mydoom | 354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9

General

Target

354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
Size

29KB
MD5

98f307d849e939da0ee7a9b1dd787db7
SHA1

859f9e85275bfca8b8585bb5ff6d45234c377a7b
SHA256

354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9
SHA512

51c2942be009eef9ea50c9d5cfc832065d5b7a307e3b2647506014d1a55cc94d16e7851b5fe2ad180706d5a1f4142d7733d561f632ceabeb1321bbe8ee5f8771
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Y:AEwVs+0jNDY1qi/qA

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral1/memory/2332-3-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2332-18-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2332-43-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2332-67-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2332-71-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2332-73-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2332-83-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1952	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016cf0-6.dat	upx
behavioral1/memory/1952-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2332-3-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2332-18-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2332-43-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0015000000005587-54.dat	upx
behavioral1/memory/2332-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2332-71-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2332-73-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2332-83-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1952-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1952-91-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
File opened for modification	C:\Windows\java.exe	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
File created	C:\Windows\java.exe	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1952	2332	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe	31
PID 2332 wrote to memory of 1952	2332	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe	31
PID 2332 wrote to memory of 1952	2332	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe	31
PID 2332 wrote to memory of 1952	2332	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe	31

C:\Users\Admin\AppData\Local\Temp\354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
"C:\Users\Admin\AppData\Local\Temp\354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd8b6af1dde8dc39305b34fea69a8c4b

SHA1
7ded8a17a14895eebda5c02feb0dae95622d8bb6

SHA256
a4370ad4f5af1713fcba993ce8bf2c8aea7d77cc9f512ffd3d142a169a72bb90

SHA512
25a4b89d5eb44328f3ed1abeacdafa3d2b0a8b5ebae853179bcb7b4c4e351f5845bed979bf94f42b8f3ef7db1e83373d71006af63f64fcfea40a72edf004b64c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23cf90fdccfdc8cb01f4172367254383

SHA1
6f26d96f24ab43fd380c9ba0c48720650d111d84

SHA256
f991d843fc12efc8cd8cb54d5e32f8f780a611d2f1cea4e624b9d17aa0e42eb3

SHA512
cbf112e37bf7dfab05c66e7d72fa4d89ccea62a806a1326e0aef759b804189a4db281ce4e1180aabf371d41f08c64c113d102eae9b3b2b7e916a5581c403e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4979.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A76.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp343A.tmp

Filesize
29KB

MD5
5ca3a401548b520ce8f3a9d52c4ba8e6

SHA1
57704007ea95713ea507cf87ce21d2cf96a97c20

SHA256
06b7be9e8f5da5445766074b38328d94b80e598d75e949f28f5c1a99bd2cdf09

SHA512
c14cdba885ef22e971a48738b700e022365ca9ea1c5547b734658bed8271df7f9b539cf1a85c2af9a1e6b31f2d15e45c68309c51d3942b3bc298ddcfebdd1e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
3a940c2fb974c3668cad57b931563cf9

SHA1
e2e19903ba5c131d77caa8eaff6c6c8195ef4157

SHA256
43799d4d701f9c3f45800db7d7a54b3efd455ff63ce46c352fe9372f3852d5b1

SHA512
e35e390afd54c49a6486e2742e652a155ee73479773c6431e0a002d08f82fd13b1a29142db422bddec7faa4dfdf08539d91d61520c020798e37569148c019df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
61495438239e50b3a1acb1d595d8ff59

SHA1
c7d8c2cf6e05f04098f9d2a8fec39dac559424ce

SHA256
ae95df455fd6a5b56569436021f2f763bd9785749a3e80d778137b791103b291

SHA512
c33fbd6e1b9777cfb3589b8e9ab67f5653b9eb69310d60c1313b7da283b576f04c1d2c9f9c3ed83bcf105d2e2d3c1ea7dd125c438da6bd40899dc7e78d164ef4

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1952-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1952-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-73-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-71-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-83-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-18-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-19-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2332-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2332-3-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-7-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2332-8-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2332-43-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads