Malware Analysis Report

2025-03-15 00:39

Sample ID 240930-2ngeassfla
Target 6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N
SHA256 6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003
Tags
upx mydoom discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003

Threat Level: Known bad

The file 6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N was found to be: Known bad.

Malicious Activity Summary

upx mydoom discovery persistence worm

Detects MyDoom family

MyDoom

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-30 22:43

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-30 22:43

Reported

2024-09-30 22:45

Platform

win7-20240903-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe

"C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.156.133.4:1034 tcp
N/A 10.213.60.59:1034 tcp
N/A 10.128.8.216:1034 tcp
N/A 10.0.0.36:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.9.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.0.255:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 172.16.1.136:1034 tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp

Files

memory/2408-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-4-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2540-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2408-16-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2540-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2540-20-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2540-25-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2540-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2540-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2540-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-41-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2540-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-43-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 140f77434302c1e1791284244bc5ae37
SHA1 08bab20c6c0404122284a22cac6833f217a524c0
SHA256 edf327c7bca98f1399425bcf7ee34cc896f6e2dbdbd8bcde8a9ad54230afea52
SHA512 eb7b8161eb462270425b58001808cae2dfa693ca522ad604f3df474c4e8c52dc4658011c7b7be49e017ddc856ba5ee85c0b41828511a0694f81bde5402655a1b

C:\Users\Admin\AppData\Local\Temp\tmpE12D.tmp

MD5 d01714e664f1bc26feed3d0f68bfb64e
SHA1 5e464c4dc0e2f4922a9029a9ac65d7b80528a525
SHA256 120da9c76581e6df33c7d5c2b6c41d601e5e0dcb467c87bb5cb38dabfe145f65
SHA512 13ad05e6c0fe8c9450352bcf38e7aab5bfa3511230c95b387a135468a3631e48fe1b700785e55779e3dd24a61f15223bbcd68d6ea6eff14098ed9e41a603dc5b

memory/2540-61-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-64-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2540-65-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-69-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2540-70-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-71-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2540-72-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2540-77-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-76-0x0000000000500000-0x0000000000510200-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-30 22:43

Reported

2024-09-30 22:45

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe

"C:\Users\Admin\AppData\Local\Temp\6e209d36dfa12bdc9c06a688a42220f84d88ad172e57ac911f31ef630bc70003N.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.156.133.4:1034 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 10.213.60.59:1034 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 10.128.8.216:1034 tcp
N/A 10.0.0.36:1034 tcp
US 52.111.227.13:443 tcp
N/A 192.168.0.255:1034 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
N/A 172.16.1.136:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.26:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 udp
SE 192.229.221.95:80 tcp
N/A 209.202.254.10:80 tcp
IE 212.82.100.137:80 tcp
US 8.8.8.8:53 udp
N/A 209.202.254.10:443 tcp
IE 212.82.100.137:443 tcp
IE 212.82.100.137:80 tcp

Files

memory/4060-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/3024-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4060-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3024-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-50-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-52-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4060-56-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3024-57-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 22c5ed66afec64fc6b955d29b8c6b404
SHA1 5aa4c27a1e00178117d0335b900c9d738ded94d3
SHA256 ae1c51e840ae5b26ca5aedcf3d6fe12caea02af901dd4fe424ab9548cbe55088
SHA512 623327a3384ee0236a9b8de8aa8420a5f5c25981992a2346069411fe8e45628a1240425239603748bcc8f52549b857bb89117794ed396354c6a2e940c2c0e7ac

C:\Users\Admin\AppData\Local\Temp\tmp70C3.tmp

MD5 6bdf42803f6d9cc6c23896817a9771c0
SHA1 4f262024577c63d91003f21db0420b3871a0c3d5
SHA256 b1122a77575a28ec66b7ac9e33fe6f07bdd3dd0d57a30c44411d24a62c0a13b0
SHA512 4519347d834934e66b23a1cc90a22de381481ca0b08b51bcf7aec38cdfda7c40fdf0f4d872774308688753c18156a7ec115071f8393e6a1893b645e63609d3cc

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 90d1e75a58a5568d3040cfd8a9d1fd66
SHA1 4e1671a313cdcc673efc5ae3ec6d4e43a3763682
SHA256 82f0b30ce7527e03928bf967211f81932012b47f38b037211f987238583f7ac7
SHA512 9337a67ae2a9ce875256d2ecf955a1ef10f13ab4505a4959e153fe4ebecb4f91fdd11d150fda7c0d79e72958c7bac9361bd72208881a1b3f53d4ccd7d0743461