mydoom | 196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a

General

Target

196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe
Size

29KB
MD5

b710cd372572d425910925b677e93830
SHA1

451a3a16448547f360463eb2b8c3117f3aaae289
SHA256

196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a
SHA512

6c56cd5b5771c38d523e042598a197ac46231cd041a006d773d5922b2a6d653b34f7129c459761917209e0aed334304e1f8d3cb047b3a20d1f2fd3dba9a65126
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/J:AEwVs+0jNDY1qi/qR

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 9 IoCs

resource	yara_rule
behavioral1/memory/2856-2-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-36-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-61-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-63-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-67-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-72-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-74-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2856-79-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2988	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2856-2-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2856-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x001000000001866e-9.dat	upx
behavioral1/memory/2988-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2856-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2988-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2988-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2988-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2988-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2856-36-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000013d08-50.dat	upx
behavioral1/memory/2856-61-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2856-63-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2856-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2856-72-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2856-74-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2856-79-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2988-80-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe
File opened for modification	C:\Windows\java.exe	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe
File created	C:\Windows\java.exe	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2988	2856	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe	31
PID 2856 wrote to memory of 2988	2856	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe	31
PID 2856 wrote to memory of 2988	2856	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe	31
PID 2856 wrote to memory of 2988	2856	196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe	31

C:\Users\Admin\AppData\Local\Temp\196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe
"C:\Users\Admin\AppData\Local\Temp\196d2a5bda6d1197b3ba0fec8b282bb495f87a83c20d1bc8341ffe51a02df34a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\blTauEkyb.log

Filesize
320B

MD5
940bc5a59e0235761cee52f289c75043

SHA1
b3f58610c3d719b9f527d644de4d064c452450c8

SHA256
7386a3a5be75e5e325178a85343466b169cc4350afde9aed7fd11beb954ab66f

SHA512
5f0a9952671d7f05106c72b689edec4854deaee69a4b76c43352b028eeb62c7fde91f4e283407ca4d4bd1205f45f221d58d5859b027a9301488a9e33aacf8f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58EB.tmp

Filesize
29KB

MD5
646a0603633ca671c5de77e5f04a23f8

SHA1
fb2fbc3a4ca37e4c2cb971a9a671fe1b49cd9d92

SHA256
921baa259978a50381159d24449558447367868809675fabdc39666c9725e1c1

SHA512
29ed3fb4105ba4c2176537668cd42d81081f5ad542c975dd398b15e5550e9a9a303a0352dcf7f493e979949eb388691f521a8e5bd4db03eb92bf67ff97a2d051

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
b52dc8c9b9826e27034b10a591ff55ab

SHA1
ee1f95c1d600011c77d50fd09c4e51b1b82139b1

SHA256
16c4c2733d9cf426e5b47d1d7ac04726dd83e1caa534422efb4ed89c3848d945

SHA512
5ad06b67888adfa8c13b04c3281ed2bb4a1cb0e1d73420be118f1dcad9d4b46cdc7988c5eae6f0deff8419829e5c312511d2dd8c6e881c747255eae3ea1a55e2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2856-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-2-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-79-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-74-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-72-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2856-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2856-36-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-63-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2856-61-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2988-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads