mydoom | 3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cb

General

Target

3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe
Size

29KB
MD5

69c4a6d592cc6eb681d53f79888b1a60
SHA1

9860e530655e014a7312c21ea49db1f044e53af0
SHA256

3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cb
SHA512

3a7e3e1ed26bb5373e5bf227bfd7b96140766c7397660aa00161d873439d5e57753e4b21c8deed6c1cb6e910c2b074e3385fd4a9701d21193ee94d195ee4591a
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9//:AEwVs+0jNDY1qi/q3

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral1/memory/1736-2-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1736-8-0x0000000000400000-0x0000000000408000-memory.dmp	family_mydoom
behavioral1/memory/1736-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1736-33-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1736-53-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1736-55-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1736-60-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1736-67-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
2284	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-2-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1736-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016399-7.dat	upx
behavioral1/memory/2284-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1736-8-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1736-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1736-33-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-44.dat	upx
behavioral1/memory/1736-53-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1736-55-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1736-60-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1736-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe
File opened for modification	C:\Windows\java.exe	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe
File created	C:\Windows\java.exe	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2284	1736	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe	30
PID 1736 wrote to memory of 2284	1736	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe	30
PID 1736 wrote to memory of 2284	1736	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe	30
PID 1736 wrote to memory of 2284	1736	3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe	30

C:\Users\Admin\AppData\Local\Temp\3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe
"C:\Users\Admin\AppData\Local\Temp\3d4d6f6c6f51d45c01d2c489dcc597b72b4c298ad7006efa422dd486def3b1cbN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp96A4.tmp

Filesize
29KB

MD5
ff61d4a835fcf5592f1edd35f971858e

SHA1
8cc06541eadcd266b989803704b6dbd0ce7a854b

SHA256
7e0b59f3bc11287ddeab376fc8b94047e72f0254db985687e1b336633b2c9ab4

SHA512
17bc827bdb16be3c91a493c49cc8f45d724f45521b10a217ac0aee04952045c678447cc053a3e939cb470f0801509312d2570d9c4f43fca659181aebc680ae78

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
96f1a82a5c3992b4f05238b9c248811c

SHA1
0ea5b9c54021a5e5e9d9bd6d8ed99b3866b06976

SHA256
033b66ec38fd58277f8e1f1ede13c8a454745457d2420b737fd0782fb763b3a3

SHA512
cb8bca9db8cae3930cab015ce911fb2245364cf1c96159ad46e43914c72b20136ba026aaf237c598e64cf3142acff07c2bd9dc34dd63ec1ab2a82597a1fafc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\znhyupf.log

Filesize
320B

MD5
dbbef91a29808abd8f3eb7a1bccdc1ea

SHA1
13e4b027b726ddc3f238d4ec18731208b327fecd

SHA256
181034a9ddc5f289f9a0524a7277915952e8df5fdac157da86f5ad79879a3976

SHA512
0a05c943548b811329b4d166f21d94d67fadc743c814f8bf7771fb4e1115dd00536cda32da71a0ad96596341e9a0f42fe4b3e34ddc423ae4f5671bbbf4a6e6ac

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1736-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1736-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1736-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1736-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1736-60-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1736-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1736-55-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1736-53-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1736-33-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1736-2-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1736-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads