mydoom | 19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7

General

Target

19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe
Size

29KB
MD5

7c82a1bbb65d341174caaffa6e9f27d8
SHA1

d9bb3423fe2ed1c5b2c1ac8db97e3f1ed64d3f0a
SHA256

19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7
SHA512

daf8a0c82eb47180650536d8de5740fce4d4271b8e3c05e6b4a386ffae05d933226b1d82c6ff7e40b16dcb0b2345fe6513b15df3ad8d0c40259fbe972f5be2fb
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/mW:AEwVs+0jNDY1qi/q9

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/2540-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2540-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2540-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2540-148-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2540-175-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2540-182-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2160	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2540-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023cd1-4.dat	upx
behavioral2/memory/2160-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2540-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2160-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2540-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2160-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2540-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2160-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0005000000000707-65.dat	upx
behavioral2/memory/2540-148-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2160-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2540-175-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2160-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2160-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2540-182-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2160-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe
File opened for modification	C:\Windows\java.exe	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe
File created	C:\Windows\java.exe	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2160	2540	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe	85
PID 2540 wrote to memory of 2160	2540	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe	85
PID 2540 wrote to memory of 2160	2540	19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe	85

C:\Users\Admin\AppData\Local\Temp\19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe
"C:\Users\Admin\AppData\Local\Temp\19752be846b846ace67c5e8c480b9662d54229ff6c415a5375134389acfe65a7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxkn9ioex.log

Filesize
320B

MD5
e6057ff1f2b950c5172d4fa6e94acdf6

SHA1
3041ef08822bc20111bdbdffc53ee122d5c134db

SHA256
45795514b953de1e857f6fe3762b9e689d65b21ff5f74f080f962fd22858a6fc

SHA512
23009c229ca05fc5bb9c0030a6532a310d1724bceaf2850e5eafbc009ee1784d4eb5998ec67c83645093feb1e29e856d79d67d93a0c3e51b9f9e63a99f96748e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp651C.tmp

Filesize
29KB

MD5
1b939e95184a36000efeab12b9de3e7c

SHA1
f80fafddd4a43ceabc0669af3d7a176601954ecd

SHA256
a9a39026fd88653a7c7395febb34f0b5318acf81b1a623a304a2a5cd7a1ac90a

SHA512
058a68e5a53cdf8cbe9b430d0f2e2c31f2e91fcc25404c039614b1c2f7760d9a9c9178db60e354fa91e93be080818b3f69565ae0b97911689dadf19fa2842710

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
0c97a76110a1d0310b9a28802b898c08

SHA1
c7eeb2069de0a452714db5fcd09bab2207d62edc

SHA256
9b76c02be8d3d031e82df27e3381e2d561feaa211d1c0c20e4bc18ee23d6e872

SHA512
27f6bd227e8508276162e15f828b7c310d39df141879a55b2c408f122578fe83172f5aebf543c470ceb81a36b125c26248cb2023fa231bc1650a2ee52c648f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
17bd9c3febdc0147b685b77c80cb123b

SHA1
1471a23a54a3aabf540c4c2ea72d3203d82c1ee7

SHA256
0a1f1b0938f604d3d2a5a944c3b38a1c3d624dfa48efaa3a6d91075a773148b2

SHA512
68c27a9a96e0266a29d7e75fcd774181815151a775e1c96f5d7a706876f7e59d8af1631663b3cf79537be6f2c27f7a14d7b8bbb5125b4116e95717894b32a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
bc6afea317d72606a404838cb3bbf0c5

SHA1
603e09060a9486f79b678dfcab04e63543b9040a

SHA256
a9935df61bf571562e8d56e3b7e52a03e6abf709f1182b85af1770c91c3b8006

SHA512
5401a34dea26552678e7372e8881f919e7d85763a886673d82f1c4067b21e66c328483173478223b8233f3907343db71f5124dfe04f4e9e21e53257fb9ee3856

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2160-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2160-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2540-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2540-175-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2540-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2540-148-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2540-182-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2540-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2540-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads