mydoom | bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe
Size

41KB
MD5

77cf99c043ad2de7ae86d9ba31026ab3
SHA1

c358470f1271b8d5e5203e7f99404d40e3746d5a
SHA256

bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370
SHA512

9712492153500fb8a3f1f339e72cff4a08af832779c8204ee314566fa772ca3a4adf01643716da78dd9712ff50fc5da82bf5ca07dd81f78ef4657a3f238a06d5
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 9 IoCs

resource	yara_rule
behavioral2/memory/436-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-37-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-39-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-130-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-159-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-166-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-196-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-232-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/436-265-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
4888	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/436-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0009000000023c59-4.dat	upx
behavioral2/memory/4888-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4888-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4888-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4888-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4888-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4888-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-39-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0012000000023b25-50.dat	upx
behavioral2/memory/436-130-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-159-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4888-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-166-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-196-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-197-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-232-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-233-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/436-265-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4888-266-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe
File created	C:\Windows\java.exe	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe
File created	C:\Windows\services.exe	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4888	436	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe	84
PID 436 wrote to memory of 4888	436	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe	84
PID 436 wrote to memory of 4888	436	bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe	84

C:\Users\Admin\AppData\Local\Temp\bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe
"C:\Users\Admin\AppData\Local\Temp\bc2f60ae7879358993050c14a8379b1b76f47670d9eb2e6fbfe7465d0181f370.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4OVS68NE\default[6].htm

Filesize
312B

MD5
e5c2364375c0a8a786a9508a840b6299

SHA1
bec1874db0d2348274b6656d1383e262f73e2bc6

SHA256
51b67ae1066eb179562cf80a8a156bbd4b139b83072f610bf62c0b6d58ed17f3

SHA512
ee19a8fa40bc7e991ac289eb30ceec8264d6071f124e99791022961c99f25b97def4f13fa96149eb52786d1104d85d20410e65a333304c0df6ba858472a557d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9IEW0KLU\default[7].htm

Filesize
304B

MD5
cde2c6ec81201bdd39579745c69d502f

SHA1
e025748a7d4361b2803140ed0f0abda1797f5388

SHA256
a81000fc443c3c99e0e653cca135e16747e63bccebd5052ed64d7ae6f63f227f

SHA512
de5ca6169b2bb42a452ebd2f92c23bad3a98c01845a875336d6affe7f0192c2782b1f66f149019c0b880410c836fc45b2e9157dcccc7ad0d9e5953521a2151d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L6PPXFHA\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\default[2].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB8ED.tmp

Filesize
41KB

MD5
a6090bdce263fdb41c352b7c6e0804df

SHA1
a9048baeb6f831eab5db5a9836134c44d8c9ac0a

SHA256
f94a4dcf1cac624f7d424f748fbdac5d2ac83eeae8372c4532af7639cd3b115e

SHA512
589898f9095ccd25cf49f770a155788bf3b27a5aa4e34f61f001182b30b7726618903ef41a5b2d9ff3299dc0d373b3af0ab55b0ae25e22907b433da75805a1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
a55d2e8fec2eed79fbb33d09d6662405

SHA1
56f32857d488e8d84109f1852a580bdb98693e2a

SHA256
59fc9570255b2a61ed324aaabfe9bad57bc5c96a642a674c6cdb9ae1dd913993

SHA512
f9e95723748cea6398b0b6d9c32d52770b2d0d6a7c37ab4450cc90125c981838a9c0c8c729db3124478516e72b48ae8d2b5652a2e148868cdf0a6526ecaf8b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
b3b6902aedd725960a184d713b59ef28

SHA1
3db8d0c524719fd4c377a909a61b754652585108

SHA256
53d749d99b76b370e5353230ba3a89767f3ffb22a496b02be5702e0f33d44807

SHA512
67b4b4ff90cb9b0801e7f955f668378eff807fe59cfb75acc70a3e54603e2d0a472bb318593585b9502f4d2fbf4d38c06ef554af9cd5f17f352df19e2eaa4678

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
708438a703c8aa23e54ec25df261c189

SHA1
6fc673fadb13b9bbd5c1e1aa4d91975175f08f40

SHA256
6d129d6220598ceecca13d6ab7bd463ea1adb127d58f290011890a902a9cf50f

SHA512
fcb0880fc44ab05354e979d773ca8fb086695f75f54a4bda6b2ddc3980c67e23cf347e15acbf74cfdcd0b5c7ade706391082cd07fef10ac0d5f958e4bc21e964

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/436-196-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-159-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-39-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-265-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-232-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-166-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-130-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/436-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4888-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-233-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-266-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4888-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads