mydoom | 6ec1b39cd672bbe2fd178b01b26b7489ee846ec8460d302a3f95422d23d76407

General

Target

90f41ab2cafc2630bc2a82f2670ca8b0N.exe
Size

28KB
MD5

90f41ab2cafc2630bc2a82f2670ca8b0
SHA1

ea2c2ebc94d68c40d1804788bd82983c9fac1dac
SHA256

6ec1b39cd672bbe2fd178b01b26b7489ee846ec8460d302a3f95422d23d76407
SHA512

56b48eaf25d94e96439077668ef196f7198d5af3f9f1cd0d5be977cddc55edf30ac13dcae37b189798a8a343cacb8c16251b3f11cd242a54aec6b614a3fdfdd0
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNA:Dv8IRRdsxq1DjJcqfH

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/3812-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3812-32-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3812-110-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3812-153-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3812-157-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3812-162-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3812-175-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3812-212-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
4732	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3812-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0008000000023445-4.dat	upx
behavioral2/memory/4732-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4732-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4732-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4732-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4732-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-32-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0009000000023457-43.dat	upx
behavioral2/memory/3812-110-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-111-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-153-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-157-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-162-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-175-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-212-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4732-215-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
File opened for modification	C:\Windows\java.exe	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
File created	C:\Windows\java.exe	90f41ab2cafc2630bc2a82f2670ca8b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90f41ab2cafc2630bc2a82f2670ca8b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4732	3812	90f41ab2cafc2630bc2a82f2670ca8b0N.exe	86
PID 3812 wrote to memory of 4732	3812	90f41ab2cafc2630bc2a82f2670ca8b0N.exe	86
PID 3812 wrote to memory of 4732	3812	90f41ab2cafc2630bc2a82f2670ca8b0N.exe	86

C:\Users\Admin\AppData\Local\Temp\90f41ab2cafc2630bc2a82f2670ca8b0N.exe
"C:\Users\Admin\AppData\Local\Temp\90f41ab2cafc2630bc2a82f2670ca8b0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\951G8FD5\default[9].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDS6YA2E\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\brcqqygivI.log

Filesize
1KB

MD5
37e55761b03d64d39f7d9525838099c2

SHA1
fff143c071d0b7d40a96d79b036728b8d9fcce54

SHA256
15e274e62088cba893a493acae009bdd86831e22ffe809e9806bb771e1024ffa

SHA512
4a1d6a2595ef2ae59d81b76c7a0a7ac50eabf2be643f17ed021bcd3ff5aad11511f8f99192e0d9a61be47a8ff58790a5af34961a80332e0c01dadf7e46b24580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6649.tmp

Filesize
28KB

MD5
3af32bcf7f7c425d6b643034a0fc86fa

SHA1
4f5e987fbe66d41f8d57ef9b9c2092e47854ce16

SHA256
20ef657dcec67729bef09d1fbf880545ac2308935731a05652c30fdf71f935bd

SHA512
28dc0d64bd3552fa3f7430128f91ea957e4c329e0ac2802a09a838dd7221705fd592d450748b8be8d06e2acaf18be673f361ab5ff3620815f177f68b762a85ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
01a5b5685ba5660371296e78e46599e6

SHA1
466208cbec53ba8455f9fa981aef9553002bfb7d

SHA256
ca041c5f6cd3e41be4001325b920aacefca1e5cbb4c122a44a1897273f662a1b

SHA512
5f7e8c3e5b6efa75711bb506aad41eefddd9e281c9f6deec108c845efda9ccf6850d84dae3161da2517cae965a098c8700800b83449856b595b84795514800a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f833d85d97330328437a9973a854f521

SHA1
528d5166129fb783a617c1c6e24223943175640c

SHA256
d80feef54879b793a7842d881c81de6222ab47f31d6df5f3bd66029018e95a4c

SHA512
a1c824e58bac1254362c6d107b24c9d1a02369d888d5d42c8971e0cfda037c7cf0a6eb82fedbe0aecb09289a37c827d4f402b8718b3826e74d44ed0fd7619aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
1bc9b38b3714d9da2608c7ace83aefac

SHA1
4474273784c06af4a441e13306b3a1b691e5ebf1

SHA256
5a3d3de85cbbe7f06c0073a8965201a853f7719ec1d2c05408c87099c62c5b23

SHA512
c3e7fc34fa7c0ea04640957ad4e4f2b95d0d39acafb65d7aa137abeb54df889cec3ae69dc42a94335fb4c2608a8946277be6ae0442c21c6954271c4b66b9944e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3812-157-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-212-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-175-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-32-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-162-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-110-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3812-153-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4732-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-111-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads