File name:	4b2d8c89786a5bec4369c84c067a96e77322a0fed8b0964c5b7a939fe08d909f
Full analysis:	https://app.any.run/tasks/18f6914d-60ea-4010-bc1a-fdb6a7ea1fa5
Verdict:	Malicious activity
Analysis date:	January 10, 2025, 23:35:57
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	mydoom upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 4 sections
MD5:	B2CFF5C1C1D99AF6982163B76D6316E2
SHA1:	70350C99E10D4E8470F4C2083B6B8B9EBA02DC92
SHA256:	4B2D8C89786A5BEC4369C84C067A96E77322A0FED8B0964C5B7A939FE08D909F
SSDEEP:	768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJKj:RnTFbUgXf3Uq78TY16iOG

.exe	\|	UPX compressed Win32 Executable (38.2)
.exe	\|	Win32 EXE Yoda's Crypter (37.5)
.dll	\|	Win32 Dynamic Link Library (generic) (9.2)
.exe	\|	Win32 Executable (generic) (6.3)
.exe	\|	Clipper DOS Executable (2.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	7
CodeSize:	25088
InitializedDataSize:	4096
UninitializedDataSize:	32768
EntryPoint:	0x10024
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(5340) 4b2d8c89786a5bec4369c84c067a96e77322a0fed8b0964c5b7a939fe08d909f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	JavaVM
Value: C:\Users\admin\AppData\Local\Temp\java.exe
(PID) Process:	(4864) services.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Services
Value: C:\Users\admin\AppData\Local\Temp\services.exe

PID	Process	Filename		Type
5340	4b2d8c89786a5bec4369c84c067a96e77322a0fed8b0964c5b7a939fe08d909f.exe	C:\Users\admin\AppData\Local\Temp\services.exe		executable
		MD5:B0FE74719B1B647E2056641931907F4A	SHA256:BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
5340	4b2d8c89786a5bec4369c84c067a96e77322a0fed8b0964c5b7a939fe08d909f.exe	C:\Users\admin\AppData\Local\Temp\java.exe		executable
		MD5:B2CFF5C1C1D99AF6982163B76D6316E2	SHA256:4B2D8C89786A5BEC4369C84C067A96E77322A0FED8B0964C5B7A939FE08D909F
4864	services.exe	C:\Users\admin\AppData\Local\Temp\nscom.log		binary
		MD5:9EA53DDA2010D53CFECB5696026F0F5D	SHA256:6084605FC4A8DB9988FC4359459AA584499C564DE1A8A90EF93A2F311F3A68F5
5340	4b2d8c89786a5bec4369c84c067a96e77322a0fed8b0964c5b7a939fe08d909f.exe	C:\Users\admin\AppData\Local\Temp\zincite.log		binary
		MD5:EBE813963EDE9F545F3B927AA6789657	SHA256:7C859F75D514FC3D72D97B6079319F30E9FD76363EB4A38DF5A15D89A76344DB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3040	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
3040	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.163:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4864	services.exe	172.16.1.3:1034	—	—	—	unknown
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3040	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
www.bing.com	104.126.37.163 104.126.37.131 104.126.37.154 104.126.37.144 104.126.37.123 104.126.37.145 104.126.37.128	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	40.74.98.193	whitelisted

General Info

4b2d8c89786a5bec4369c84c067a96e77322a0fed8b0964c5b7a939fe08d909f

B2CFF5C1C1D99AF6982163B76D6316E2

70350C99E10D4E8470F4C2083B6B8B9EBA02DC92

4B2D8C89786A5BEC4369C84C067A96E77322A0FED8B0964C5B7A939FE08D909F

768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJKj:RnTFbUgXf3Uq78TY16iOG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

MYDOOM has been detected

Changes the autorun value in the registry

SUSPICIOUS

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Connects to unusual port

INFO

Checks proxy server information

Failed to create an executable file in Windows directory

Checks supported languages

Reads the computer name

Create files in a temporary directory

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings