mydoom | 3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe
Size

41KB
MD5

2ddf287d9eecdb898d72459d09431eef
SHA1

0fbec495b6d5ca591d6c2bd8ff07c85b05b7ad11
SHA256

3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2
SHA512

ac46f9e488ec46d7bd43ea59dfb5046a92fe6dba66f43637e67021022f2533fbd3c93d1c63f04cf45d1b9473258a255cbb1e5bb33c81cf16842012002352dc3d
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4588-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-118-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-154-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-158-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-163-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-180-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-221-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-258-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-291-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-332-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

984 services.exe

pid	process
984	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4588-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/984-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/984-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/984-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/984-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/984-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpD715.tmp	upx
behavioral2/memory/4588-118-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-119-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-154-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-158-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-163-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-180-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-221-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-222-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-258-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-259-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-291-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-292-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-332-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/984-333-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe

description	ioc	process
File created	C:\Windows\services.exe	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe
File opened for modification	C:\Windows\java.exe	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe
File created	C:\Windows\java.exe	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exeservices.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe

description	pid	process	target process
PID 4588 wrote to memory of 984	4588	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe	services.exe
PID 4588 wrote to memory of 984	4588	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe	services.exe
PID 4588 wrote to memory of 984	4588	3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe
"C:\Users\Admin\AppData\Local\Temp\3a7020cebdde3b99e020f064c8bac7618e6100a3a0dcb8d6ebd736e785456bc2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\default[2].htm

Filesize
304B

MD5
267ddfdbb8d492b25de208d84b290f1c

SHA1
9f57d9f19f25549e1232489a0c101a92e851de2f

SHA256
ef1f87447ae1ab45548d2934cf0dbd15a32b86359ff9fccfa48d76c1badf6586

SHA512
0709aa62d39d419d335183235dcf328e1dfe6997bd9bfbdeb01bb050df8dcab63ec2d4f46e4718ab389fa8e12af66dec2e3019c8871ac6e40927a25cb706c6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\default[3].htm

Filesize
304B

MD5
68b8c190a6eab85ea8f4835df8de79c5

SHA1
43832bc2b2457c1431ecbb203f471a21c93ab69d

SHA256
834c833dc3ad979c81ed54b4655d98f59bc679682a6738a3490355ccec21f7e9

SHA512
98bf33e57e5b94a70843489837de4773ae6c709b1e6b77c27280af04c30c33918c7a513c05c17e60e868d13cf8394dc26ea04b000c812d9601edd990b7ea5cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\default[6].htm

Filesize
313B

MD5
ffb72ab4faba49ad441ce07db37dd8b6

SHA1
194e13c1c32ebb6e7a1dc912261cbd58a82ff71e

SHA256
7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660

SHA512
517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H4VCA4X1\default[4].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W9QJOIKH\default[3].htm

Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W9QJOIKH\default[8].htm

Filesize
312B

MD5
5431b34b55fc2e8dfe8e2e977e26e6b5

SHA1
87cf8feeb854e523871271b6f5634576de3e7c40

SHA256
3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432

SHA512
6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W9QJOIKH\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciwwh.log

Filesize
128B

MD5
88392b5f19f45c32d92ea65283ef66d2

SHA1
2f0366bb14852fdbe6aa0aa7bfb5e6b8fc9f016f

SHA256
2275e1e962066215a4cf88adf6874ed3cef715921b8386ac638ebc059b7938e7

SHA512
24171633aa4187d8dbb49baea47e4af6de25ff5949e842411e22a2de7b304e6c94b00c7688fdcbad0072821b652a4528cb7c0ef14d61d8af26ad56ff6fb1fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD715.tmp

Filesize
41KB

MD5
77ad45e4d65fc8b4953d845f5abf388c

SHA1
c0757a96d862d0bebe0c81972fbcc6fa8c3145b3

SHA256
0dd27cb12abc36e913d92d42f4fe3460ae27590f7476e94fa4191b99d304548e

SHA512
efc1f73b2ef54280db716d15abab003b698f66447d684d0f05ec00862d9980067d47d83b0a0e238499a972824fedf43795e697123fb1a98e1adcde1d5e99cad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
67b681f8735692ee61c7c6d112497d05

SHA1
196ff25e7d1c704436b6ab87cf01f9447b28bc0b

SHA256
879e0f56649653f2fb151f56bbbcbd299f28618de8f4cbcdb331db4e1d038ee5

SHA512
29dfaee26ec9af3d04f6bf2e205257312f8e9237b00bf7a71b9964047087fdd25a321a8196248c74ecb39bd89ab3b9252e668d88fa73d4603431af4e2192020a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
b25844d627a8ae255fe935e0e00ec375

SHA1
7229979ad42dfdbfb99c376a797cddd207938ec1

SHA256
5334ce49e23e415b65857b77af26b0f412c1bd6395e94136b272c20f3741957f

SHA512
9adc2edf12b2b1b1180be6f4c9a58799bd593e2d203b1e697fd742f94d4d5239e9d97abd5d124a4764dbebd108165b9b26c16a925fd8b54deff043d4fe49d097

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
a002a55f3a0616955f691f16d661e76e

SHA1
c2102ddfa5ff31bf61600c3247033d2c3b6934ee

SHA256
0a5c94a9ecaeea5162dd72ddb14883cd9ddf4d5bb9efb3a31e404cafbb8605f5

SHA512
9917b4e07e6c1d9f416cb63c7e523e267e79c6f77909f1d8d76db15dbab49a6a217d5bcd5b9522df93affa2e85109ae372a6bf0375888c52e95a17876812ff73

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/984-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-333-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-292-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-259-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/984-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-221-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-258-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-180-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-291-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-163-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-158-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-154-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-118-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-332-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download