mydoom | 3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162

General

Target

3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe
Size

29KB
MD5

a8f2eedff7af116ded5d533b3ef71757
SHA1

288f0bb3a78879d8e565a1c137838cd0abc7cc9e
SHA256

3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162
SHA512

b7182cc6b9e86c305afc4b06212bcb413c5bac1b355e971d51cf9462f9dd8b6df20017f03575a137043728e3f77a467eb3396e5acc1c1e31deca3d9065748fc0
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/o:AEwVs+0jNDY1qi/qw

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/1688-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1688-37-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1688-61-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1688-65-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1688-70-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1688-77-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2684	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1688-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000017520-7.dat	upx
behavioral1/memory/2684-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1688-9-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1688-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2684-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2684-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2684-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2684-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2684-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1688-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2684-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2684-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-53.dat	upx
behavioral1/memory/1688-61-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2684-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2684-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1688-65-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2684-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1688-70-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2684-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1688-77-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2684-78-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe
File opened for modification	C:\Windows\java.exe	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe
File created	C:\Windows\java.exe	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2684	1688	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe	30
PID 1688 wrote to memory of 2684	1688	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe	30
PID 1688 wrote to memory of 2684	1688	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe	30
PID 1688 wrote to memory of 2684	1688	3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe	30

C:\Users\Admin\AppData\Local\Temp\3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe
"C:\Users\Admin\AppData\Local\Temp\3a5042b3fc2b210247d099f25db59c4c5595b8e198aeab69332409d630d77162.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB3B7.tmp

Filesize
29KB

MD5
1bb282061a5227e7da39f74d84846a4a

SHA1
8baa5c36b92ba4ed65eba23a358520afeba953a0

SHA256
a0e5fbd9ee8deb25a78f7bcc9c0ec294b24154fc10eb2b3c31cfdb478f70c686

SHA512
ba15c89a9cd3f27623c8739020958390ec7b233bac020a3cf9ede2100bc3474cbe93addc47f2c42c0af70f1bb000ab6034efa89e6933c61ee9dedbde81ba2210

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
e9f6d00e37be7796f7e9a2ddb5cce1a0

SHA1
fd966eaff462f4513c7ad1a22a76587a558b9443

SHA256
34c2ad3ee2b0e53915628446b2734ef1cb5abd7ce34015bbb633825d8885236a

SHA512
34067a30b375efc23014c6a8b817e9f5a1232e35df67502ba8af9f3681221a7728887cc8971c5b0d2fa5008162c7acd1ab1b076be3bfe766e5379fd1e0d59b1e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1688-61-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1688-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1688-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1688-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1688-77-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1688-70-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1688-65-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1688-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1688-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1688-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2684-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2684-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads