mydoom | 33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe
Size

41KB
MD5

3958c654681bc15226b233af1ec20a60
SHA1

41cc69766a755fbd001bf27e07bd1a05b1f95eed
SHA256

33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4c
SHA512

114bf620031d33705fd093e7478a0842dfe08809ae49f53d9b76ec1a8770be74b05e615dcd8cc4ffb18afbbf34cd4b1bf139ec89f5b62ff4d815bdf647308ea0
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

mydoom microsoft discovery persistence phishing product:outlook upx worm

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Detects MyDoom family 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4180-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4180-44-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4180-164-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4180-197-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4180-201-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4180-206-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4180-229-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4180-271-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4808 services.exe

pid	process
4808	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/4180-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4808-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4808-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4808-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4808-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4808-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4808-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4808-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4180-44-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp2C87.tmp	upx
behavioral2/memory/4180-164-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4180-197-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-198-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4180-201-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-202-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4180-206-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-207-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4180-229-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-230-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4180-271-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4808-272-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe

description	ioc	process
File created	C:\Windows\services.exe	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe
File opened for modification	C:\Windows\java.exe	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe
File created	C:\Windows\java.exe	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exeservices.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe

description	pid	process	target process
PID 4180 wrote to memory of 4808	4180	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe	services.exe
PID 4180 wrote to memory of 4808	4180	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe	services.exe
PID 4180 wrote to memory of 4808	4180	33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe
"C:\Users\Admin\AppData\Local\Temp\33b4d31652d545163b01b3b4d594a54c6d648c5e55b7ffca8a2164bc84582a4cN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\6C0MPH4E.htm

Filesize
153KB

MD5
f3a258908f9c723535083537c2233c72

SHA1
9598f976e1c9e74bd407be1edbb412ad462d4d61

SHA256
96cf980425cff1ba5f574f3aba2a63a35eba53d4d5a5fec029f0765dca148ee3

SHA512
eeab68d6aa3f2553eae805277d7c062210fdafcef777753183b66f202fee003b668d87422948ad541e80dc8f3b4383855709c1e8c478d87c2d968e2d655014fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\search[2].htm

Filesize
129KB

MD5
a7ee1709bbdf9df0b29ec4ba2b515b86

SHA1
9d9bc17519d58ed09cf116b70a134e2ce82b5ae9

SHA256
c333acf77508c604a8caf2851d9bcf525f2bcce260d6418999479e57c791d9bf

SHA512
1b062ac197a3fd51bec2728e3e59a24631416c5e7e0238e81ada6f9131f535a408a92a72f290fe2abb7f97e1b819dd820e89393a49d88863228df3f1d322fbdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9PMCFZKU\search[4].htm

Filesize
139KB

MD5
1e2c6a7d105a29b6e94326a8bf8e24f3

SHA1
c3e118c983078570e49727d8ee1e02cb5fdb4476

SHA256
5907e57342cb1d5904016669e39750af0896bd793ca7c5d0877a73bffe7fee4b

SHA512
f2da3785eb6d143161fac2bc24ae055fc11883b2a7c8ed0d1d979a2219e5353b7ebbcb877ad56ca9065f7782df717212f6689063dd15f5f0bf6feea79dc0e0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\search[1].htm

Filesize
124KB

MD5
dd5bf3bb82dc7b7a299eeab974ecf943

SHA1
259967bf8008dc2662e326fe1182b60b3fbec993

SHA256
d50544ab24f1a0f5ed13643e06a7297f4292cd7720f900670e22d5ffde716b5f

SHA512
8b1fc2576c7adfe96fc1436aa828fbf07f7b67c986e6f6a2ee358e6eb5e21610c38a59ea06abde961c113bd380b911f454686841547a6fdc9de6f567f19a5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C87.tmp

Filesize
41KB

MD5
252605aee4350b4b4cc43f8fd07d6d93

SHA1
3611ce37e0e05feeba4f60791b677aec736ff5d8

SHA256
df41d6596a6d2e6da67e6158315a87fbece9c8164644de8d2a5391a842a1e7f1

SHA512
048532dd9a1ebf0d0311ab71fee9c169a89b4ad0a5735d2ceb51364192c0ae8091fe2d80b760fc8b05a3d7be3892f79c9501fe6d292871f9dcb07cee1e2fc7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
f032437db786542c6984c29df3c92b2b

SHA1
2499ed1fc7cf271e5eb5a442ab3f959b4820cc8f

SHA256
f2eea48e0a46e6c67eb72851abaa2efd1887002471f591bde3db1acbaf1e7f84

SHA512
4f4ae1e77a4e2ed90ecb15618e04ca1aacc116779de97fdfb765701a2884f4de0401dec2bededa0edefd1c8a9ca8428a2daa2f7b9edf112fe5b2d7896cb4dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
605649ee406443318792b1d37733ce56

SHA1
22e20c3482e2e6bf0805f6376d0916147fa1c0c8

SHA256
b3cd8957a1b76aea113fd5cd764c50d42f38b68392aa51df9ea3a2a3f9882709

SHA512
f9cfc3cf6ceeefab78eb84d0dfc3a4314b7a85ed87b78d430157b20ad17e7a51029e79f8c0d98d103304a4dbfeeded635cc77b9b32c5c7d31baa301f3f4b4e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
728c3a104d9d426d64a7e9f647a99342

SHA1
f7d0525715a9370cd76adb627a0308ff1ad4a627

SHA256
108e16e98afea92661c75bcf960117b9d447a966f0975b5fd864bd333f8fbedf

SHA512
ea2505b3548d720367fc9bbce9ae574f27660c5c996bfe00670fc1977377950b799847790b8a28fc311a7d73f9057eb1ff8cd41831e802383151b0f1a87567fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4180-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-201-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-197-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-164-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-44-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-206-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-229-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4180-271-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4808-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-198-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-272-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download