mydoom | 5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe
Size

29KB
MD5

31c6f4e306f7bda8e80cd3c11420269e
SHA1

31abbf2b616ec1716ea5f1a321fc2e2f29f7fac1
SHA256

5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70
SHA512

6505919d2f2e52fdd63b1c1bead9b63ec751fc5d6e7a6bd91df55ba34268fd4e70449ee6bc14f3dfbf381b1cc821b71ab5320a178082e5cc29e05077799f3011
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/8q:AEwVs+0jNDY1qi/qUq

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 11 IoCs

resource	yara_rule
behavioral2/memory/4596-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-27-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-128-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-151-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-160-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-187-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-227-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-255-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-282-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4596-319-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3228	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4596-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023c55-4.dat	upx
behavioral2/memory/3228-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3228-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3228-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3228-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-27-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0009000000023c73-43.dat	upx
behavioral2/memory/4596-128-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-129-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-151-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3228-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-160-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-187-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-194-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-227-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-231-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-255-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-256-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-282-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-283-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-319-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3228-321-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe
File opened for modification	C:\Windows\java.exe	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe
File created	C:\Windows\java.exe	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3228	4596	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe	85
PID 4596 wrote to memory of 3228	4596	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe	85
PID 4596 wrote to memory of 3228	4596	5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe	85

C:\Users\Admin\AppData\Local\Temp\5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe
"C:\Users\Admin\AppData\Local\Temp\5036f42313d91cda62488a1835cadf307cbc0390ae3be538faec1ea7204bfb70.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\default[2].htm

Filesize
311B

MD5
cb42662caffe525e9957c942617edf06

SHA1
615009db9a1a242579e639ee0fc7a2a765095bfe

SHA256
312bf5c9a1a122abc6361bf8ed01a44346285b962c0d273ef2de0eb796ae1b15

SHA512
3e6777f1f74f64fff6cb2bd1a81a6c08d9a64feeebc3deb7cacb8f0f41b23a5c59a8e6294b99c76dd386aaaf9043a1a252ac47910fe1801bdc2995f7b675692c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\default[3].htm

Filesize
311B

MD5
593192ca95413c197b2b34ef10fee9e3

SHA1
76efabd5fc9a2c297384883c8adec463e492896e

SHA256
ffcebeaee31d4944d14ed393a22bca4715f8d17f3580fa3e3d6f05d03732a8bf

SHA512
61be629d128309af1c36579e160ff30b14fb332f1440c048bf24620faa33f8bfd756e97398a4464e415abcfd39d0bee7cac57559b7ec29692c0640a2a76b361a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB8IB6GH\default[1].htm

Filesize
310B

MD5
2a8026547dafd0504845f41881ed3ab4

SHA1
bedb776ce5eb9d61e602562a926d0fe182d499db

SHA256
231fe7c979332b82ceccc3b3c0c2446bc2c3cab5c46fb7687c4bb579a8bba7ce

SHA512
1f6fa43fc0cf5cbdb22649a156f36914b2479a93d220bf0e23a32c086da46dd37e8f3a789e7a405abef0782e7b3151087d253c63c6cefcad10fd47c699fbcf97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB8IB6GH\default[3].htm

Filesize
313B

MD5
69c60ed308101b5335bf8f3965de4cee

SHA1
46fa4e015d3074e5278f30246dfc7e52395ee164

SHA256
1b949aeab999aed6ebea087159db61393d411edcbbf228b98f4b5c3d8711ad29

SHA512
4b3b388f53a35a0f1eb44706723d2814f010095a8629d692e8d6542ac4520e1f7caaa7a6bd79a7a00ed97bbd246fc8d74f51853432e386685d6771203a7d8ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp512A.tmp

Filesize
29KB

MD5
5f38b15107dac6674435a4dbea60be98

SHA1
96f759b1a8dfd22ea8ba94b5fef7f2b0991b964c

SHA256
7c9b9633e9364a1826e2b8697d34b28f52467fad95e5fad5b06128c03df0efdb

SHA512
4704ed642e521f2262f9a08bfce780c32794d9a3fe96fb0cd2091da9a62eec962e822d31c1b918e86aee26cc5324633df6b4fd7f65e6e285a49434e9d80fed51

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
ba5a6816ec2b1c7eb1ac840a831d7a3b

SHA1
06b3f477a13de4ad07264725154b4b6d16874a6d

SHA256
892f668808259c1edd3aac3c29d3e8c65235f0cdc802c980698ea7d4451cfb20

SHA512
2936db491b3a46cee6c2bd2a97f5097a8dc5ecb8ac93697186bc05c74047054642796eb8454b372b70531c7a92721f736f0666399a5287d0c1297853e3d46874

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
77db6407bf8f04da34cf4601fd4def37

SHA1
4fcfd1c349942b3c5518b329859d82e7e789696d

SHA256
95bf05897b5a986d54458265f49411064613d682a438c9518449d140952ca0db

SHA512
d7b5de27c82550a1866dba802d9501976413761dd78cd754242acc4f4d0a3422bba51b625ed352431402a16bda49a00cfd2e840c93b07cf727a4aec54f2555f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
4a3bdcac249ca80a3258ce9969213c9b

SHA1
de8b643b534125678e4c648b8c0dd034c4b01fcb

SHA256
3003a1c2a6900244da5fd208102e790d64098a8cd40155dba69ed9b04a3709b6

SHA512
d724740cf2ca0253d3f787bcd28254c126350d2f29269475f7ee4105b6386e9b412a8faef981e3e4b969788d78b55128cdb2b205a67d98b7f62d89ac2a48c809

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
681c77a7009051113a94374c4e3309ef

SHA1
6c7da5c7a76be22344cf94c8b0f5a8e323d59968

SHA256
3f46ea63dc115ea40ee31661d4f84cf5ac98fad7aef10e899cae99d4f2571060

SHA512
bd29f70175729d73ea359fa281777da1ce6602abc523c2b9e215a95b27e402c3e219eb5cf8de569ee52fe4ced28ef03148444106c41e6a82b99c0364439c242d

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3228-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-283-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-321-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-129-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-256-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-231-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3228-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-187-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-227-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-160-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-255-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-282-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-151-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-27-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-319-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-128-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads