Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 18-12-2024 05:06
Behavioral task: behavioral1
- Sample: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
- Resource: win10v2004-20241007-en
General
- Target: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
- Size: 29KB
- MD5: 16a19a015797fcc308b68d18cfbd1cb3
- SHA1: 188a3fba954565d4dea5ecb57a3f2a38b10e7982
- SHA256: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3
- SHA512: 20f08e793ba4d53216b7a1755b6d40f7f0bd9c5b9c509e9ff5c642d7a69cf1ba064eed9d0b9b5b11e6caa9232eca0b0cfbada7968c0ac57c3a1f0bff8941b929
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/hm:AEwVs+0jNDY1qi/q8
Malware Config
Signatures
Detects MyDoom family 6 IoCs
resource / yara_rule:
- behavioral1/memory/2836-16-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: family_mydoom
- behavioral1/memory/2836-49-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: family_mydoom
- behavioral1/memory/2836-73-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: family_mydoom
- behavioral1/memory/2836-77-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: family_mydoom
- behavioral1/memory/2836-82-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: family_mydoom
- behavioral1/memory/2836-89-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: family_mydoom
Mydoom family
Executes dropped EXE 1 IoCs
pid / Process:
- pid: 3064  Process: services.exe
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / Process:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
  Process: services.exe
UPX packed (yara_rule: upx) 26 IoCs
resource / yara_rule:
- behavioral1/memory/2836-0-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: upx
- behavioral1/files/0x0008000000015ec4-10.dat  yara_rule: upx
- behavioral1/memory/2836-4-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/2836-16-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: upx
- behavioral1/memory/2836-17-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-20-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-21-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-26-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-31-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-33-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-38-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-43-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-45-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/2836-49-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-50-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-55-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/files/0x0004000000004ed7-60.dat  yara_rule: upx
- behavioral1/memory/2836-73-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-74-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/2836-77-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-78-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/2836-82-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-83-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-85-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
- behavioral1/memory/2836-89-0x0000000000500000-0x0000000000510200-memory.dmp  yara_rule: upx
- behavioral1/memory/3064-90-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
Drops file in Windows directory 3 IoCs
description / ioc / Process:
- description: File created
  ioc: C:\Windows\services.exe
  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
- description: File opened for modification
  ioc: C:\Windows\java.exe
  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
- description: File created
  ioc: C:\Windows\java.exe
  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: services.exe
Suspicious use of WriteProcessMemory 4 IoCs
description / pid / Process / procid_target:
- description: PID 2836 wrote to memory of 3064  pid: 2836  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe  procid_target: 30
- description: PID 2836 wrote to memory of 3064  pid: 2836  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe  procid_target: 30
- description: PID 2836 wrote to memory of 3064  pid: 2836  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe  procid_target: 30
- description: PID 2836 wrote to memory of 3064  pid: 2836  Process: bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe  procid_target: 30
Processes
- C:\Users\Admin\AppData\Local\Temp\bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfb98d24293760c802f4ae01983510ca7428d748a41ce5701b0e6329fa1e82c3.exe"
  PID: 2836
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    PID: 3064
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 29KB
  MD5: 402b6b30510456080d58026fc26c6423
  SHA1: ea74389d025059fd293fa3baad1032b08ad119f9
  SHA256: da20db3cd8688dd49bc3d3bcb9626b088faf40952d43232435651273a9564158
  SHA512: 97550c3e1569a467da339e9c5e160fc19ae38534ae7a0e2888daa4e5d1928ada6dd92c757e5c034644292995777bf522e890c1b0b6c3618b32b9e67d9ac46cc4
- Filesize: 384B
  MD5: 3e7a3d99fc421f4715d285827ccafc82
  SHA1: 8c9b820f91fb7c9d677d05aec4ccab4e41b1b01b
  SHA256: 02c5f5fd94ed19d92b32bd4555e81f4c1b58bcae017057a4579408ca89642fa7
  SHA512: 0d53bc4a2fb02c017a3676df286d566f109b140ad2fadb019b8a6687c476c1f74059c0b53e627cad2d5b6f2bf14d66284a80883feb1d537e38a147f9591ba8d5
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2