mydoom | 286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Size

29KB
MD5

a4eade9dcb27ac0aaa77321d89c86ae0
SHA1

c7e49f2cb474d9b0624c39db724ae5469287f4f2
SHA256

286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13
SHA512

19bb11b648e188ff1dd2d2586dccf2d7bbcab383fd54f53f7eb000ffe084fb9a3c322865d9a78d5c194665d8bc592c327d7a7798fec496f8e54403fa3e868a81
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/MhQ:AEwVs+0jNDY1qi/qEm

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral1/memory/2032-15-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2032-30-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2032-55-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2032-59-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2032-61-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2032-66-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2032-71-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2032-73-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3060	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2032-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2032-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0007000000016a47-9.dat	upx
behavioral1/memory/2032-15-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3060-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3060-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3060-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2032-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-47.dat	upx
behavioral1/memory/2032-55-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2032-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2032-61-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2032-66-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2032-71-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2032-73-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3060-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3060-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
File opened for modification	C:\Windows\java.exe	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
File created	C:\Windows\java.exe	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 3060	2032	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe	31
PID 2032 wrote to memory of 3060	2032	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe	31
PID 2032 wrote to memory of 3060	2032	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe	31
PID 2032 wrote to memory of 3060	2032	286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe	31

C:\Users\Admin\AppData\Local\Temp\286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe
"C:\Users\Admin\AppData\Local\Temp\286b68e95c130c20c4dc47d27af4158a48a339ea225c2c0a944cb892d8df5d13N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e71a0bf137449c2e555d61b45d1f9e4d

SHA1
f8619e234be82124ed2bcbc2e20e370358df8c8a

SHA256
6a88db63f8d01ffd4e75b8ea5c4bc441117bbbbaa1334f91fd454612f899779d

SHA512
8cc10518d7d54666ca9b2c8a429174cde44b3e87d48adec7fc5ee5b85739fbe9008ab3faa96ef487e99c0ac752579b2f725c2c56501c604480b0db5c74afc432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
761946203724560461bce9acee609ee6

SHA1
d854defb231262cb74a13686ac041190eb80fef8

SHA256
45eb123f79f012f6e03f075b9c1427f84eff5422b3614ae904dc186c4c5adb1c

SHA512
4737bfa7eb31e421dcc6aef115d7cd9dc659ec8587b88895c784eb3b5bf7eb07760666e9017f54aa811275b7f1369d3962c69c73acac359d98ffb50a11f486f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47e1a456415414532d2c805d03387315

SHA1
15c4497fdd455dbc7cf3dbf3f0cc448c92d07eae

SHA256
a0595e9b70ef2bf5f03446dcc409c0d52c97261175003c8af35f58e204169975

SHA512
e23e1746398f8ac0e43c283a0fe1aaf795ad710e2812914f00c7c9fabaef92202270b7dbc0f65f158d3e265dc2aac864b66dde58ff22793aa81ccf185dc0d612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc53fa0bcaea6b40a699916c65c7ab50

SHA1
d39e73e2777b3578aecac91bb25875b317b52f92

SHA256
2977a98664ed3d35de503a2c4bc09aeb58be83d0dcaccca8f2aaca121810239e

SHA512
82ec87e2f2ce6251aa1045842fd194d560c899397ee2cd32a6b77c7753e60e0ab3814644adf645e98d1ac5c3b6e12d7f8474536cd2df1317c8d0e69dba0b3f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA9A4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAA15.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA20C.tmp

Filesize
29KB

MD5
014adc6f805ffe505420441c4fdd0ec2

SHA1
ab0a31d0a948da398940f8226fe8008b851bc49a

SHA256
51731360db58098f67d01e6304e929b31131e7a3434f9e9b840b87fd3f668c72

SHA512
d167b0b8d5443848c725d305a4f302922f9ab2d517ab7fe138098c5eb5e6eab9ac376cbc9a6c3547cf7cb7ab068f4422aa4a1bd043cc1ac41777f4fa2ec39231

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
070414357256f4525d1f4e07022a2d92

SHA1
63716f61bd8288b633b6942946cbf38f2c6b3216

SHA256
e3217a602f56d0e2ba494f4c898ef80f14de3e564583d22bdda9bd123381a801

SHA512
8ff63a6e58a99ce2d92f1dede3941db67b3c5bbc7031f35f5f0bda2f15c81dd60b6979b46d4b0000c242f647682d4f15229fb618a0b17c2a91a3573d077e3f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
5b850932455ba45543521989b1d9c463

SHA1
1b4e3cec262b078d73eb354971f501ff10949995

SHA256
85fdc0f7ef0a50cb4cc50f7cae7944efbaeedcb96b362466db19c5f981a92208

SHA512
29fbbd16132a77b52f42388a59a959d8cea83a2e23ef13bcd4ca7aa3d7da43fe46a71be30cb3611d8c6c577848d518b5d89b9d187ed145be54964668f37306bd

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2032-73-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-71-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-55-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2032-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-15-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-61-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-16-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2032-66-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2032-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3060-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads