mydoom | 805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705

General

Target

805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe
Size

29KB
MD5

0d6e2e1b3d27c16a9d99341ad3348102
SHA1

298ef223dbdd68b949c50db722256440cb57510e
SHA256

805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705
SHA512

80abaa6390ad5dceea59b194dda691d2efd90f33195105674837bb9b03c9eca81347ce8f8697b6f39b634aef076c512c5f1788af312c2f73fdacaf97d20d67f5
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9//:AEwVs+0jNDY1qi/qn

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 3 IoCs

resource	yara_rule
behavioral2/memory/3996-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3996-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3996-56-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4700	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3996-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000d000000023a68-4.dat	upx
behavioral2/memory/4700-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3996-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4700-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4700-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3996-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4700-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3996-56-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4700-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000707-67.dat	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe
File opened for modification	C:\Windows\java.exe	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe
File created	C:\Windows\java.exe	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4700	3996	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe	84
PID 3996 wrote to memory of 4700	3996	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe	84
PID 3996 wrote to memory of 4700	3996	805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe	84

C:\Users\Admin\AppData\Local\Temp\805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe
"C:\Users\Admin\AppData\Local\Temp\805b36acf6767168ef4f337591a71230106bb368f524ded8ba45e9ac66b64705.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxkn9ioex.log

Filesize
320B

MD5
be5b82fd798a8a2e661d9b6edd58135a

SHA1
1f1689c7b3402fec98437fb02fbcad43ff1b6d7b

SHA256
82cb03988c6bdc542190508ffad4621a3d7435bdd2bce12745404b72db481eb2

SHA512
c297d97e46f4710ff2c73db8272d15b890939a494e1e3b266c84a14d78b3860757f338cc7e5e780bd9492dd04862291946abd17a759b1a18b9912aed8a682679

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp190E.tmp

Filesize
29KB

MD5
4da3deceb32ce36ecb4a629ef4f4c270

SHA1
9fb670e8c83df54b1a56d9170145ace8b0e11258

SHA256
2e531f6e1efb20a1541e9da1681ff0554088a977d3199e84172dda1249868e49

SHA512
70bcaac678aa90f154b7204a7f019f5f875ce7ac4b3f6a5214493776fd5668c5b44eac67cf79cbc85552a8a9c123ea873d221736884700e664bcc9f0f600ad64

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
18220a4b890c441885db3752e9f8e442

SHA1
472effd7eaf3df15c068b60afcb3909033a879b6

SHA256
8b0f5ac96b9d2b7ab8ed65b9aea5245286b83e63b1eac98fdb507cc935ac0afb

SHA512
8b30af1e41f48f84c6ba8a976802c6e33b3f4f004a5090fd8460a8545a2b557bae7cd53c0866c12f1792132e48d0c6235f38c78627a573922a53c111eb175e23

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3996-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3996-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3996-56-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3996-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4700-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads