mydoom | 5851085fd7c81bbd629d3145500cbbea1d499b80a044b5f1f2a736f66d0dd69b

General

Target

Worm.Win32.Mydoom.exe
Size

41KB
MD5

b732c35773157dad9d09506d47577340
SHA1

76d64fff0f59b1bbcdba891fc4cf1dd851c462c0
SHA256

5851085fd7c81bbd629d3145500cbbea1d499b80a044b5f1f2a736f66d0dd69b
SHA512

b5600594bc4d012fa802d4e49d37da496a67c7c0193658031b65e3fdc72724fda6c86068a62f82bd063ee04fc812a9cf9cd5a550bf4cd72a761b33ce73d28940
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/6:AEwVs+0jNDY1qi/q

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2184-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2184-55-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2184-60-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1784 services.exe

pid	process
1784	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2184-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral1/memory/1784-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2184-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1784-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1784-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2184-55-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1784-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2184-60-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1784-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpC14E.tmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Worm.Win32.Mydoom.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	Worm.Win32.Mydoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

Worm.Win32.Mydoom.exe

description	ioc	process
File created	C:\Windows\services.exe	Worm.Win32.Mydoom.exe
File opened for modification	C:\Windows\java.exe	Worm.Win32.Mydoom.exe
File created	C:\Windows\java.exe	Worm.Win32.Mydoom.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Worm.Win32.Mydoom.exeservices.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Worm.Win32.Mydoom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Worm.Win32.Mydoom.exe

description	pid	process	target process
PID 2184 wrote to memory of 1784	2184	Worm.Win32.Mydoom.exe	services.exe
PID 2184 wrote to memory of 1784	2184	Worm.Win32.Mydoom.exe	services.exe
PID 2184 wrote to memory of 1784	2184	Worm.Win32.Mydoom.exe	services.exe
PID 2184 wrote to memory of 1784	2184	Worm.Win32.Mydoom.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Mydoom.exe
"C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Mydoom.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC14E.tmp

Filesize
41KB

MD5
3d16fa0507b1c88186aa4e50cadf4551

SHA1
6f0553ad4c97f445f8a6dcfd17b2d0cda2326c5d

SHA256
cc0fa6dc69a7e0107ee848f086ec1f32789586eb4f0499efc73c53a860aa0637

SHA512
b0c673418a6bbf18f10e7e8736074afa76f921c7d9ac2f35cff2c1516b289ee7991feb18ef157059acb18137442b8d685e13348edfb4b27a16ffdea0cb802763

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubu53purF.log

Filesize
160B

MD5
71b043f2e24b27de7d2365c2d329a9d4

SHA1
23e6a4875971719d1a94a8ca82a9250bc4d6487c

SHA256
66e161c9166d77576300d5d184a43211814d4d540658a4c53300a78e9805ab2c

SHA512
f18ca7195ed3968860513331e3db81c350bedfe4c1f144446d767ddf02b1b0a28c87390da5584b0a46102e05daa3eba21a27253879eb4d8fd285597729c2af8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
06883b7ea5eee2a401e146d9666e63f5

SHA1
d66d177be44d4ad723aa4ac12202b2309a87a3ee

SHA256
7b89f2e1fa6e1e9d26c5bfc666a2f2cd89466b04c6177782837e638185061def

SHA512
cecc4006f441ac44df79381c5e7237225aeca52d768198c608a332a22545a5efaaca0e091393f2ad1dc49ccf974c38767a9f92ec31cb1eafd6d21ed4384253c5

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1784-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1784-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2184-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2184-55-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2184-60-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2184-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2184-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2184-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads