mydoom | 9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805

General

Target

9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe
Size

41KB
MD5

be3341e79b2f12499de7c15ca4ec94a7
SHA1

f776f7211c191ea6e0a94f01a41009bf4e62506c
SHA256

9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805
SHA512

68bfd6a214dc0a52cbf422c59652992190046d1db5c1f79462fae12b9b72e96dbbb63f69953a0c3ed290e15426f1447ccf2d5e1dac72b9a2b749a142b9de837a
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/M:AEwVs+0jNDY1qi/qE

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 3 IoCs

resource	yara_rule
behavioral2/memory/2552-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2552-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2552-125-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
212	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2552-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000023cd5-4.dat	upx
behavioral2/memory/212-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2552-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/212-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/212-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2552-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/212-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000707-68.dat	upx
behavioral2/memory/2552-125-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/212-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe
File opened for modification	C:\Windows\java.exe	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe
File created	C:\Windows\java.exe	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 212	2552	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe	85
PID 2552 wrote to memory of 212	2552	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe	85
PID 2552 wrote to memory of 212	2552	9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe	85

C:\Users\Admin\AppData\Local\Temp\9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe
"C:\Users\Admin\AppData\Local\Temp\9b81cd810d0d5df83421566be57d8c43d50fab258c94339200e70a82f8806805.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxkn9ioex.log

Filesize
128B

MD5
f97e5e2a796d7e2e5d6cdc627ab753a3

SHA1
740bb2e12b1ba8d27c2449dd3b0302d754d87069

SHA256
172b2f429a6fcb7ed5493af5d81f2aaa8d560180e5de8a96ba4ad2f8d3c1b632

SHA512
b0b8da344db230970149f94e5e66d63dde3bec8fc39cf827fecc50a19b799c33720bbc31639a7a7c0de81b53a8013bfbd3c0da27a74ced7d1e148a8adc8c15ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7AC7.tmp

Filesize
41KB

MD5
48b81b6ef665ea17174859afeaafcf13

SHA1
f714076ae1092fe81bd34c1fa4c8413dd0c1490f

SHA256
d3db2a316a959c7a5e2925d27a204ef144636c971bf64becc72c9b8f320c1bd4

SHA512
54a6d8560c8e032f65a4795a15ec702954da355b381d2a9a6f2b0de06b6f8e5859fa1b6dc17aecbeaf4d47e4f3bbe36e76ba598bdcc21d86597477a2c1a30ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
f922b05ac830cce717c3ec64bd74db67

SHA1
24325c43f41125523ae6d33000af593fbaeca638

SHA256
3ae4c1573555cdeb15a6f5eb5033874dbc1ff7ce03a1b6780589292a33aa046c

SHA512
d159cd9ae6a56959419b7bd754634b9d2f0bf8817296e04b50635a25014f7ff0ac67eb132e46c1d07f626edbe95095fb7e5c7d3a8e2742cc4413278a513eca3f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/212-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/212-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2552-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2552-125-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2552-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2552-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads