Analysis

  • max time kernel
    38s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2025, 15:31

General

  • Target

    2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe

  • Size

    29KB

  • MD5

    4bdf6ff55589f81e261c5f8ce04eddf3

  • SHA1

    920140ce2dedee06b09c9e271e810cb34da5080f

  • SHA256

    2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19

  • SHA512

    3dad6863ec0565613ae13c132d84e2873020395188ab1dbceba06e6eeffb45251c5313a7758f37f662eaa92bb0a4d63c6e1cbc490c6ea6087f7e68cbb617cceb

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/qhY:AEwVs+0jNDY1qi/qyW

Malware Config

Signatures

  • Detects MyDoom family 1 IoCs
  • MyDoom

    MyDoom is a Worm that is written in C++.

  • Mydoom family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
    "C:\Users\Admin\AppData\Local\Temp\2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2672
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2728
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3032
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:944
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\services.exe

    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/2084-17-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2084-4-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2084-0-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2084-9-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2672-11-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2672-19-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2672-20-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2672-27-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2672-34-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2728-24-0x00000000052E0000-0x00000000052E1000-memory.dmp

    Filesize

    4KB

  • memory/3032-28-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB