mydoom | 2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646b

General

Target

2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe
Size

29KB
MD5

656dcc6efc3458a58d09600f0bddf4b0
SHA1

de7059d1565baccb0c4a4f31ba0cec8e7e2c47ba
SHA256

2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646b
SHA512

fd09cf5ff7efc7676d0ea6eef06830c913684b3dd96669a62e693b563b3826db35c58764aab2ef271af057037c24690ff6e8eeb6437c6ad79a24d741e19735da
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/kF:AEwVs+0jNDY1qi/q2

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/3424-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3424-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3424-123-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3424-160-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3424-164-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3424-169-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3424-186-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3424-223-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3500	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3424-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-4.dat	upx
behavioral2/memory/3424-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3500-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3500-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3500-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3500-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3424-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c000000023b87-43.dat	upx
behavioral2/memory/3424-123-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-124-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3424-160-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3424-164-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3424-169-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3424-186-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-188-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3424-223-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3500-224-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe
File opened for modification	C:\Windows\java.exe	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe
File created	C:\Windows\java.exe	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3500	3424	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe	83
PID 3424 wrote to memory of 3500	3424	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe	83
PID 3424 wrote to memory of 3500	3424	2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe	83

C:\Users\Admin\AppData\Local\Temp\2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe
"C:\Users\Admin\AppData\Local\Temp\2bc51c1509c61916523d2ebb0d2dc433e91cb865429b2b8d09e0c378b2bd646bN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L6PPXFHA\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\plqrk.log

Filesize
320B

MD5
560548542a9f2fa66d5ab0365df3417d

SHA1
551cfc0d6d396fd7d789d7270333bb29c9f26409

SHA256
517247e1d1b42f67577922cd2968060504d61e882ffd4b4a849362f476949871

SHA512
5086f2833e8bec258c63db5feab157d672b8521f58a17f6b6d0663c188b7fdb7205d9bccc33b0517e2c2670dd3aadda7cad412701b48f3d5a5e6b56ed202bd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55ED.tmp

Filesize
29KB

MD5
a98a3a95b8d8536111eee2a931348ab1

SHA1
b9dcbe1c419b86b5669e71021dde7b247aabe68a

SHA256
fd208fad1681f4b965a310439f8656ffc71fced1380cca0c841f452814f4da87

SHA512
dc2349f2b75f854a1cc76f226f47ab88758dd9ba8ecbd793fc5968d1b5c2a27b8e52828f233b58252dbad6b2f6a984884c07433ecdf188fc5bb29653896d72a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
9e07612f1e436bcb5f020eef700dbbac

SHA1
1d7cc9a2a4ab80e7b949768c6bd74f087c1c12fe

SHA256
133afd93df27a5714863ff604eb0fd8b3bb3b22567bf4d544ef46ed6c59859d3

SHA512
b7f3ee08114e6ba421f54f8dfc294a3121f489a35ab64f94f4059903452444c752e6b10fd543a62b1b624ba6a37db0d0fdeae0f7dacb146a5962718b5464cc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
a56ea08236e2ab38f472bae0d63c9c6e

SHA1
6b92b90da37da4323d941e5a60b2f16c50c7577b

SHA256
d3881671d23c31482d6a47a36575d8395e8c084fe2e767ec5f6fbd0108c7a56d

SHA512
afe071235e5f2a07cec96df9d0a62c8e263b8b888971a41afd3e7b2bc2a0df18457e08837981a6e777e09abaaa0c0002e967b16f5b29932509135e4249f0454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
bc97d7babbacfd17631f6f1161b27c7e

SHA1
c2ea8746d0879ceb57d4d1ba5942f712abc636f8

SHA256
d501cfb880a1b548bb407807f262cb3de9413692a2522c56cc6b2bb62455e7b5

SHA512
4cf7bcedda590208b72399dbe50bd5076b719ef63954b60144313dba3fc4112dd427553a0fe649cdc502eaced20645c375d47368d80b44dbef640b8f6a83aa05

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3424-164-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-160-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-223-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-186-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-169-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-123-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3424-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3500-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-124-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3500-224-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads