Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-01-2025 12:33
Behavioral task: behavioral1
Sample: a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
Resource: win10v2004-20241007-en
General
Target: a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
Size: 29KB
MD5: 11e9ad3de21a04a016cd15c9aafac011
SHA1: 53cfbbe6648d30f05ed084268fc63fd0051ba0cf
SHA256: a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc
SHA512: fa32c70154036775957cb4883ed87dff1aa6b4014eb48a4247192fc68802097455d54e1f7f30f183220bf6c73a0a4ebf6e5068b532e6f5505b7b59faf9e24dae
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/za:AEwVs+0jNDY1qi/qO
Malware Config
Signatures
Detects MyDoom family (6 IoCs)
resource | yara_rule
behavioral2/memory/3132-13-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3132-49-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3132-51-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3132-146-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3132-169-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral2/memory/3132-176-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
Mydoom family
Executes dropped EXE (1 IoC)
pid | Process
5092 | services.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\services.exe | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
File opened for modification | C:\Windows\java.exe | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
File created | C:\Windows\java.exe | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3132 wrote to memory of 5092 | 3132 | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe | 83
PID 3132 wrote to memory of 5092 | 3132 | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe | 83
PID 3132 wrote to memory of 5092 | 3132 | a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6140875ef4d219d2be5a6b7a10312d8758f1bcd63387884e2738e0409c466fc.exe"
   PID: 3132
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe
      Command line: "C:\Windows\services.exe"
      PID: 5092
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads