mydoom | 1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa

General

Target

1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe
Size

29KB
MD5

fa3d5f7928308ac90fde68db9e6928f6
SHA1

43bfe1446b4f3e2e9ef64c5fa4315f22b52a040c
SHA256

1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa
SHA512

12b6ac2ac6307b9841932cabdd93b7f0bd90c52e3b2cfe24fa755787f45e6821362d83d60f6082e6d99298c1d7356b4d2f9b56343a516b6ce9a001a79368f001
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Qh9:AEwVs+0jNDY1qi/qon

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/456-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/456-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/456-130-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/456-173-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/456-177-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/456-179-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/456-193-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4648	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/456-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000a000000023b68-4.dat	upx
behavioral2/memory/4648-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/456-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4648-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/456-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4648-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000707-60.dat	upx
behavioral2/memory/456-130-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4648-134-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/456-173-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4648-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/456-177-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4648-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/456-179-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4648-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/456-193-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4648-194-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe
File created	C:\Windows\java.exe	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe
File created	C:\Windows\services.exe	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4648	456	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe	82
PID 456 wrote to memory of 4648	456	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe	82
PID 456 wrote to memory of 4648	456	1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe	82

C:\Users\Admin\AppData\Local\Temp\1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe
"C:\Users\Admin\AppData\Local\Temp\1d3e271b3fc5e867084d551ad81bfb49e591c36040b27eef408b833d411c30fa.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4975.tmp

Filesize
29KB

MD5
c14558cf5ec3afee575ee10fd3b40454

SHA1
15a29166b7666a5c681dfbf6850f39d9b78c0a3b

SHA256
46b42e302e430a7e94ca1e8506be2af289b33ebd9501a3d97f05dbf762528a37

SHA512
ae328f4a0b82df6b646afecf96d661582603c287ef017d66f671f0a91cb481db92bcb0d730542cbd751f0a3c45cd028f4da1ef595f963ee6690c6df9b507051a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
f9cf91466c4dbe472320f01acdcdbd9d

SHA1
6f206a34ab612b639bdb27fd23324ee518686a88

SHA256
06b1fc7f32eb7055e4f5561a87238db91706b084a10864b018bfd5c1503cf5a7

SHA512
150d61c89bbf14d83f574d4f24b8d3fcec93e016e4c18be9dc8537e65640d980549cd21cbab383c164e85986b3fb262d98924efae45145b44bc78b1ea6e3c4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
d672d16ca3746ae50faca167baea4ca2

SHA1
598edfcdb1128fbf06ea474822e97cf43ce8ed24

SHA256
6aa228c31110b263f6d7e6afeab792d1e14f6226e2ef233f80e55f0773fedb26

SHA512
e7806f5ebc766598b132d858f3912c932414380549c6a96945659f810efc45e4720ed7a4a10bd7720b77445bce940817f9c130c55a5f2510ed629bce0ab889a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
f6b503044779fcacf8529fdbf1244fb8

SHA1
6fdc4f2c374f3023c01c7aa06a794ae0c3fab150

SHA256
7260edb39c9f81b31ac5a3e4cff852a11e8f145ad38a8eacd69859ff3fef51c5

SHA512
4e668482bd46ba7c72d64df396c60aa8b75c216a1cfb07aef5916a8dfeb747648fc3a25e0bc92fc0cd8edc7ed6f0d9e485dd057e4f4cd91002205f21b5b62ca7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/456-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/456-130-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/456-193-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/456-179-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/456-177-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/456-173-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/456-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/456-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-134-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads