File name: 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84

Full analysis: https://app.any.run/tasks/6c430642-302d-4b63-93ed-00efe814f2f0
Verdict: Malicious activity
Analysis date: January 10, 2025, 23:13:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
mydoom
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 4 sections
MD5: D991AB582EC38871DA084961DFAE31C4
SHA1: 86051736B631F31150668F815B6D0CCB08E56D38
SHA256: 4553EC7A5E4461AEEBB90F66ACC75D434A72A84314A9014563C2F61CA0A1CB84
SSDEEP: 768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJKG:RnTFbUgXf3Uq78TY16iOp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MYDOOM has been detected

      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
      • services.exe (PID: 5548)
    • Changes the autorun value in the registry

      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
      • services.exe (PID: 5548)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
    • Executable content was dropped or overwritten

      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
    • Reads security settings of Internet Explorer

      • services.exe (PID: 5548)
      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
    • Connects to unusual port

      • services.exe (PID: 5548)
  • INFO

    • Failed to create an executable file in Windows directory

      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
    • Checks supported languages

      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
      • services.exe (PID: 5548)
    • Create files in a temporary directory

      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
      • services.exe (PID: 5548)
    • Reads the computer name

      • services.exe (PID: 5548)
      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
    • Checks proxy server information

      • services.exe (PID: 5548)
      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
    • UPX packer has been detected

      • services.exe (PID: 5548)
      • 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID: 5432)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Clipper DOS Executable (2.8)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x10024
UninitializedDataSize: 32768
InitializedDataSize: 4096
CodeSize: 25088
LinkerVersion: 7
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 0000:00:00 00:00:00
MachineType: Intel 386 or later, and compatibles
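The header fields above (UPX compressed, 4 sections, zeroed TimeStamp, EntryPoint 0x10024, 32768 bytes of uninitialized data against 25088 bytes of code) are exactly what a packer check reads. The following Python is an added example, not part of the ANY.RUN report: it parses the PE file header and section table with struct alone and applies the usual UPX heuristics. The two section layouts it runs on are constructed headers-only PE32 images for the test; their names, addresses and sizes are invented and are not this sample's real layout.

```python
import struct

COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)

# Constructed section tables for the test PEs (not this sample's real layout).
PACKED_SECTIONS = [
    # name,   VirtualAddress, VirtualSize, SizeOfRawData, Characteristics
    (b"UPX0",  0x1000,  0x8000, 0x0000, 0xE0000080),  # empty on disk, filled by the stub at run time
    (b"UPX1",  0x9000,  0x7000, 0x6200, 0xE0000040),  # packed payload plus decompression stub
    (b".rsrc", 0x10000, 0x1000, 0x0200, 0xC0000040),
]
CLEAN_SECTIONS = [
    (b".text",  0x1000, 0x5000, 0x5000, 0x60000020),
    (b".rdata", 0x6000, 0x1000, 0x1000, 0x40000040),
    (b".data",  0x7000, 0x1000, 0x0400, 0xC0000040),
]

def build_test_pe(sections, entry_point, timestamp):
    """Assemble a headers-only PE32 image so the parser can be exercised offline."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                    # standard PE32 optional header size
    # 0x010F = no relocs | executable | no line numbers | no symbols | 32-bit, as in the report
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)       # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_HDR, name, vsize, va, rawsize, 0, 0, 0, 0, 0, chars)
                    for name, va, vsize, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_pe(data):
    """Read the fields the triage needs from the file header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from(COFF_HDR, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections, off = [], opt_off + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize = struct.unpack_from(SECTION_HDR, data, off)[:4]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize})
        off += struct.calcsize(SECTION_HDR)
    return {"machine": machine, "timestamp": tstamp, "characteristics": chars,
            "magic": magic, "entry_point": entry, "sections": sections}

def triage(info):
    """Packer-related findings from the parsed headers (empty list means none)."""
    findings, secs, ep = [], info["sections"], info["entry_point"]
    if any(s["name"].startswith("UPX") for s in secs):
        findings.append("UPX section names present")
    if info["timestamp"] == 0:
        findings.append("zeroed TimeDateStamp")
    ep_idx = next((i for i, s in enumerate(secs)
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_idx is None:
        findings.append("entry point outside every section")
        return findings
    # A section with no bytes on disk but a large virtual size, sitting before the
    # section that holds the entry point, is where an unpacking stub writes its output.
    for s in secs[:ep_idx]:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"section '{s['name']}' has no raw data but 0x{s['vsize']:x} bytes virtual size")
    if ep_idx > 0:
        findings.append(f"entry point in section '{secs[ep_idx]['name']}', not the first section")
    return findings

def analyze(data):
    return triage(parse_pe(data))

if __name__ == "__main__":
    for label, secs, ep, ts in (("packed", PACKED_SECTIONS, 0xF024, 0),
                                ("clean", CLEAN_SECTIONS, 0x1234, 0x5F000000)):
        print(label, analyze(build_test_pe(secs, ep, ts)) or ["no findings"])
```

The section-name check is the weakest of the four: renaming UPX0/UPX1 defeats it while leaving the file unpackable. The layout checks (an empty-on-disk section ahead of the entry point, entry point in a later section) survive renaming, which is why TRiD and the sandbox's "UPX packer has been detected" signature should be read alongside the raw header fields rather than trusted alone.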
All screenshots are available in the full report
Total processes: 118
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (MYDOOM) → services.exe (MYDOOM)

Process information

PID 5432
CMD: "C:\Users\admin\Desktop\4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe"
Path: C:\Users\admin\Desktop\4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID 5548
CMD: "C:\Users\admin\AppData\Local\Temp\services.exe"
Path: C:\Users\admin\AppData\Local\Temp\services.exe
Parent process: 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe (PID 5432)
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\services.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 1 007
Read events: 852
Write events: 155
Delete events: 0

Modification events

PID 5432, 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: JavaVM
Value: C:\Users\admin\AppData\Local\Temp\java.exe

PID 5548, services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Services
Value: C:\Users\admin\AppData\Local\Temp\services.exe

Both writes are Run-key persistence pointing at executables in the user's Temp directory (java.exe carries the same MD5 and SHA256 as the analyzed sample, see the dropped files below). The key lands under WOW6432Node because both processes are 32-bit (note the wow64 modules in their image lists) and HKLM\SOFTWARE is redirected for them on 64-bit Windows; when hunting for this persistence, check both the native Run key and the WOW6432Node one.
Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID 5432, 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe: C:\Users\admin\AppData\Local\Temp\zincite.log (binary)
MD5: F0A7A98CF349817543CDC435897D720C
SHA256: DF4161641367FD4E0B48FBEE06247A9E9C11F3CF74FAD81EFAE0FFEE66E1465D

PID 5548, services.exe: C:\Users\admin\AppData\Local\Temp\nscom.log (binary)
MD5: 8BCF262CE732610F2DA5B11A57B8F616
SHA256: C89A2713635B99D7DCD8EB196692578371113887C8E85B6B6EDA6E63ABCE8BD7

PID 5432, 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe: C:\Users\admin\AppData\Local\Temp\services.exe (executable)
MD5: B0FE74719B1B647E2056641931907F4A
SHA256: BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C

PID 5432, 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe: C:\Users\admin\AppData\Local\Temp\java.exe (executable)
MD5: D991AB582EC38871DA084961DFAE31C4
SHA256: 4553EC7A5E4461AEEBB90F66ACC75D434A72A84314A9014563C2F61CA0A1CB84
(identical MD5 and SHA256 to the analyzed sample: java.exe is a byte-for-byte copy of it, and it is the target of the JavaVM Run value)
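The dropped-file list, the Run values and the process tree together tell the persistence story: the sample copies itself to Temp as java.exe, drops a distinct services.exe, launches it, and each binary registers an autorun value. The Python below is an added example, not part of the ANY.RUN report: it correlates dropped files with the sample hash and with autorun targets to state, per Run value, where the target came from and whether it is a self-copy. The paths, hashes and PIDs are the ones listed in this report; the extra "Updater" Run value is constructed to exercise the branch where a target was never dropped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DroppedFile:
    pid: int          # process that wrote the file
    path: str
    ftype: str        # sandbox label: "executable" or "binary"
    sha256: str

@dataclass(frozen=True)
class RunValue:
    pid: int          # process that wrote the Run value
    name: str
    target: str

@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent_pid: int

SAMPLE_SHA256 = "4553EC7A5E4461AEEBB90F66ACC75D434A72A84314A9014563C2F61CA0A1CB84"
TEMP = r"C:\Users\admin\AppData\Local\Temp"

# Dropped files, Run values and the child process as listed in the report above.
DROPPED = [
    DroppedFile(5432, TEMP + r"\zincite.log", "binary",
                "DF4161641367FD4E0B48FBEE06247A9E9C11F3CF74FAD81EFAE0FFEE66E1465D"),
    DroppedFile(5548, TEMP + r"\nscom.log", "binary",
                "C89A2713635B99D7DCD8EB196692578371113887C8E85B6B6EDA6E63ABCE8BD7"),
    DroppedFile(5432, TEMP + r"\services.exe", "executable",
                "BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C"),
    DroppedFile(5432, TEMP + r"\java.exe", "executable",
                "4553EC7A5E4461AEEBB90F66ACC75D434A72A84314A9014563C2F61CA0A1CB84"),
]
RUN_VALUES = [
    RunValue(5432, "JavaVM", TEMP + r"\java.exe"),
    RunValue(5548, "Services", TEMP + r"\services.exe"),
    # Constructed entry (not in the report) to exercise the "never dropped" branch.
    RunValue(5548, "Updater", TEMP + r"\updater.exe"),
]
STARTED = [ProcessStart(5548, TEMP + r"\services.exe", 5432)]

def _norm(path: str) -> str:
    return path.strip().strip('"').lower()

def self_copies(sample_sha256, dropped):
    """Paths of dropped files that are byte-identical to the analyzed sample."""
    return sorted(d.path for d in dropped if d.sha256.upper() == sample_sha256.upper())

def correlate(sample_sha256, dropped, run_values, started):
    """For each autorun value, say who set it, who dropped its target, whether the
    target ran, and what the target is relative to the sample."""
    by_path = {_norm(d.path): d for d in dropped}
    exec_pid = {_norm(p.image): p.pid for p in started}
    out = {}
    for rv in run_values:
        d = by_path.get(_norm(rv.target))
        if d is None:
            verdict = "target not among files dropped in this run"
        elif d.sha256.upper() == sample_sha256.upper():
            verdict = "target is a byte-identical copy of the analyzed sample"
        elif d.ftype == "executable":
            verdict = "target is a distinct dropped executable"
        else:
            verdict = "target is a dropped non-executable"
        out[rv.name] = {
            "set_by_pid": rv.pid,
            "dropped_by_pid": d.pid if d else None,
            "executed_as_pid": exec_pid.get(_norm(rv.target)),
            "verdict": verdict,
        }
    return out

if __name__ == "__main__":
    print("self-copies:", self_copies(SAMPLE_SHA256, DROPPED))
    for name, info in correlate(SAMPLE_SHA256, DROPPED, RUN_VALUES, STARTED).items():
        print(name, info)
```

Run against the report's data this yields two persistence points: JavaVM pointing at a self-copy that never executed during the analysis, and Services pointing at a second, different binary that did run (PID 5548) and then wrote its own autorun value. A hash match between a dropped file and the parent sample is the cheapest reliable indicator of worm-style self-replication; the two .log files are left as "non-executable" because the report gives nothing about their contents.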
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 25
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4300 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4300 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

None of the four HTTP requests come from the monitored processes (PIDs 5432 and 5548); all are Windows CRL downloads by system processes and are whitelisted.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4300 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5548 | services.exe | 10.156.133.4:1034 | | | | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4300 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

The two rows without a PID and process name appear that way in the report. The only connection attributable to a monitored process is services.exe (PID 5548) to 10.156.133.4:1034, with no domain, ASN or reputation data; this is the basis for the "Connects to unusual port" signature. 10.156.133.4 lies in the private 10.0.0.0/8 range, so it is not a public host. Everything else is Windows telemetry, CRL retrieval or NetBIOS broadcast traffic from system processes.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.155
  • 104.126.37.153
  • 104.126.37.162
  • 104.126.37.123
  • 104.126.37.144
  • 104.126.37.160
  • 104.126.37.154
  • 104.126.37.131
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.2
whitelisted

Threats

No threats detected
No debug info