mydoom | 555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317

General

Target

555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe
Size

29KB
MD5

1902b6831fa3d25fd6aea69de3dea079
SHA1

5a28be8a28bb2de4c2cf0f16fe9b0875f8ecaf19
SHA256

555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317
SHA512

45931203dab276746b98fa1264f847f64867229677a291dc3b755eb79270db7e267047d7604f28e984e395fe6dcc67d5f4d3d5cdda85c606fa21253a4da8b346
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/s:AEwVs+0jNDY1qi/qU

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral1/memory/2348-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2348-52-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2348-54-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2348-75-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2348-80-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2348-82-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2348-87-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1952	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2348-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000018d68-7.dat	upx
behavioral1/memory/1952-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2348-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2348-52-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2348-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-65.dat	upx
behavioral1/memory/1952-76-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2348-75-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-81-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2348-80-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2348-82-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-88-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2348-87-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe
File opened for modification	C:\Windows\java.exe	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe
File created	C:\Windows\java.exe	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1952	2348	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe	30
PID 2348 wrote to memory of 1952	2348	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe	30
PID 2348 wrote to memory of 1952	2348	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe	30
PID 2348 wrote to memory of 1952	2348	555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe	30

C:\Users\Admin\AppData\Local\Temp\555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe
"C:\Users\Admin\AppData\Local\Temp\555244561a438c4f14388d873e81c4ac0948ad100cb80d354267e50eee8f3317.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp

Filesize
29KB

MD5
d02df24b91afbf6c543e3fa47b546c14

SHA1
99581f19582a694349becf893f7038d92d8b44c2

SHA256
cd40a1ce5ca64d9895071275afb89d9d4fddea4a049a019405c45add359ab95b

SHA512
50ea51e5194729372f79b8b227980e2ed4ac79424045e4e78b2cc5ab7f88969581d9fbf5fa8f784e0a0fbc6372755982f04f949538bd97b7606b06f227ca65e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
362B

MD5
5e8e848aa0385943c85c270964cbe158

SHA1
66e11beb41cd945f28e3c4d5241d74f0c35793f2

SHA256
64b5f7f5e1037a82cffcc7793c4dc5940668a51bbb8f584b2e3c452e1c0c5303

SHA512
8dcafd98b25faf60c221807b8805b296eef9fbfed90882074fcdf59ef5074bd001204a4b9c314d6ab09a096b62e791492d6d7d76104d38d9769a20d2e768bb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
dcbef9fbb59439e4f0b099d021490548

SHA1
0a96b07f06737ecd5c4bfd45fbb6c9e59b9c7ed6

SHA256
33796c1bf8179e56bd976b584e5389c37646f149dee5312b1c35b1d1c7e49ba7

SHA512
fecaeb4b9d28f1d1fa505af6a20cad4c08c9dfdf38cbe74a796840c549d9f3f1726f6f025f9fcd7ee05aa7302c15b38f9936a49bb1ae22d0f25156d596a3ac6f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1952-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2348-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2348-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2348-75-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2348-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2348-80-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2348-52-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2348-82-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2348-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2348-87-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads