mydoom | 4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe
Size

29KB
MD5

5aa1c95a58ee32764c5c9b5f0f6ff2ec
SHA1

a78974743b38530b3d19e8b29d689419ce151459
SHA256

4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba
SHA512

98df05c63984c87d4223d6cdbc62af3f4b4d15d71f0c0eb1256e462ccf25fd557cf2b6b995070977aa4e840068a13ea8b75fe765d56b06eb3c5e96466ea236e3
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/U:AEwVs+0jNDY1qi/q8

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 11 IoCs

resource	yara_rule
behavioral2/memory/2544-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-27-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-121-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-161-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-168-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-191-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-218-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-253-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-289-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-327-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2544-368-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4596	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2544-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023c82-7.dat	upx
behavioral2/memory/4596-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-27-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0009000000023ca0-41.dat	upx
behavioral2/memory/2544-121-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-122-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-161-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-168-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-191-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-192-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-218-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-219-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-253-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-259-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-289-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-293-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-327-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-328-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2544-368-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4596-369-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe
File opened for modification	C:\Windows\java.exe	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe
File created	C:\Windows\java.exe	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4596	2544	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe	83
PID 2544 wrote to memory of 4596	2544	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe	83
PID 2544 wrote to memory of 4596	2544	4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe	83

C:\Users\Admin\AppData\Local\Temp\4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe
"C:\Users\Admin\AppData\Local\Temp\4a47467b7b45c9a464fcc01aff08530306c6abfb9af41072e8d259dda89a66ba.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\default[1].htm

Filesize
312B

MD5
5431b34b55fc2e8dfe8e2e977e26e6b5

SHA1
87cf8feeb854e523871271b6f5634576de3e7c40

SHA256
3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432

SHA512
6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EFY08QA2\defaultFFSHN8LV.htm

Filesize
312B

MD5
e5c2364375c0a8a786a9508a840b6299

SHA1
bec1874db0d2348274b6656d1383e262f73e2bc6

SHA256
51b67ae1066eb179562cf80a8a156bbd4b139b83072f610bf62c0b6d58ed17f3

SHA512
ee19a8fa40bc7e991ac289eb30ceec8264d6071f124e99791022961c99f25b97def4f13fa96149eb52786d1104d85d20410e65a333304c0df6ba858472a557d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EFY08QA2\default[4].htm

Filesize
318B

MD5
98fabeeee4a3c50ca3f11350f022be4f

SHA1
b0e60205e49d42f34bd5a159a972ad41a99288f1

SHA256
5e484772e930306d062f2d071d4ced41819264272b53260fcad2aae52ff10865

SHA512
ae084698e0f88bfa39997bcaba6f9a697bd1a7fc9d0496efb7d8dfeb96faefa62773e6be1f6c50358d530090b79948bf6b73afbb1f5606667235a93eb45dfa62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\default[2].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\default[3].htm

Filesize
304B

MD5
cde2c6ec81201bdd39579745c69d502f

SHA1
e025748a7d4361b2803140ed0f0abda1797f5388

SHA256
a81000fc443c3c99e0e653cca135e16747e63bccebd5052ed64d7ae6f63f227f

SHA512
de5ca6169b2bb42a452ebd2f92c23bad3a98c01845a875336d6affe7f0192c2782b1f66f149019c0b880410c836fc45b2e9157dcccc7ad0d9e5953521a2151d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\default[6].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\default[1].htm

Filesize
315B

MD5
e510f9586fd45ddb7f0c00cc01b5bb78

SHA1
0f49be1ea6f9228f7fa5877a74df5913d500f44c

SHA256
06dc56e918b87be102dbef5a82c2b9e572d2e4dd4e778026ab8aa59ec58c454c

SHA512
4a6cd27994a9bab95b152bd6be520dfa186b3b067345a350ced80933757ce875bf53cdaf3413ddf1ed14968adc233f7cb6bb2fcda0fa19c4d68e2e9d86416b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\default[4].htm

Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\default[5].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42E2.tmp

Filesize
29KB

MD5
b0e490e64b5dd1e545630a237aecb87c

SHA1
5c27fbcb145a86aeb0d437f9a3ca980473340052

SHA256
6ad30e3731f49982cfb7ac3fac6c7f8f9abf5bbdbd8cb19757b5edb374a55d73

SHA512
47fe9e0ea9184fc0dde0ddd63003e0f0cd42ac50d36ea7be0ed54441e78cfb2e6fd1e7ace6184d94b90433cba1635ed27db8ecc453c10110856104669a53ea2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43F4.tmp

Filesize
29KB

MD5
1d48ddeb97c60fbc95ef543f4a129e8b

SHA1
c012563da3249c52f70d51f2537426b649439a9b

SHA256
163822f27287be9cffa10741df2dd444234b6a676f3645ac2bc721bd54e3f095

SHA512
87bf1cdc97996976f47d9b0f5843fecc3de235c86aef29ffc3d00ad458b40b6103596c40b853af486e909ab07eb0ec0a9a8a128f62dbe9c30c85178f97d729e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
128b24de04e5d6538c38cde2d41d29f4

SHA1
00fb861b4cbb8e03daef65fed69eac99afab6f62

SHA256
9266cac1b4cfc49e02f743755c7e5694023082a4b926543b92ce2c1fb8d0f219

SHA512
89a08c0340f1353d919cc9a61d84deaf0d1141cc7c00cd573551ccb72ac43a368462b2aacfda7df30115f237fad0f1ee71a7b598974b01271f0bd7a7f12f753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
cc9fd22b00381c0f2934f261b031df25

SHA1
e6d6b0be5e410043e701f3eaac84581eb4f07d43

SHA256
ac14fa1c470f3d60fac9f6542f9a223502b8d1f75c76752b643a5ed52c22bc7c

SHA512
1479a169cf04fc6a40473e0a2b5ea0f9351e5397dc67bab6b6741fa93914621b0d433e36c0508779e2c13d812bfc845affc7cb415596795d7edd525eb74631ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
230af942ab3a77fd137fb3d9321a5dc8

SHA1
a469a7645f3def8e836c2af7258533cb60e9eb1f

SHA256
2046b44ebba931b3054e87793efa31794024a96fd4d153abaed94022cc9e7d94

SHA512
6f6ce3ba478d1a1425b3e28bcd7b47bb14dd1cc963c01e187a9f7ce0705acc329534f7c14458a0f5e786aa893b77be71f3d3bfadd5833fd328286e1936b7a8a4

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2544-161-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-368-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-168-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-253-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-191-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-121-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-218-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-327-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-27-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-289-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4596-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-259-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-293-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-219-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-328-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-369-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads