mydoom | 8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d

General

Target

8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe
Size

29KB
MD5

b82d22467e2a79fae09453e669a8babf
SHA1

8a765139d41a2b7c0050fc3dbcb3aa29cbd4361a
SHA256

8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d
SHA512

b5076720a9039b1d21efc7c86f3eed501c2e4165eb3e84a8477f121c830fa094198bfe2720366aa759a99679f478c0b01e704d27b31bf5177cb332e6efd14097
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/0X:AEwVs+0jNDY1qi/qi

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral2/memory/2204-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2204-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2204-56-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2204-164-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2204-179-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4692	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2204-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4692-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000b000000023b62-4.dat	upx
behavioral2/memory/2204-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4692-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2204-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4692-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2204-56-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0005000000000709-69.dat	upx
behavioral2/memory/4692-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2204-164-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4692-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2204-179-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4692-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4692-184-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe
File opened for modification	C:\Windows\java.exe	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe
File created	C:\Windows\java.exe	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4692	2204	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe	83
PID 2204 wrote to memory of 4692	2204	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe	83
PID 2204 wrote to memory of 4692	2204	8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe	83

C:\Users\Admin\AppData\Local\Temp\8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ab0f04e62161a9511ce897d32d9d951c3a67c39662eb11a8e191ce6ce30af5d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23FC.tmp

Filesize
29KB

MD5
e690896bdc3c984015a91f15a9051042

SHA1
7dc0f53814bcbf96f71e591b3f70a4b416a5424b

SHA256
fbb8c019539d9f76479254bb781b113aa28248d18dddcbd545a43c08bb626728

SHA512
76ee11fccb0b808245672ae7f5419b80e2c6a810d39799219a5eee471158019a626e7f262cb492f90c82bda655237e26c06f4abf344166e3afd93cd6f10baaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
6cae3b1500683460eedc99cbf23c8fbc

SHA1
7a04b753aea0009867b7ce1c849de263bb784c89

SHA256
ade264fb81b2db27497ec13ccb1e0c00937f115fecfc92934b2813d79f8853cd

SHA512
3e1569d92445e65b11be03ee9802d5316071d9caa0b748a347b3094edc71cac3ea7410cf4adf8770c89449715c1515ecf360b25fa9fb146ee319413ad34d35c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
9b0f01fdd8f2741d9b6180ed84b8fd98

SHA1
0af8ab8aa45e74606f40f30a49d49e218d89634b

SHA256
c8af7c3c8a1bbf31ca30aff7a52c77969dc6d3f31bbf62b1da682e838fbb1e00

SHA512
d63815903c9d5b5e8baf32d8671a472f75c442c0a3792cfc1f6168179b0bb5c5fec2e3b46f6b4573be2db0a64c42f9e112c8523f72b349e606b46c82e67c37b9

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2204-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2204-179-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2204-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2204-164-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2204-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2204-56-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4692-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4692-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads