Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20250314-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28/03/2025, 15:26
Behavioral task: behavioral1
Sample: 23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
Resource: win10v2004-20250314-en
General

Target: 23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
Size: 53KB
MD5: 64e1a3284ba834792da9b6bad7b4f96a
SHA1: 30a5faf20fd25c0b0090c7f87e0024a9f3237b42
SHA256: 23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85
SHA512: fe1085e8e76a4f31c44489daeaf3b265e88b059e0a29897babb4992ae34789bb7ea0be3c7369585dcd0d4184b97e3201ead6c095938944cf7754cf16a80d3a4b
SSDEEP: 768:SCIqdH/k1ZVcT194jp4xxcIhhJnj/gTRKp13eCgb38cnDauSf54rZ4MixGOjTZPg:SNqaLV8a6xfhhJnj/aRMeCgb3LDy4aG
Malware Config
Signatures

Detects MyDoom family 22 IoCs
Mydoom family

Executes dropped EXE 2 IoCs
  pid   Process
  2228  lsass.exe
  6084  lsass.exe
Adds Run key to start application 2 TTPs 2 IoCs
  description      ioc                                                                                                       Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"  23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"  lsass.exe
UPX (yara_rule upx) 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
  description                   ioc                   Process
  File opened for modification  C:\Windows\lsass.exe  23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
  File created                  C:\Windows\lsass.exe  23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
  File opened for modification  C:\Windows\lsass.exe  lsass.exe
  File created                  C:\Windows\lsass.exe  lsass.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lsass.exe
Suspicious use of WriteProcessMemory 6 IoCs
  description                    pid   Process  procid_target
  PID 4272 wrote to memory of 2228  4272  cmd.exe  88
  PID 4272 wrote to memory of 2228  4272  cmd.exe  88
  PID 4272 wrote to memory of 2228  4272  cmd.exe  88
  PID 2948 wrote to memory of 6084  2948  cmd.exe  91
  PID 2948 wrote to memory of 6084  2948  cmd.exe  91
  PID 2948 wrote to memory of 6084  2948  cmd.exe  91
Processes

C:\Users\Admin\AppData\Local\Temp\23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 3896

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\lsass.exe
  - Suspicious use of WriteProcessMemory
  PID: 4272
    C:\Windows\lsass.exe
      Command line: C:\Windows\lsass.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 2228

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\lsass.exe
  - Suspicious use of WriteProcessMemory
  PID: 2948
    C:\Windows\lsass.exe
      Command line: C:\Windows\lsass.exe
      - Executes dropped EXE
      PID: 6084
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 32KB
MD5: 51ae800f581eb172987452b8ca71c421
SHA1: e92ed85484874ddc7ea69f996b3735a067cb1a7e
SHA256: 362cd96b39f9e958dbdcf384d98d6757f233c7caea6a78de7c38a533d668f981
SHA512: 71b1015b4d3e1faab921be9800c5e6b2652511a6ed6882f4a430e051d39b96f71f67dd55f2b5012c33b11a1406ab51357f8c99cb6672efb012d2930a822e7a88

Filesize: 53KB
MD5: 64e1a3284ba834792da9b6bad7b4f96a
SHA1: 30a5faf20fd25c0b0090c7f87e0024a9f3237b42
SHA256: 23e42710764f91c9732f00abb93ebd9af4bb75da30c91f06d46d0dae43185c85
SHA512: fe1085e8e76a4f31c44489daeaf3b265e88b059e0a29897babb4992ae34789bb7ea0be3c7369585dcd0d4184b97e3201ead6c095938944cf7754cf16a80d3a4b