mydoom | b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddcc

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe
Size

29KB
MD5

c40497148a4cc5599bc79c339e7978e0
SHA1

7e42a39669a1b1276f885d349fda7e9a2e61c308
SHA256

b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddcc
SHA512

91811f6c709f63ce52d1df3b59993bc7f7978c5124b0b63c544ba7529c6c7172c6c7a65d0bb58934421973e54afc004630ba538c5dade324b12998a767fc8c6f
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/q:AEwVs+0jNDY1qi/qC

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 10 IoCs

resource	yara_rule
behavioral1/memory/1504-2-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-8-0x00000000001B0000-0x00000000001B8000-memory.dmp	family_mydoom
behavioral1/memory/1504-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-30-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-52-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-56-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-58-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-63-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-68-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1504-70-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
824	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1504-2-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1504-4-0x00000000001B0000-0x00000000001B8000-memory.dmp	upx
behavioral1/files/0x0008000000016cfd-9.dat	upx
behavioral1/memory/1504-8-0x00000000001B0000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/1504-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/824-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/824-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/824-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-44.dat	upx
behavioral1/memory/1504-52-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-56-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-58-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-59-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-63-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-68-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-70-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/824-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/824-76-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe
File opened for modification	C:\Windows\java.exe	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe
File created	C:\Windows\java.exe	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 824	1504	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe	30
PID 1504 wrote to memory of 824	1504	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe	30
PID 1504 wrote to memory of 824	1504	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe	30
PID 1504 wrote to memory of 824	1504	b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe	30

C:\Users\Admin\AppData\Local\Temp\b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe
"C:\Users\Admin\AppData\Local\Temp\b0ac138d74be41c6d0d387f3279e153f123d92133c3258c4466188fd9c26ddccN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f08607d429f1767e5dc9e22f6c1a13d8

SHA1
7f657d90b86f9f2b82b5a319ce32740fe210cf38

SHA256
60d5933d7afdb99b571b28dcca8d2ccc99c4edd6d14b0626a58b261e0c8c410c

SHA512
4242e17e9be8fd8f7178a8a7f2a260055a7033d0e8c2b7204ba7e2c434c21268982c483548cddfa0ab8405c30317f83be671ad35f3fb846764ce10b0d576f567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0add5c5446c86a8ee8034d7ab83d8429

SHA1
f1d06622ba735ddebc8f84a49405d4d37464045c

SHA256
c1a6a344f9b97cc628744475e32119f14ca518c48977fab710283fa0845e1ed2

SHA512
ddb58fbc9d4fcf509b6e650d97614d19495035707cff8125e12670d1faa19278c571ca1f325399aaf2b297098b5fef1f258f036a4e82d5c2615969d49b1a10f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
546a56bc983fc5a0ee3bf3d40710c2f5

SHA1
54a04669b38840daa5552b8f9041c86e18bdc3fd

SHA256
5993f84c12d006a45c7d0bf02cc75ccad29e8b1ab504e4310421cf2ccaac41a1

SHA512
0b7722c03eb5777c30f727e05520d0b58686ecdba8edcf10fbc83de69c29afaf69fdbf22ccd3bb9d97cf91cfdfe03fb390daa0bb4130bef7c9f2b55420cd2429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9900f541fc0609e49217c718c32d9a4b

SHA1
46ccbce6e0291c22498f328b9e59398a83a4df6d

SHA256
5965b18a355f85fb17f6e2884583a063a2a676a21224b84d6bc99d4a0331e812

SHA512
fbbdc6e300525fe4d59e922636f1fd8b087b1f498deda8f9dd698f0e1eb49af6ebecd86cff4e1e011fe618272005d36f8d1664863677cb622ad24926877fd19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab76DE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar77AD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BB0.tmp

Filesize
29KB

MD5
dce51053797b3114c1f63f5bd04f64cf

SHA1
dc5129f4d8ba5f64025068a47df3b5527997fb4c

SHA256
768f6698333f08216615b80e28843ddfb96b61fdf8c7d6162cbbc725e1510751

SHA512
bbd083071a9213e422fa265fde091c10746ecbc169f1e5448aab1e15679a40931018aee618d1603eecddc42daa844aac3f7bbaf4f42a3b54c2b2b4097aa9f250

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
a2544a41b2cd896c30f8886ddae2c258

SHA1
970031fc10f48c893c276e9a90932447151f7611

SHA256
a71c06bdeb6a47381a25114c10c75b22ff907a06ea3f609b94f9e61e1b2075c6

SHA512
6d1ac43d5e1baa5c47ed889d984e8e67b9f849d0761a5ba2d194252c326a97dd21f63eb20b7d2962f68d89c1933961cd986ac0c2a24e84f4bd6d73c7eaf81ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
eb06c0da83af3719742594d49d948d0b

SHA1
7da087eb50babdb2528031132cc31ef89da3d7b6

SHA256
b3a36e1ba341a1e87ed7b591470810427413b7d908e52cfde89895d0700e12dd

SHA512
f28b4b781ca20bae4a1ee5e25f11a6db34c702f53f583d1e26d3ca31a7fd2b2a6fc3c88d129ae4a51575dd0137e06f547f52f8c683a703fd92dc2b2ed6df2464

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/824-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1504-56-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-70-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-68-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-63-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-58-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-2-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-52-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1504-8-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/1504-4-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads