mydoom | 14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d

General

Target

14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe
Size

29KB
MD5

da9e92465b22365564fb6fa69b55caf7
SHA1

033ed9780d803c362d374fe5057cbc0460bbd544
SHA256

14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d
SHA512

01ff4869120a70aa1a3a4c4c348a0f04e70422eae1538966cc22390591b89915b1eb4302ddf642f86c614589d08c38bc1cf2c5b18ceef8f1a533b1deaeb71647
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/s:AEwVs+0jNDY1qi/qE

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/2352-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2352-45-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2352-50-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2352-74-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2352-76-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2352-81-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2356	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2356-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000800000001660e-8.dat	upx
behavioral1/memory/2352-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2352-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2356-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2356-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2356-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2356-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2356-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2356-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2356-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2352-45-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2356-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2352-50-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2356-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-64.dat	upx
behavioral1/memory/2352-74-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2356-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2352-76-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2356-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2352-81-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2356-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe
File opened for modification	C:\Windows\java.exe	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe
File created	C:\Windows\java.exe	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2356	2352	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe	30
PID 2352 wrote to memory of 2356	2352	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe	30
PID 2352 wrote to memory of 2356	2352	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe	30
PID 2352 wrote to memory of 2356	2352	14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe	30

C:\Users\Admin\AppData\Local\Temp\14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe
"C:\Users\Admin\AppData\Local\Temp\14015e84ed37d35afc284e6a1873fc88b8e57fb40a1b95723b4653a77226085d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD388.tmp

Filesize
29KB

MD5
769da2b051e6f6c71f0d6d7ee50eb5f4

SHA1
9bdf92f4780582e7c2a68fcf3338a249eb4059df

SHA256
3475ce466f67499e49f35853d2e42ac6e2d3c8a166741414240a271bbf44fbc2

SHA512
a3f4c8f249a4ab816986f28f64b5e9803defce1228c306f3cf683c3c96ad0242635f49d92f218c67a07e485e892e1c64e565a551a8f6ee15ae8be9562529d6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
f0cb6a8ab1a130d140ef9a0f5b8777db

SHA1
340c2f738adb2c5091e564ada8f0cf566a99b367

SHA256
1cb661077bb75103c4f32f7b524db539801612bdffed7c2a2ae6277032da35bc

SHA512
28e145974d715ef691a306624a119a8805549273c4fb6c6721af5df27d7245ea1fb57e7c884bb25efc59b9f2e1fc9b7365dcc9ef128ed9cc3242bedec19ac71a

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2352-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2352-45-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2352-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2352-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2352-81-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2352-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2352-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2352-76-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2352-74-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2352-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2352-50-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2356-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2356-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads