mydoom | 2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2

General

Target

2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe
Size

29KB
MD5

3a2eb331baf84b450f09f1f0cbb8c840
SHA1

198e3144626fd3189024323f2bf6092fa1b9a154
SHA256

2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2
SHA512

834f42cf76ba0fdc5dc22dab3e1730a73ec5487a7d9f9051cb7604570474ab1d41d933d63116840642bb3ccd4fca993f3ded68aa33684536a6c1b611d66db98c
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/w:AEwVs+0jNDY1qi/qY

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 4 IoCs

resource	yara_rule
behavioral2/memory/1064-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1064-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1064-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1064-131-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1568	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1064-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023c87-4.dat	upx
behavioral2/memory/1568-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1064-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1568-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1568-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1064-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1568-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1064-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1568-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000707-62.dat	upx
behavioral2/memory/1064-131-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1568-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe
File opened for modification	C:\Windows\java.exe	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe
File created	C:\Windows\java.exe	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1568	1064	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe	83
PID 1064 wrote to memory of 1568	1064	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe	83
PID 1064 wrote to memory of 1568	1064	2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe	83

C:\Users\Admin\AppData\Local\Temp\2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe
"C:\Users\Admin\AppData\Local\Temp\2e32e046fbd4de5487a019130966a571693be060b5fa76f72f18f2354c79a1b2N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O4PTG2YB\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfwPe.log

Filesize
320B

MD5
790d4547659617e5b429e9d768cd54e9

SHA1
47912c36a484af0598238353dae806b46cd106bb

SHA256
02c2b0d77ec2e7a0f4a95be86e81d45841751031b5c7051fb05f6748acd6a3dd

SHA512
aacf8b26afaca989dd8b96faa657e56e4bf14daa77b5f5880adc8d5e5222f51d016f4dbf48fc342d4d52445836b1ea2996ce9d2dc7fdfe656a11677d5d0706bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F46.tmp

Filesize
29KB

MD5
4b863482784cb8482f1dd845c589176b

SHA1
1788f3bea8765bc24a9d009cea98a6be402e0651

SHA256
de5f4c01ba2bc3aa5b87cbd6c12d9d361f01eb1175f4a742d3a72134b71fe6ab

SHA512
5238d36373ccc6cf42b1bc94c1acbd58d2f725402fbf451081729d75d93f30f4172058c3954d8c067316bcb2d300a8c574e559de1eee35b29ed1b45361f7c518

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
e60bf105a8472fd88bca7f321ee1bbb0

SHA1
cd4448cfb5e14579c15910efa903d067591da363

SHA256
1a485cc4af5b418bdec8db988e5c6a46c04aed86211cb2a1da9ef7751cdd1572

SHA512
411433f725eda00a12586a9c8d034b6366ee06d71c2eabc7de5016e1a652fb68325ad68970062aa41e7db2f982f29026baf0bc82a5bfd64cd1d3c36fb64bd7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
6a29dd9c7e434afea5c9c89a1b15d52e

SHA1
2ad685c000b9bbcec481050e7e75e21a740b2dba

SHA256
d87e782b2270a466cf7c384daff380a474d43891ffe414deee6bc7c8fde7100b

SHA512
39b7cf94fd623c7bb722313809cbbb58627ab5e4dee7fdc8d4f7bd58c1a95e3869a4bae6d4dd5d69e83b08a2e0a50cdbf16c21c9a7d5a512fae746843a55c214

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1064-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1064-131-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1064-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1064-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1064-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1568-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads