File name:	03d673559a8d605659458de942d2af79645c767847ac76978c01f89ad385face
Full analysis:	https://app.any.run/tasks/d787fcc2-1479-4612-b057-ad6c6fa9bd3e
Verdict:	Malicious activity
Analysis date:	January 10, 2025, 19:31:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	mydoom upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 4 sections
MD5:	43052126CA8F12F7B358DD41EDD9263C
SHA1:	EFC8307F051B1F209EA4D33DBE34BFC0B4AE5182
SHA256:	03D673559A8D605659458DE942D2AF79645C767847AC76978C01F89AD385FACE
SSDEEP:	768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJK2:RnTFbUgXf3Uq78TY16iO5

.exe	\|	UPX compressed Win32 Executable (38.2)
.exe	\|	Win32 EXE Yoda's Crypter (37.5)
.dll	\|	Win32 Dynamic Link Library (generic) (9.2)
.exe	\|	Win32 Executable (generic) (6.3)
.exe	\|	Clipper DOS Executable (2.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	7
CodeSize:	25088
InitializedDataSize:	4096
UninitializedDataSize:	32768
EntryPoint:	0x10024
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(3952) 03d673559a8d605659458de942d2af79645c767847ac76978c01f89ad385face.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	JavaVM
Value: C:\Users\admin\AppData\Local\Temp\java.exe
(PID) Process:	(5972) services.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Services
Value: C:\Users\admin\AppData\Local\Temp\services.exe

PID	Process	Filename		Type
3952	03d673559a8d605659458de942d2af79645c767847ac76978c01f89ad385face.exe	C:\Users\admin\AppData\Local\Temp\java.exe		executable
		MD5:43052126CA8F12F7B358DD41EDD9263C	SHA256:03D673559A8D605659458DE942D2AF79645C767847AC76978C01F89AD385FACE
5972	services.exe	C:\Users\admin\AppData\Local\Temp\nscom.log		binary
		MD5:B42ADC0D35B8327871EE1E4B94B6AE93	SHA256:A8A93A3D6DDDE36A6976734C1E62DCE5BEDC34BAB51E0EC046EFF0BF4A29D1EB
3952	03d673559a8d605659458de942d2af79645c767847ac76978c01f89ad385face.exe	C:\Users\admin\AppData\Local\Temp\zincite.log		binary
		MD5:7209B22E7209140550B5B0137711DBE1	SHA256:9154B383DABE0A61860B77F1D09F73191198F737BDE5F5907C63BFB41A832FE0
3952	03d673559a8d605659458de942d2af79645c767847ac76978c01f89ad385face.exe	C:\Users\admin\AppData\Local\Temp\services.exe		executable
		MD5:B0FE74719B1B647E2056641931907F4A	SHA256:BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
488	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
488	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5972	services.exe	172.16.1.3:1034	—	—	—	unknown
4712	MoUsoCoreWorker.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
488	svchost.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
488	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	2.16.164.24 2.16.164.99 2.16.164.98 2.16.164.88 2.16.164.128 2.16.164.17 2.16.164.122	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
self.events.data.microsoft.com	20.189.173.11	whitelisted

General Info

03d673559a8d605659458de942d2af79645c767847ac76978c01f89ad385face

43052126CA8F12F7B358DD41EDD9263C

EFC8307F051B1F209EA4D33DBE34BFC0B4AE5182

03D673559A8D605659458DE942D2AF79645C767847AC76978C01F89AD385FACE

768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJK2:RnTFbUgXf3Uq78TY16iO5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

MYDOOM has been detected

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Connects to unusual port

The process creates files with name similar to system file names

INFO

Reads the computer name

UPX packer has been detected

Checks supported languages

Create files in a temporary directory

Checks proxy server information

Failed to create an executable file in Windows directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings