1
SHA512317b5ca29b1c79ec1f95cf97c0c1c473da4575b0b695bd23f11e4160e8dbc66b195697782a3462e6aa4fc83b54f0ec13e4171b52ca597c4afbd04f2fecee75f4
-
Filesize
320B
MD52da99637d3c19c3d41bc0979ee9d24ef
SHA1768e9d959aaa191f6504d6fb7f63447b744371bc
SHA256b47c3ac2eba4b46429eb5e0b2be28c499b324793d9c809de6ff6bd8f540aad37
SHA51289d6f8f7a2d0a7533e43f8739ac4816cfaf3a1a5abdffde3903ac5f8a03a828acf054cbb1a54cc1552912035cd3d2ea40cc062e789f64674369e71e95007fe6c
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2