mydoom | b13ab3dc1bb327e2b74bf44e94a26a7d89957623b6e787ad4413fc5ca78dc993

General

Target

2f8df73e7d4092fe0087ba993cbace70N.exe
Size

41KB
MD5

2f8df73e7d4092fe0087ba993cbace70
SHA1

c9b3571a3ba5a6baa4c50cdf65eddc78b822732f
SHA256

b13ab3dc1bb327e2b74bf44e94a26a7d89957623b6e787ad4413fc5ca78dc993
SHA512

8ee474e2c4c9544983d3ae0a79300507a50723bffa00d10ecdc097d0a7567a841da53d3b2e8f959032cc106e38c94c54bd542b279d6ab83643b5f1c2fcdda9a4
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/4332-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4332-27-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4332-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4332-131-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4332-147-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4332-156-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4332-189-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4332-224-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
1272	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4332-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000800000002348c-4.dat	upx
behavioral2/memory/1272-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4332-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1272-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1272-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1272-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4332-27-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4332-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000900000002349b-43.dat	upx
behavioral2/memory/4332-131-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-132-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4332-147-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1272-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4332-156-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4332-189-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-190-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4332-224-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1272-225-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2f8df73e7d4092fe0087ba993cbace70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	2f8df73e7d4092fe0087ba993cbace70N.exe
File opened for modification	C:\Windows\java.exe	2f8df73e7d4092fe0087ba993cbace70N.exe
File created	C:\Windows\java.exe	2f8df73e7d4092fe0087ba993cbace70N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f8df73e7d4092fe0087ba993cbace70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1272	4332	2f8df73e7d4092fe0087ba993cbace70N.exe	86
PID 4332 wrote to memory of 1272	4332	2f8df73e7d4092fe0087ba993cbace70N.exe	86
PID 4332 wrote to memory of 1272	4332	2f8df73e7d4092fe0087ba993cbace70N.exe	86

C:\Users\Admin\AppData\Local\Temp\2f8df73e7d4092fe0087ba993cbace70N.exe
"C:\Users\Admin\AppData\Local\Temp\2f8df73e7d4092fe0087ba993cbace70N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N27JXEQ0\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZK5NPJWQ\default[1].htm

Filesize
304B

MD5
cde2c6ec81201bdd39579745c69d502f

SHA1
e025748a7d4361b2803140ed0f0abda1797f5388

SHA256
a81000fc443c3c99e0e653cca135e16747e63bccebd5052ed64d7ae6f63f227f

SHA512
de5ca6169b2bb42a452ebd2f92c23bad3a98c01845a875336d6affe7f0192c2782b1f66f149019c0b880410c836fc45b2e9157dcccc7ad0d9e5953521a2151d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DA7.tmp

Filesize
41KB

MD5
20e2184bbde1bf517a29b33b0de95e9b

SHA1
68e13fac2255982ddfa03e76e6e6cfb58e5b254c

SHA256
709c9c260fa0d05fdd62187ab82d2806d75222ad7402f5f169be537e3edca0f5

SHA512
a6c4dc6267d54061b56cc1f3a91b209fdbf2f9250ea76ea4284f9dc5cf45005a686e5b487bb5f1bb2fd0d36e3058e19e569f9515820c7315ae64cf5d751216f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
4028141e787df93cc7fe26d2870d3782

SHA1
958be4f439284ed3d7eafbec2473a3a6405a8f0e

SHA256
2eaa0729463eb387f2e7e952a5959ed2769f23fb9295cd31482497577e247e68

SHA512
f486ff971576536c26de0b01d4a9a1e1f2fd9fe3d3ab6b6f123da63da0fd38393a33c5167d684958ac7685d59af590f1fd2113f3fb66fd258e7659121b779323

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
bf2f5bcd32bbac7f92ecd89475fd9e66

SHA1
b35a83d2169289df7c41abfb751998947d4ea5c1

SHA256
cb9450c1dead28f6f2c5ff2f37919ead03fe6ca26535e007f4baf7c9b159bd3c

SHA512
71c5f6bfb4ce1c19214b94bf32f724dbc7a340614bb3a1b02d2b7561acb2ebae9ac179526332d90621bf16a5d74c3636a24e4e54723c985d8c6796ed87e6035d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
a10755df76f4bc88b27c2c65aa1b554e

SHA1
f1f22b20c54dcb2e24d3d4797d3e164418151c5a

SHA256
21660e657db6efad0d96b3f53ac81345fcf67d81130410a4ebd476faeb2a6253

SHA512
41f5f5f7c00ec084a46cce5cf0c023cbea4a3df3e8be3d5a5d383b737eb86f7ff927de62baef948511325738fa962d6bef66e5a3fdbd675ebb278ce2fce189ad

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1272-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-190-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1272-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4332-147-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-156-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-27-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-189-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-131-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-224-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4332-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads