mydoom | 0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576c

General

Target

0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe
Size

29KB
MD5

2caef13e6e68b906e543e61bfebb5ae0
SHA1

8904ccde7e38ec1bbe89a703d57d71eb94dba114
SHA256

0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576c
SHA512

2b2b4a223751ec0150ab4004329fa6137a03b20da303659e511d99ee44d9396d9856b632b51ae4846fbd5f50969ac95cfc75d9003d7629d9de215c6aa6570024
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/vq:AEwVs+0jNDY1qi/qHq

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/1356-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1356-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1356-106-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1356-157-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1356-161-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1356-166-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1356-179-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1356-216-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
3876	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1356-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023c86-7.dat	upx
behavioral2/memory/3876-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1356-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3876-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3876-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3876-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3876-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3876-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1356-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3876-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0010000000023b29-38.dat	upx
behavioral2/memory/1356-106-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3876-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1356-157-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3876-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1356-161-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3876-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1356-166-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3876-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3876-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1356-179-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1356-216-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3876-221-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe
File opened for modification	C:\Windows\java.exe	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe
File created	C:\Windows\java.exe	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3876	1356	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe	84
PID 1356 wrote to memory of 3876	1356	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe	84
PID 1356 wrote to memory of 3876	1356	0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe	84

C:\Users\Admin\AppData\Local\Temp\0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe
"C:\Users\Admin\AppData\Local\Temp\0e79144c2cc6e35bbd49d47674aecdd03377af5df3b0c463822b6c11c0f3576cN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\default[3].htm

Filesize
313B

MD5
ffb72ab4faba49ad441ce07db37dd8b6

SHA1
194e13c1c32ebb6e7a1dc912261cbd58a82ff71e

SHA256
7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660

SHA512
517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcwaEvxwxU.log

Filesize
256B

MD5
3fb0339a0f7ba9b5cc2a542a37a52a93

SHA1
9cf37907384a4248019632128aa893e1fb4472bd

SHA256
50b8b8df257f50526db65fb6077e4980b6f59871a789a612630bc18d9c781b99

SHA512
38b28b39f99422525bdc5cd4e2d7b2b82e6daaf462e7211a8e2bd6cd51970d32c48cd493d3f83227ae0c802f8e716a8d21ca83e16bce4324415629cdf6f81795

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DAB.tmp

Filesize
29KB

MD5
dc0216c1f03087254c641a98038dbf77

SHA1
fbcc7e4fbacce49ab247d9aba72d66d1b47e0999

SHA256
2e7464f50c74feb43bf68e8d36c5655cb138a9cbef6cba14d3bc66b7e3cf746f

SHA512
1ca35d7852ccc955ac1dfd180b2c717af18293f852af71ed12fda72b518da2c03d7f1ee3eb378474612de80228c707c9706ea7f3fc227076c76813bd3923020d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
2414410e9ae1b7c0eb4d1a676fa2c824

SHA1
01c9f80d15e30a8df78f46751ea8a1bef64aa4d4

SHA256
31d30272df2246738ae1e2aa26cb1c6b1a4c82907ab70d0390f66aac86e6ecfe

SHA512
ca82411dbdcc09ba763698402abd0e82c992a57c2d958b13573bf6dfb2d9821a262ba916da36034a08778125e7313e31ffa06b7cc226e53ed8ae9845fb489839

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
522460ea58aebdbfc76ccc1944ce0472

SHA1
abbe41fcc4d05f8edf48d6e4afc87dac6ba3ffdf

SHA256
a89601316bba0482c45ea52814d2ad543cfef2553988f7729bd5fefcf24325e9

SHA512
a93dfa67c9f96833f69cb7304854cef0dbb979194ed88d145688b73f2c849103c9c3121c38032396ee455eee54bcf8a54d4b105c0074228e09ff7bc6363b54c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
d836236924ecbde367489cc2e42457f3

SHA1
7b889f245afca44a25e7742925a4cf4dfec48dd2

SHA256
1398c5360db43c7e7bf9ae7fe7aaaf40a9dbcd33d4d461219ffb979158f59748

SHA512
48e04093a49215b75a6a408856023d18c149c5bd01f4b74860e46519900814909f8576d390b6d2aaeddc88002ac50c4ea9a6775c16d4a1a2d35274d3d53ad0f5

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1356-161-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-216-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-179-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-166-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-106-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1356-157-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3876-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-221-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3876-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads