mydoom | 2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9ae

General

Target

2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe
Size

29KB
MD5

fa92f5374dff2b3cafceb5d07395e7e0
SHA1

ef7a6d15d8c95f8d18d6916caa8ed4cc33fa90be
SHA256

2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9ae
SHA512

54294a9f1784176b27b98c1ad5f310fec8ba9bc830c9710d110d0316e37cb0ee89a3523c7e5715b321a61e4b7013f44a50d4982173ad92a70149a501ae15ad32
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Bhg:AEwVs+0jNDY1qi/qJi

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2160-2-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2160-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2160-43-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2160-48-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2160-63-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2160-65-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2160-70-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid	Process
1664	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exeservices.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2160-2-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0008000000016276-9.dat	upx
behavioral1/memory/2160-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/1664-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2160-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1664-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1664-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1664-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1664-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1664-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1664-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1664-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2160-43-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1664-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2160-48-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1664-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-54.dat	upx
behavioral1/memory/2160-63-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1664-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2160-65-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1664-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2160-70-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1664-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe

description	ioc	Process
File opened for modification	C:\Windows\java.exe	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe
File created	C:\Windows\java.exe	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe
File created	C:\Windows\services.exe	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exeservices.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe

description	pid	Process	procid_target
PID 2160 wrote to memory of 1664	2160	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe	31
PID 2160 wrote to memory of 1664	2160	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe	31
PID 2160 wrote to memory of 1664	2160	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe	31
PID 2160 wrote to memory of 1664	2160	2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe	31

C:\Users\Admin\AppData\Local\Temp\2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe
"C:\Users\Admin\AppData\Local\Temp\2f249b8a2910402841bae9b05513ab445b3347d6ec77184af5ef5df2348db9aeN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC40.tmp

Filesize
29KB

MD5
2ffe266e1778f69f1635cb1cf08481aa

SHA1
05caa2786100d422c93112aec1246c3729d0eb6b

SHA256
a38fdfc8532bdea7bb480ebd0578ce7af7fb392781751f45b84a8dfbb573126d

SHA512
d40a529425730a9f075b370e2aa72c28bc10455a49e78e65499377b325ab541a7b6a14355eee115b91d5468c50f375dd7c9fd8a914b755b70b478f5842005fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
46884c2060e375048c0459047b3413e8

SHA1
0c9ba15bd32e731748d5745702d8999f86c0a97b

SHA256
4d0a48fb5f85254515b8cd171754b7c063f9786e831bf950a89bda1335d97fa8

SHA512
f3a72326ef66404a466f0d3478a07338e9976f7fdc7edcbb394b421fd9f83b40dcf3fd6535857b23abd593e7d15784cc62edf43a3875e1b6ef97e98e9ed790e1

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1664-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1664-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-48-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2160-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2160-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2160-63-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2160-43-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2160-65-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2160-2-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2160-70-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2160-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads