mydoom | 1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463

General

Target

1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe
Size

41KB
MD5

bbf5fb316b5452f04a6242173d9cc632
SHA1

6893af4b4eaa04b9fae2633e43db5e4a29a73c0d
SHA256

1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463
SHA512

2e06c1613061bd0c47f84f6737b3fbdf79f380dd8047bef413039042091d2bcba86c60ed8015934ec510ec2d7a5baa04ea78fd579c1b4ab0a0ce8e4bab54b0e8
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral1/memory/264-0-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/264-15-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/264-54-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/264-59-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/264-80-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/264-82-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/264-87-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1880	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/264-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/264-3-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016d9f-7.dat	upx
behavioral1/memory/264-15-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1880-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1880-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/264-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1880-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/264-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-70.dat	upx
behavioral1/memory/1880-81-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/264-80-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1880-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/264-82-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/264-87-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1880-88-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe
File opened for modification	C:\Windows\java.exe	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe
File created	C:\Windows\java.exe	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 1880	264	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe	31
PID 264 wrote to memory of 1880	264	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe	31
PID 264 wrote to memory of 1880	264	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe	31
PID 264 wrote to memory of 1880	264	1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe	31

C:\Users\Admin\AppData\Local\Temp\1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe
"C:\Users\Admin\AppData\Local\Temp\1dac243d12d98b484f079da73454d31ae5e14c121e7c8a0d7abd8d699a37a463.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8BED.tmp

Filesize
41KB

MD5
16e535011c95b43edd5691da0dbe2517

SHA1
1239588eedf116b76c1e98dc0eefdd7104306ede

SHA256
a94f0aecadbc83b7ffede96fde90365653bf067f6a1186f7a57d7b9aad5a6ddb

SHA512
dd8d854c90934d187d0125e7ac0eac4639b78a0ee871eaca3e5a9c851ebf24b484c98c812a4cb19df88d560d41bff2a8684bb3e55c69d6c48962773f54af2390

Download Submit
C:\Users\Admin\AppData\Local\Temp\w4ihiaNhc.log

Filesize
128B

MD5
2ee96d48f7c9bb4f48d462c666dd4420

SHA1
f7b4df3cbae1019abb443d5718905b7bed2edb23

SHA256
c07e79fff02dedc3366ef2a3a6a8f5a9e8deab8eade264cd22c3e2e9e2a89fba

SHA512
86e9e5ca610e18c01ed42f3870ad89c64ca696685e41059b04c041a0271159e2b40e0a341612a56921b5bda221d3803c74891b960f1f64e952816aff0ef226bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
60967a29ab977d26d4d590be6e066df6

SHA1
b88f8e1009de9a2f86401a88cc949ee1dff3baae

SHA256
1f83914823d9a3a9756146f20cd7a239d276c88de7e92a82e145be7f5181d7d2

SHA512
1ed8cee10eaa3e6c6d42f203d991a67f1107c93fc05d9bc70ea24ea881b533d3b5fe92fe6f8bb7da130cbf9ad0ee5ca63a4615c48933354fd2942b280146ce0f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/264-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/264-87-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/264-82-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/264-80-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/264-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/264-15-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/264-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/264-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/264-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1880-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads