mydoom | 6ec1b39cd672bbe2fd178b01b26b7489ee846ec8460d302a3f95422d23d76407

General

Target

90f41ab2cafc2630bc2a82f2670ca8b0N.exe
Size

28KB
MD5

90f41ab2cafc2630bc2a82f2670ca8b0
SHA1

ea2c2ebc94d68c40d1804788bd82983c9fac1dac
SHA256

6ec1b39cd672bbe2fd178b01b26b7489ee846ec8460d302a3f95422d23d76407
SHA512

56b48eaf25d94e96439077668ef196f7198d5af3f9f1cd0d5be977cddc55edf30ac13dcae37b189798a8a343cacb8c16251b3f11cd242a54aec6b614a3fdfdd0
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNA:Dv8IRRdsxq1DjJcqfH

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/2152-15-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2152-40-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2152-59-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2152-63-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2152-68-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2152-75-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
3044	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-2-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2152-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0008000000016d6d-7.dat	upx
behavioral1/memory/2152-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3044-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3044-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3044-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3044-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3044-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3044-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-40-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3044-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x002d000000016d5d-51.dat	upx
behavioral1/memory/2152-59-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3044-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-63-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3044-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-68-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3044-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3044-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-75-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3044-76-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
File created	C:\Windows\services.exe	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
File opened for modification	C:\Windows\java.exe	90f41ab2cafc2630bc2a82f2670ca8b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3044	2152	90f41ab2cafc2630bc2a82f2670ca8b0N.exe	31
PID 2152 wrote to memory of 3044	2152	90f41ab2cafc2630bc2a82f2670ca8b0N.exe	31
PID 2152 wrote to memory of 3044	2152	90f41ab2cafc2630bc2a82f2670ca8b0N.exe	31
PID 2152 wrote to memory of 3044	2152	90f41ab2cafc2630bc2a82f2670ca8b0N.exe	31

C:\Users\Admin\AppData\Local\Temp\90f41ab2cafc2630bc2a82f2670ca8b0N.exe
"C:\Users\Admin\AppData\Local\Temp\90f41ab2cafc2630bc2a82f2670ca8b0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UniqATwr.log

Filesize
1KB

MD5
4ee7c8999da3fa294c0a742bb6e1dde7

SHA1
a7018b82caa69bbbbac2b9f344564cf2e2d45969

SHA256
52e1069b0ab4f3a9ed99c1425d76c5d4c6c0c0d7b11410a9af3796bc523e24f3

SHA512
3fc5fff2e5949319fdfbedc9a2c1d23d03dd95098fd0db0453d6e5434dd4144dd81f8d22bcff012d882a41e105f0291316069be0512ea53733cad5f788e203a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF826.tmp

Filesize
28KB

MD5
417ebcffc68cf9409e3d07aac23aa1fd

SHA1
7e0192b366ea60a18ac4f601722de8bd4eecc993

SHA256
9283c841bc377947fe8db94a1bd60a0fce3b2bda8723b484549998c122dc28f2

SHA512
be459535a422c3825aa496390e743ab8192b52f75a2bf5b7871ab5aaebe3aeac3a3e844318cc19c82e4ebda867315ecbadae97ba2c6cc1d3ef6e424a8584fb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
c71b4c51cc8375c904846ff02f471f05

SHA1
de3c725cd7d7a26a7589edd35b6fb10be2d85c34

SHA256
7b0fae61e374134fc008c4b2da447b99e45073f7e44ebfda21faa8d9736b961b

SHA512
b8a5721b4dd7c8cb40d0f1427cc38f8be95ccff52fac67cb0cc4fd98f1ce71cf71c5252943814a84b14241f5162d3962c542611da2515560e68f10aff139eff5

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2152-40-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2152-68-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2152-75-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2152-63-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2152-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2152-59-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2152-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2152-2-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2152-16-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/3044-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3044-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads