mydoom | 6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf

General

Target

6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe
Size

29KB
MD5

df3a97bddf35f71f5b8b3858b97a5108
SHA1

2e2047e5e86446e450d9067d52fe63efdf1fac1d
SHA256

6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf
SHA512

a762fbca29c7db847f9c4794097e8268aae09e8a420801c15df218bdf2989791e8a30146d8a256fe55115b14e42943a12a044df5130cb78dbd35aec88811005f
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/G5:AEwVs+0jNDY1qi/qE

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral1/memory/2308-15-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2308-52-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2308-54-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2308-69-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2308-74-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2308-76-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2308-81-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1796	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2308-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0007000000019c57-7.dat	upx
behavioral1/memory/2308-15-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1796-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1796-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2308-52-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1796-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2308-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1796-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x002d000000019c34-60.dat	upx
behavioral1/memory/2308-69-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1796-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2308-74-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1796-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2308-76-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1796-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2308-81-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1796-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe
File opened for modification	C:\Windows\java.exe	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe
File created	C:\Windows\java.exe	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1796	2308	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe	30
PID 2308 wrote to memory of 1796	2308	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe	30
PID 2308 wrote to memory of 1796	2308	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe	30
PID 2308 wrote to memory of 1796	2308	6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe	30

C:\Users\Admin\AppData\Local\Temp\6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe
"C:\Users\Admin\AppData\Local\Temp\6c5b52aa4d318338f085a8afa0193662e2183cccc65254919fd594c1170f78bf.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp34F5.tmp

Filesize
29KB

MD5
2366be477ef5c4af01ba54bde4da286c

SHA1
350402a1310489b461e68d7ad4a6ee3ad1d523d4

SHA256
2110abd423add17b22796b26f9e6f3b3ff8f41cc90c5164e16bb1deb81ded151

SHA512
c3830cd94d08fa1f12d83a06a309d915ccaece393469c5795a806c95531d65e36cad02a549e9f450b67201760860d5b49476dd28e968d610c92d59af4a54d86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrwaaf.log

Filesize
320B

MD5
9c0042c134af726094362847b15dd559

SHA1
49204b90043e0acc1c74a37520e85315f5c6a91f

SHA256
a7b438fa67f92f1c885ef60fb1438f60b5c4308341d4e89a3ab590eb775b7d92

SHA512
36246379aabc865a4fb9f3483ec2875436a13358bde1a6632c70050de1080d6369dc7aea8a9ba861f7d171632bd56ae37540fd1a9ac0e255045c3b9e13c7013c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
38dad62037edabf8e0afd76019756328

SHA1
c761df60b8cce5beee3f340c125e1b1305917b03

SHA256
6c536ba6d3ed5b2352ae8657984f05a07dcf0f8cd50fe1b262bf00a044348a1b

SHA512
80138d6f58280c75d234ec930eaa29ed943d9cac4dac65959f1c7d2ac4f87669eb49674bda5b2e3eebeee1fc25a4659e2c1ad343af3e86529686ef1d79f2368b

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1796-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1796-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2308-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2308-69-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-15-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-74-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-16-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2308-76-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-52-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-81-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads