Analysis
max time kernel: 120s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 14:25
Behavioral task behavioral1
Sample: 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
Resource: win10v2004-20241007-en
Every signature hit and process record on this page is tagged behavioral2 (the Windows 10 run); no behavioral1 (Windows 7) results appear here.
General
Target: 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
Size: 29KB
MD5: c2fe041f42002d1ea1b7665dfce0dbce
SHA1: 0b70e37f58a158d166b0dc56fdcd690e1eef757c
SHA256: 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c
SHA512: fdcc11ec9f25e9b2e7c765e519654b2903a5527e0d67170737688da2359822c6c4c49f9996ee59dd5529c065be16b5c158664525f90eac656d3013e34c809426
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/x:AEwVs+0jNDY1qi/qJ
Malware Config
Signatures

Detects MyDoom family (4 IoCs)
resource | yara_rule
behavioral2/memory/2820-13-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/2820-49-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/2820-51-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/2820-144-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom

Mydoom family

Executes dropped EXE (1 IoC)
pid | Process
3120 | services.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe

UPX yara rule hits (20 IoCs)
resource | yara_rule
behavioral2/memory/2820-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/files/0x0008000000023c97-4.dat | upx
behavioral2/memory/3120-6-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2820-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/3120-15-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-16-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-21-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-28-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-33-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-40-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/3120-45-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2820-49-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/3120-50-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2820-51-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/3120-52-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/files/0x0004000000000709-62.dat | upx
behavioral2/memory/2820-144-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/3120-145-0x0000000000400000-0x0000000000408000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\java.exe | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
File created | C:\Windows\services.exe | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
File opened for modification | C:\Windows\java.exe | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2820 wrote to memory of 3120 | 2820 | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe | 82
PID 2820 wrote to memory of 3120 | 2820 | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe | 82
PID 2820 wrote to memory of 3120 | 2820 | 8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe | 82
Processes

1. C:\Users\Admin\AppData\Local\Temp\8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe"
   PID: 2820
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\services.exe (child of PID 2820)
      Command line: "C:\Windows\services.exe"
      PID: 3120
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
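The behaviours above reduce to two hunting rules: a value written under a CurrentVersion\Run key, and an executable that borrows a Windows system-binary name (services.exe) while living in the C:\Windows root instead of C:\Windows\System32, where the genuine Service Control Manager binary is. The following Python is an added example, not part of the sandbox report and not the sandbox's own signature logic; it runs those two checks over registry-write and process-creation records constructed from the IoCs on this page. The allow-list of impersonated binary names and legitimate directories is an assumption of the example.

```python
"""Triage check over Run-key writes and process creations (added example;
the records below are constructed from the sandbox report's IoCs)."""
import ntpath
import re
from typing import List, Optional, Tuple

SAMPLE = "8538b2f58e8c0b9e14192833661626032c0efa425eae8c967f660087be66ae6c.exe"

# Genuine Windows session/service binaries that malware likes to impersonate.
# Real copies live only in LEGIT_DIRS; a same-named file in the %SystemRoot%
# root (as this sample drops) or elsewhere is suspicious. Illustrative set,
# not something the report states.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "smss.exe", "wininit.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# A value under a Run/RunOnce key, in the native or WOW6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Leading executable of a command line: optional quotes, path up to ".exe".
IMAGE_RE = re.compile(r'^\s*"?([^"]+?\.exe)', re.IGNORECASE)

# (registry value path, data written, writing process). The report shows the
# data JSON-escaped ("C:\\Windows\\java.exe"); it is unescaped here.
RUN_KEY_WRITES: List[Tuple[str, str, str]] = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM",
     r"C:\Windows\java.exe", SAMPLE),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services",
     r"C:\Windows\services.exe", "services.exe"),
]
# (pid, image path, parent pid), taken from the report's process tree.
PROCESS_CREATES: List[Tuple[int, str, Optional[int]]] = [
    (2820, ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE), None),
    (3120, r"C:\Windows\services.exe", 2820),
]


def is_run_key(value_path: str) -> bool:
    """True if the registry path is a value under an autostart Run/RunOnce key."""
    return RUN_KEY_RE.search(value_path) is not None


def extract_image(command: str) -> Optional[str]:
    """Return the executable path at the head of a command line, or None."""
    m = IMAGE_RE.match(command)
    return m.group(1) if m else None


def masquerades_as_system_binary(image_path: str) -> bool:
    """True if the file name is a well-known system binary but the file sits
    outside the directories where the genuine copy lives."""
    directory, name = ntpath.split(image_path)
    return (name.lower() in SYSTEM_BINARIES
            and directory.lower().rstrip("\\") not in LEGIT_DIRS)


def analyze(run_writes, proc_creates) -> List[str]:
    """Produce one finding per persistence entry and per masquerading process."""
    findings = []
    for value_path, data, writer in run_writes:
        if not is_run_key(value_path):
            continue
        image = extract_image(data)
        if image is None:
            continue  # not an executable command line; out of scope here
        note = f"persistence: {writer} set {ntpath.basename(value_path)} -> {image}"
        if masquerades_as_system_binary(image):
            note += " (impersonates a system binary outside System32)"
        findings.append(note)
    for pid, image, ppid in proc_creates:
        if masquerades_as_system_binary(image):
            findings.append(f"masquerade: pid {pid} runs {image} (parent {ppid})")
    return findings


if __name__ == "__main__":
    for line in analyze(RUN_KEY_WRITES, PROCESS_CREATES):
        print(line)
```

Against the report's records this yields three findings: the JavaVM and Services Run-key entries, the second also flagged because its target is a services.exe outside System32, and the child process PID 3120 for the same reason. The directory check is what separates this from a plain file-name match; a legitimate C:\Windows\System32\services.exe passes.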
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 25B
MD5: 8ba61a16b71609a08bfa35bc213fce49
SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Filesize: 320B
MD5: 7058a3c7574e1bbd4205993a01e40d1a
SHA1: 604abf3f8a01c1b4f1378df9604d91b76b92eb1d
SHA256: a5e4c0de577b19f4b4e13a451aa56b8ebd00e79b254db312fb6f121c605525b0
SHA512: 3d98eae30ef3d200d81443adab82073bf4e8e6b6bb016efad554f12adcdbd940362c16378db3509d2ac8ea366aaeb2709bd64b6a5179eae72eccde96b071d5ed

Filesize: 29KB
MD5: f2b1e656266c7ccab905d91934fde7b2
SHA1: 4e068315bdc6e0e8080e3c980ba033a9f80ba915
SHA256: 802d6bc4d8967ac5610edec0c96abe2515d61b8e543e1cc25db5d5513a163fd8
SHA512: ca07f11baa1426cf926fb28fbbe61fbd1cabb6d693458c322f44e0600369a90ae8c85c028b7784de353419c242d946e880018cd27496b7d97bfbb590031bc7a7

Filesize: 352B
MD5: aa5a6cd5085b97e45481c6446e8a0e60
SHA1: 346cb018c8bc2a838dcd94622c6b65ede87a7679
SHA256: 776cf2fdb3fa39abc1e4de9296cf1f59f8b705c35e3cc0cb122287c3d825f46e
SHA512: 8c6b88b862c5501d2b3b79a09d61058548bad75adf423e6df5a3de98403ba2bab26c3acb3be2641522ee2c66501d925cc3af7085e3d9f71f5b6e70fcdd48782e

Filesize: 352B
MD5: baebfd1cdbacc9aad59f374da980e623
SHA1: 5360008fea5a0124b24ec54ca1d374d916200c0f
SHA256: 4c3526fc582ef261301279496688c02b7e63c6689ef0ba6b54612b6b8dc301bd
SHA512: 87e23e5d1a6fd368eaf460b064b3ee30e1531bc5063a8c9fcf6fe83d0b129bef636e17cdf5cacb4574957c688a5ad2515aa476f207755be52a1f12b176ab2971

Filesize: 8KB
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2