Analysis
- max time kernel: 38s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2025, 15:31
Behavioral task: behavioral1
- Sample: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
- Resource: win10v2004-20250314-en
General
- Target: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
- Size: 29KB
- MD5: 4bdf6ff55589f81e261c5f8ce04eddf3
- SHA1: 920140ce2dedee06b09c9e271e810cb34da5080f
- SHA256: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19
- SHA512: 3dad6863ec0565613ae13c132d84e2873020395188ab1dbceba06e6eeffb45251c5313a7758f37f662eaa92bb0a4d63c6e1cbc490c6ea6087f7e68cbb617cceb
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/qhY:AEwVs+0jNDY1qi/qyW
Malware Config
Signatures
Detects MyDoom family 1 IoCs
- resource: behavioral1/memory/2084-17-0x0000000000500000-0x0000000000510200-memory.dmp, yara_rule: family_mydoom
Mydoom family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components (Process: explorer.exe) (×4, identical entries)
Executes dropped EXE 1 IoCs
- PID 2672: services.exe
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (Process: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (Process: services.exe)
resource yara_rule
- behavioral1/memory/2084-0-0x0000000000500000-0x0000000000510200-memory.dmp upx
- behavioral1/memory/2084-4-0x0000000000400000-0x0000000000408000-memory.dmp upx
- behavioral1/files/0x0007000000018780-7.dat upx
- behavioral1/memory/2672-11-0x0000000000400000-0x0000000000408000-memory.dmp upx
- behavioral1/memory/2084-9-0x0000000000400000-0x0000000000408000-memory.dmp upx
- behavioral1/memory/2084-17-0x0000000000500000-0x0000000000510200-memory.dmp upx
- behavioral1/memory/2672-19-0x0000000000400000-0x0000000000408000-memory.dmp upx
- behavioral1/memory/2672-20-0x0000000000400000-0x0000000000408000-memory.dmp upx
- behavioral1/memory/2672-27-0x0000000000400000-0x0000000000408000-memory.dmp upx
- behavioral1/memory/2672-34-0x0000000000400000-0x0000000000408000-memory.dmp upx
Drops file in Windows directory 3 IoCs
- File opened for modification: C:\Windows\java.exe (Process: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe)
- File created: C:\Windows\java.exe (Process: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe)
- File created: C:\Windows\services.exe (Process: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe)
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: services.exe)
Modifies registry class 20 IoCs (all by Process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings (×4)
- Key created: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (×4)
- Key created: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (×4)
- Set value (data): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (×4)
- Set value (data): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (×4)
Suspicious use of AdjustPrivilegeToken 48 IoCs
- Token: SeShutdownPrivilege, PID 2728 explorer.exe (×12)
- Token: SeShutdownPrivilege, PID 3032 explorer.exe (×12)
- Token: SeShutdownPrivilege, PID 944 explorer.exe (×12)
- Token: SeShutdownPrivilege, PID 2516 explorer.exe (×12)
Suspicious use of FindShellTrayWindow 64 IoCs
- PID 2728 explorer.exe (×24)
- PID 3032 explorer.exe (×24)
- PID 944 explorer.exe (×16)
Suspicious use of SendNotifyMessage 64 IoCs
- PID 2728 explorer.exe (×20)
- PID 3032 explorer.exe (×20)
- PID 944 explorer.exe (×15)
- PID 2516 explorer.exe (×9)
Suspicious use of WriteProcessMemory 4 IoCs
- PID 2084 wrote to memory of 2672 (Process: 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe, procid_target: 30) (×4, identical entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe"
  PID: 2084
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (child of PID 2084)
    Command line: "C:\Windows\services.exe"
    PID: 2672
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2728
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 3032
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 944
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2516
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2