mydoom | c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cd

General

Target

c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe
Size

29KB
MD5

6fc71e1c10912d7c16d87624c871d530
SHA1

aef95cc44b2fbdd50270b5fc0f521008a43ad27f
SHA256

c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cd
SHA512

3cebb266192aa2dece38865b26b8f04fed71a5a9a709bd6038b38b49d3a9565823db14fbe7bbfa3a6affaf03feeaf2ba8f0ed6cc7edd7373da77cfc21dfd4cfd
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/A:AEwVs+0jNDY1qi/qY

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/2208-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2208-41-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2208-57-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2208-61-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2208-66-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2208-73-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1832	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0007000000019467-7.dat	upx
behavioral1/memory/1832-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1832-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1832-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1832-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1832-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1832-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1832-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-41-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1832-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-52.dat	upx
behavioral1/memory/2208-57-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1832-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-61-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1832-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-66-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1832-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1832-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1832-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-73-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe
File opened for modification	C:\Windows\java.exe	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe
File created	C:\Windows\java.exe	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1832	2208	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe	31
PID 2208 wrote to memory of 1832	2208	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe	31
PID 2208 wrote to memory of 1832	2208	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe	31
PID 2208 wrote to memory of 1832	2208	c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe	31

C:\Users\Admin\AppData\Local\Temp\c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe
"C:\Users\Admin\AppData\Local\Temp\c94521fd80678b71dc70c93410f9ea23184e2490b98e34c12e423bebf19a78cdN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n5sBnguk.log

Filesize
320B

MD5
b699b5d33c8ef54e05a87df8eefeccd7

SHA1
3afdc1d67be0d6e3e88638735e112fe4477e1619

SHA256
f88f36f0574245e0e60a904b51c489d293620304ed829e61134d6198c72aaca2

SHA512
6962783acd0925c1f757833f453fa7610630b182016bcbc4f41d04933857d67feb7e6964adee8a3eaa6575f16c9c14c37e8b13301f32ff5387a70424aec0b0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE340.tmp

Filesize
29KB

MD5
26b90714fee09e6c5061a7c1a84fda6b

SHA1
6805ae798b80d98ae4d79aa39045bae4c3c3e850

SHA256
5038f99d8b5765c43d6291416ed9586c508b6995bed1023b505ac02db8e316da

SHA512
5fca8234542ca48a06d614f13aebe026242d3ffb1555fcb9b96156055ef3176f6e66a9deee02bf879802ec78dee44fd3d89fb9188da6b49a7fb9fbf40933653a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
9e6ffbe3127ae5cb8de3aa47ce142163

SHA1
4f0838f57036f5a3533b4bd150e08fb43ab2dfe1

SHA256
ca89b37fdd571f1a562bb0b7c0a669dc9cc956074b9a99642fdf32e9c7a5913e

SHA512
0ac8a1dd3575f8a1f9132d6a0761bd3044b3df415df2b89a6af16c1da3ba8aba1fff2fe08f81ea011cf6aa590978231a11420d8f146fd0fba50a2c73e8c41267

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1832-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1832-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2208-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-61-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2208-57-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2208-66-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2208-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2208-41-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2208-73-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads