mydoom | 389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91

General

Target

389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe
Size

41KB
MD5

d217a327abb504c5c60e87ab3e50e8fc
SHA1

62d271edf3224ae5c12617110f5dc733096fc5a4
SHA256

389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91
SHA512

b6f765df4f4823a62c83e52af72d9d07466fd3aab45b905730bf1b9147971c49cecd7cfd5053996e371f4945dac920856e5cd95bab51014ef17130a2f74a8b5b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/S:AEwVs+0jNDY1qi/qK

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 2 IoCs

resource	yara_rule
behavioral2/memory/3772-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3772-56-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3716	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3772-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0009000000023c91-4.dat	upx
behavioral2/memory/3716-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3772-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3716-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3716-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3772-56-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3716-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000709-67.dat	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe
File created	C:\Windows\java.exe	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe
File created	C:\Windows\services.exe	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 3716	3772	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe	83
PID 3772 wrote to memory of 3716	3772	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe	83
PID 3772 wrote to memory of 3716	3772	389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe	83

C:\Users\Admin\AppData\Local\Temp\389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe
"C:\Users\Admin\AppData\Local\Temp\389266838316a35b3d1513404b682d25de203f31d9f5473d9ea4c486e093de91.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5DD8.tmp

Filesize
41KB

MD5
4fa2cc9e75838afc6fc0ed286240cd54

SHA1
566e1ee894aa64520b80509c6565d57e5f87e563

SHA256
683e32fb405a81c19d97d74c57c8dae0eba86e9195a34f05d6ee4e9f7415b1f1

SHA512
0e8d57c702d5835dd9dbc79c67f7ae1371e7f80294f624e474a68da037b2e54ba78ab2025ca2072c22d8b745745227a21c9cc04cc4b2556c205ff1c794b5784d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EB8.tmp

Filesize
42KB

MD5
b0ee77b124c02cc7686aa4877a14238a

SHA1
98cc2a3b04b8ac2c52f7c41309e1e194eeebf827

SHA256
3731cf793e205b3e8a6667f9575c6ed1241c1bab7beeea6387060bfc36bba150

SHA512
a13ae509254ce908b9a5a5291889d916c62b772de5f7203aec9ffe021d571f3333434c27e74bcf4567de6f10ef4e9925e57e9dcac450f14d71ee2e6980fed5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
f36eafe3dcffa0cf2196af5ce13ce232

SHA1
514b82dd986f3298252c57455a7b59c6ad4d520c

SHA256
8bd02832f3a2e615e92ba63b04e652ba3d1c3a362cb1b648e481e6118a33851d

SHA512
01ed077c86a87f87922450edb96890f83fce682f1168362662087b2885485e3d3c5cbfe8bb911dfd903ad64619085dff9121f1e4938678ef34c283c97a0d5cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
79944aa6ca31cad9e429a14f4031662b

SHA1
c3b7d32c8c64784b296d96c9e030aa60e3d6141e

SHA256
47b7d28c65b24b11e238299925257a873f474c2be0363e32d617fcdf0e05405b

SHA512
44f3c45df6cd1ded0d775fcb5810efb55b8abb13b6e38463c0490e427e1169cb93f9b97a246ab0822104b4b6d9c7fa5cf0f19b8eba3b391447d2b6597ebdf7bb

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3716-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3716-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3772-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3772-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3772-56-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads