mydoom | 89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fb

General

Target

89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe
Size

29KB
MD5

909ac856bbc41652f275866f8f7e8250
SHA1

e99837dbc7151db68bec9f9beeb0c0214df4dc5c
SHA256

89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fb
SHA512

b2b7593dd631ff2a6a2fea16a170e4f83a152288e4554f53e04e5c0a6ee5c7284fb743ff2c896a5bcb3f0ec0456ea88680982ae523ba569fee7d65e3ae109046
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/xhr:AEwVs+0jNDY1qi/qpJ

Score

10^/10

mydoom microsoft discovery persistence phishing product:outlook upx worm

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Detects MyDoom family 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2112-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2112-37-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2112-39-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2112-154-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2112-184-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2112-191-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4880 services.exe

pid	process
4880	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/4880-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2112-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4880-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2112-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4880-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2112-39-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4880-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpD109.tmp	upx
behavioral2/memory/2112-154-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4880-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2112-184-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4880-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2112-191-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4880-192-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe

description	ioc	process
File created	C:\Windows\services.exe	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe
File opened for modification	C:\Windows\java.exe	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe
File created	C:\Windows\java.exe	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exeservices.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe

description	pid	process	target process
PID 2112 wrote to memory of 4880	2112	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe	services.exe
PID 2112 wrote to memory of 4880	2112	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe	services.exe
PID 2112 wrote to memory of 4880	2112	89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe
"C:\Users\Admin\AppData\Local\Temp\89881fe00d02a007b29bdd17dceef3acec99879744e492f5a43149a1b1daf5fbN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB8IB6GH\0QM30EDQ.htm

Filesize
153KB

MD5
ee74d47d1b98b1d6f010111874c353b0

SHA1
491e85988cf7f25fab479d44df149c3b3af41c14

SHA256
479af99e6c93a5d700158f1897f68e35bf5aa0d41013302530b7469adc23b944

SHA512
4b0eee2c139810fa8a64a8d3dd5b0651fd1090657f7e080de37907b15413922042393609c9de4c1b1498f32e25097901564101de9ed18cb6d6f9d99d623274bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD109.tmp

Filesize
29KB

MD5
1258c017a7bd633eff69bd13a8233d04

SHA1
3fb71f14d418d7ae3f05b0469886f37dd965fe7e

SHA256
652f6bb1d3cefd4d89dfd5348071f2f615217beba0cedab3e2cbcf191071b1ad

SHA512
9872eaa7d60e74331a6b21ef96c17d5e81342f847e753751989c2e7c2e9dc60ebf27717f8745b115d328ef074a7c7a49e016aeccb00adb6bcea2b15ac75fd051

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
4687abf6a0ea46d4f23a742aacdca6bc

SHA1
044f21293bfbaef4cccd84f487b31a2fd0eb8d52

SHA256
9610302af068b0f6e3ec821bc9945fb458938de5594b583e320cf8d70e41c9a8

SHA512
e9af496cbb74f36c853beb9d48f0bc3afdf01217bc0ed37a8e3abdc116e8b73f66b4b6cd8735bea277e1ece7ce5a511829a9c7d20b24586352a5154af414a791

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
d913dc06e3aef6a1a1c3daa24d54e8f6

SHA1
6c6936da92e56c298532468b4466b09258c6631e

SHA256
85e67fdbd4cfec81dd49db4dde46b682ae2ac02bbc8b107a3b8489c2db2304cf

SHA512
289fe5e51663794b319db692f35c90d9b7c34b44f83ef4febe2d63360240cb48938088d6fc67d3f5fb2caa51075639dc2294a852eb867f8bfe878fbeec1049f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
1a0095bc125a4fe38d946050789ce3cd

SHA1
b0b5e9eca31b703da2c31ab5e3f5922ba4ab4cf4

SHA256
861a182e48936bee9920e5fbd34b51a903ee1a8a34d277f8ebb34912137a5455

SHA512
75d98aa100f07396605b35991f0cbf066b1e1cfcafefa3eb3daba0d0e36354f37d8808973a24baff67fe81a12ce3947e5bac8268ab7307780a26523a6b98c230

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2112-184-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2112-154-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2112-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2112-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2112-191-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2112-39-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2112-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4880-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads