mydoom | 0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c

General

Target

0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe
Size

29KB
MD5

b048fb7bc3389855f911cdfa2d703572
SHA1

bfcead96bcd6f06c632af580389967a49a088d60
SHA256

0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c
SHA512

c32bb772cfdb6bd9873008ddd37f8ba5ad25e2672026da4adc5e66994e3be34dbf9634b94ca369d5110b466a655fed6e3c2326c28f127358a8dce4b1a6f69f5c
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/X:AEwVs+0jNDY1qi/q/

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/1924-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1924-31-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1924-57-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1924-59-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1924-64-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1924-71-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2468	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1924-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0008000000018781-10.dat	upx
behavioral1/memory/1924-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/1924-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2468-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2468-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2468-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2468-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1924-31-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2468-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2468-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-42.dat	upx
behavioral1/memory/1924-57-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2468-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1924-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2468-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1924-64-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2468-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2468-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1924-71-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2468-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2468-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe
File created	C:\Windows\services.exe	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe
File opened for modification	C:\Windows\java.exe	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2468	1924	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe	30
PID 1924 wrote to memory of 2468	1924	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe	30
PID 1924 wrote to memory of 2468	1924	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe	30
PID 1924 wrote to memory of 2468	1924	0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe	30

C:\Users\Admin\AppData\Local\Temp\0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe
"C:\Users\Admin\AppData\Local\Temp\0e1aa2528e1e2e38aaf87ed05f5422a5c375d0e0b1bf15b273e910068386ea5c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp93E6.tmp

Filesize
29KB

MD5
303d18a36ebba8b7e4b15672e4806fc1

SHA1
3efc686f8ba4235c11933fd99fb468dea51dfcac

SHA256
864a9e53f893f78d2f658bdea2af00d00e5a4259474f6d74d9f45f16e096cc6d

SHA512
8d0d001a28d5690d59f4628679f960338d09cfb11f704d5e5a6f7519ddd9157518338d2dc453a609025af2eb609021aebed8e7b2792f7522820b9a14723b0782

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
0b83c6dbcb6c0ae8498eab8c4088f66f

SHA1
552c52af0c872e605f875bfc71e60b875799cbf5

SHA256
d118552439fc7189757caad177d5374df2c36906062ddbbb5820f3f1f1c1c764

SHA512
3c77f902923099cc46d4780fbd5624af70a8426344e15c1caa206598beba267fa7fad750351e9d41d346e431e46471228dc08ee60879e29fe6a9885cd0e3493a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
40adc8064c05efae02a96f0bd69dae99

SHA1
e0eba664f34792c0417d08411b3ff4b61674e3e1

SHA256
d1d822cbfd904a0eaf5e454551484f4286094e7c5aa1be7bc58c8f2fe0b578d6

SHA512
13b574cc584bd51d4abb65124e0f32b5a7746f6d265b0d059d9a83d70c50ca146ce8eb9d6630a5ad0e2da0b72d4e59cafc8b74be5d481a663d8ff6dafd131239

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1924-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1924-57-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1924-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1924-71-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1924-64-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1924-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1924-31-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1924-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1924-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1924-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2468-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads