File name:	cfa325c1254aa7ef8b59d08534d7fe27ba83903c3a8b496c2627bdc42e4f3282.exe
Full analysis:	https://app.any.run/tasks/248c01b4-5ced-4e11-9940-7cfe8bcbd9e2
Verdict:	Malicious activity
Analysis date:	January 11, 2025, 00:18:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	mydoom upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 4 sections
MD5:	9F170512DC6DA064CE71A341BFBBF8C4
SHA1:	3E83CA96BF203C9E57E728BDDB35ED302E38D8F9
SHA256:	CFA325C1254AA7EF8B59D08534D7FE27BA83903C3A8B496C2627BDC42E4F3282
SSDEEP:	768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJKf:RnTFbUgXf3Uq78TY16iOu

.exe	\|	UPX compressed Win32 Executable (38.2)
.exe	\|	Win32 EXE Yoda's Crypter (37.5)
.dll	\|	Win32 Dynamic Link Library (generic) (9.2)
.exe	\|	Win32 Executable (generic) (6.3)
.exe	\|	Clipper DOS Executable (2.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	7
CodeSize:	25088
InitializedDataSize:	4096
UninitializedDataSize:	32768
EntryPoint:	0x10024
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(716) cfa325c1254aa7ef8b59d08534d7fe27ba83903c3a8b496c2627bdc42e4f3282.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	JavaVM
Value: C:\Users\admin\AppData\Local\Temp\java.exe
(PID) Process:	(5992) services.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Services
Value: C:\Users\admin\AppData\Local\Temp\services.exe

PID	Process	Filename		Type
716	cfa325c1254aa7ef8b59d08534d7fe27ba83903c3a8b496c2627bdc42e4f3282.exe	C:\Users\admin\AppData\Local\Temp\java.exe		executable
		MD5:9F170512DC6DA064CE71A341BFBBF8C4	SHA256:CFA325C1254AA7EF8B59D08534D7FE27BA83903C3A8B496C2627BDC42E4F3282
5992	services.exe	C:\Users\admin\AppData\Local\Temp\nscom.log		binary
		MD5:11D8B3D000D7F18BD5FE0D40A922F8DF	SHA256:860C89AA471061A9A8E576E40CC24C38A852B2C3BB9891C8B68B29FDC7EBD092
716	cfa325c1254aa7ef8b59d08534d7fe27ba83903c3a8b496c2627bdc42e4f3282.exe	C:\Users\admin\AppData\Local\Temp\zincite.log		binary
		MD5:55CF923AB415914D3BDA352FD2374931	SHA256:39350C1FD0006CBCDE51B9EAF71A5DD1C1DD0C26DF802EFC18045A080BE94FA9
716	cfa325c1254aa7ef8b59d08534d7fe27ba83903c3a8b496c2627bdc42e4f3282.exe	C:\Users\admin\AppData\Local\Temp\services.exe		executable
		MD5:B0FE74719B1B647E2056641931907F4A	SHA256:BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1356	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5964	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1356	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1356	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5964	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5992	services.exe	172.16.1.3:1034	—	—	—	unknown
1356	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1356	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5964	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
self.events.data.microsoft.com	52.178.17.233	whitelisted

General Info

cfa325c1254aa7ef8b59d08534d7fe27ba83903c3a8b496c2627bdc42e4f3282.exe

9F170512DC6DA064CE71A341BFBBF8C4

3E83CA96BF203C9E57E728BDDB35ED302E38D8F9

CFA325C1254AA7EF8B59D08534D7FE27BA83903C3A8B496C2627BDC42E4F3282

768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJKf:RnTFbUgXf3Uq78TY16iOu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

MYDOOM has been detected

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Connects to unusual port

Executable content was dropped or overwritten

INFO

Checks proxy server information

Checks supported languages

Create files in a temporary directory

Failed to create an executable file in Windows directory

Reads the computer name

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings