Overview

overview

10

Static

static

5

605a7e9ff8...09.exe

windows10-2004-x64

10

Resubmissions

09-01-2025 16:49

250109-vbmxzsxjej 10

09-01-2025 00:56

250109-batvcs1lay 10

Analysis

  • max time kernel
    57s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2025 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    605a7e9ff88673d278fe5146464280ac7a9601b48ab71bc816f5db3c0ba86609.exe

  • Size

    29KB

  • MD5

    3b2dc4dad3c5ce4ea2eb8a9605d406cd

  • SHA1

    d894f18cc5e3b2d75fdfa60eb8ed9c8ddf922792

  • SHA256

    605a7e9ff88673d278fe5146464280ac7a9601b48ab71bc816f5db3c0ba86609

  • SHA512

    2ccbda37d4bffce082f01136b4a928124e7bedf6695f825e0c874bf913d36e342c5f899d829513480ef5626763451326adbeef5afb36ebf05428a005360e7bdd

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/7hQ:AEwVs+0jNDY1qi/qDm

Score
10/10
mydoomdiscoverypersistenceupxworm

Malware Config

Signatures

  • Detects MyDoom family 1 IoCs
  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom
  • Mydoom family
    mydoom
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 19 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\605a7e9ff88673d278fe5146464280ac7a9601b48ab71bc816f5db3c0ba86609.exe
    "C:\Users\Admin\AppData\Local\Temp\605a7e9ff88673d278fe5146464280ac7a9601b48ab71bc816f5db3c0ba86609.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:572
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RevokeBackup.wmf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4656
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:568
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      1⤵
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:1352
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 2892
        2⤵
        • Program crash
        PID:2516
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
      1⤵
      • Drops file in Windows directory
      PID:4872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3304 -ip 3304
      1⤵
        PID:1624
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ResumeExport.gif
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4868 CREDAT:17410 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4956
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4212
        • C:\Windows\system32\mspaint.exe
          "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\PingInvoke.rle"
          1⤵
          • Drops file in Windows directory
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2564

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
          Filesize

          256KB

          MD5

          563088ad0f20fabf9dd62c6ba8ae1636

          SHA1

          f9cd2fd153afa1a12ff990cf27c32b8c9c44e878

          SHA256

          eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184

          SHA512

          8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
          Filesize

          1024KB

          MD5

          da08b94b2762b37d3c23f3833334aa3d

          SHA1

          3b0a81a3a5713d271161f8d2189eab32ced36f4d

          SHA256

          d242dce741c571fa915bef1c590cab06a581e9e71609cfc7ac38835a2f87f175

          SHA512

          8f3e54ccbe18a409bb366474128db937db708d9dff6423aa29a855becd562b2c0d2da7372300922d0efe214af11e2dca60f5cfb1feddb9efe8cc78e49c575418

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
          Filesize

          68KB

          MD5

          d507778dee5295447139134680967c55

          SHA1

          9d25e360add80b3220a7399e7b557ca6bd7d8914

          SHA256

          1704539c464d85198c2d6844e8a2e15cffe2e2294dce8658c9a30bd7466de872

          SHA512

          f81e5957f9d84de3f54dec300973e48acb9f177f76aafabc3ed526f2b34350ff59daf84555f35122e5bf16c93c53ff71123084ffdaf8ef68c7a3b089e1b0c0d5

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
          Filesize

          498B

          MD5

          90be2701c8112bebc6bd58a7de19846e

          SHA1

          a95be407036982392e2e684fb9ff6602ecad6f1e

          SHA256

          644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

          SHA512

          d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
          Filesize

          9KB

          MD5

          5433eab10c6b5c6d55b7cbd302426a39

          SHA1

          c5b1604b3350dab290d081eecd5389a895c58de5

          SHA256

          23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

          SHA512

          207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
          Filesize

          9KB

          MD5

          7050d5ae8acfbe560fa11073fef8185d

          SHA1

          5bc38e77ff06785fe0aec5a345c4ccd15752560e

          SHA256

          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

          SHA512

          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
          Filesize

          1KB

          MD5

          71ece5b1c8bcb9bf627a4dc620b8233c

          SHA1

          a440e838fcdaa3843ec6deb6565359e714981adc

          SHA256

          4a91dc7389e9ab5f28dbc1d1967c00f81e9504db70c2bbfc3bf2d53f5a5992c5

          SHA512

          1993f4659d345bbe64edaa3d91c0c2bbc5b39746374e58b2aaa8fd9975ac43903a387adce1e08bb7aea113d7d773ebf534ba26a1f6d5ffbf86c5e4cf1aca2fdc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
          Filesize

          1KB

          MD5

          be123df3a7c2a4ae3ea0f23ea4e7a3d3

          SHA1

          fd136d680eff42ad2583ff2f078fdcd222ad3cb3

          SHA256

          a4ffd2765f94fcdcd248c0657fe1f0d73c74a9cba47fbe749da894da9aa6b2f6

          SHA512

          d2125f7b9fbc2d0dbf8ca039eeb8fd09027b96b148ae5073f2330f5d5e824234ae1f8800b8b4c418af17792235f60b81760520d6a06d0e4847e1d8903117cb35

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
          Filesize

          3KB

          MD5

          03e2668a4da16a7d25574b3d893e7ad4

          SHA1

          56856c8a6f243c58b52691d343f21043afcf320c

          SHA256

          47c1b477bfec2447c519533ac884ffd8a287b6e34188ca3bfae820fa7b6273a4

          SHA512

          c63cdc22873d1cc2fa1c55778b4182ef66ab217679f2de7780a3f4897140f63a5f4d867c12ff86288ccf1af05c2c5871467d5c96ab78adf7320c2a3ee132ee21

          Download Submit

        • C:\Windows\Debug\WIA\wiatrace.log
          Filesize

          7KB

          MD5

          5e5ebadc892ae0429e75af1c83c812ae

          SHA1

          64ec4826e8acdb3bec79cb53c5b76aca967912d5

          SHA256

          e0a884c77a3dc6508e286d4d5e4bfdc849be896ad02b709fa3f6b5b0793de787

          SHA512

          75357487a5449bf44b548ebc256ced5b6f6d032b4c916983349bce6a7a6b3420dfe3bd7a02307bab8d9f78ddcfb58c9205857704d65894546ee17fe65cc668da

          Download Submit

        • C:\Windows\services.exe
          Filesize

          8KB

          MD5

          b0fe74719b1b647e2056641931907f4a

          SHA1

          e858c206d2d1542a79936cb00d85da853bfc95e2

          SHA256

          bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

          SHA512

          9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

          Download Submit

        • memory/572-24-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/572-15-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/572-16-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/572-62-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/572-5-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/572-86-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/572-97-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3052-13-0x0000000000500000-0x0000000000510200-memory.dmp

          Filesize

          64KB

          Download

        • memory/3052-0-0x0000000000500000-0x0000000000510200-memory.dmp

          Filesize

          64KB

          Download