mydoom | 354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9

General

Target

354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
Size

29KB
MD5

98f307d849e939da0ee7a9b1dd787db7
SHA1

859f9e85275bfca8b8585bb5ff6d45234c377a7b
SHA256

354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9
SHA512

51c2942be009eef9ea50c9d5cfc832065d5b7a307e3b2647506014d1a55cc94d16e7851b5fe2ad180706d5a1f4142d7733d561f632ceabeb1321bbe8ee5f8771
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Y:AEwVs+0jNDY1qi/qA

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 10 IoCs

resource	yara_rule
behavioral2/memory/3292-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-27-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-163-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-165-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-175-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-188-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-192-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-208-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3292-215-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3112	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3292-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023cca-7.dat	upx
behavioral2/memory/3112-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3112-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3112-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3112-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3112-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-27-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3292-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0012000000023ce8-43.dat	upx
behavioral2/memory/3292-163-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-165-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-166-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3112-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-175-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-188-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-189-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-192-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-193-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-208-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-209-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3112-211-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3292-215-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3112-216-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
File opened for modification	C:\Windows\java.exe	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
File created	C:\Windows\java.exe	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 3112	3292	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe	82
PID 3292 wrote to memory of 3112	3292	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe	82
PID 3292 wrote to memory of 3112	3292	354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe	82

C:\Users\Admin\AppData\Local\Temp\354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe
"C:\Users\Admin\AppData\Local\Temp\354c88db5b6ef2efb09b6cdca067d35f9d810ac13177df0d9daa3d712eeae7c9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\E37ZDN6H.htm

Filesize
162KB

MD5
c4c6e7400093498dabb2c230ea0b0ec8

SHA1
b151d225b2d26cfcbfe7ed4124adbf8e1432dbd4

SHA256
a9170432f53991ee1b98298b5401f98d8b1bcf12fa78643d2af517048d5cb8ad

SHA512
327b4f3b6fc33edc246dfe12f80b20a9b193407457fe30925a7992c32280072019efb5599851db973540e62ccb5d709d31b88c05a411bd444fbcf764ff06aa13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\search[2].htm

Filesize
119KB

MD5
3bfd939c55b9b941fe0beb7d0b789307

SHA1
73e9537ba40171971e58a2e775f14ad59956f22b

SHA256
c732af83a348ca695a76fc2b9e2c1281a2c882495c6126e54e15ad9bc4fcbb1c

SHA512
2d72ad357efb111c729c59a99fa0bcf9cb41a8bdb3166403f2884fb43235f9b3cc90ceac6297b88142456adcbcff7fda5f7fb855cea826f87cc6adc23ae1d632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\H7VBQSST.htm

Filesize
162KB

MD5
569c084498e2180742f7347dbd23adb8

SHA1
19fcaf8bb815969bf1e53b1fb21977686a9864df

SHA256
bfa253a70c98a3d78a6ed581c781cc1af17ec76fc296735c6346cbbaeedbd3ed

SHA512
da439fca91e3422f495713884a42276570f0b8a640c8d2bf88fb52849e5d8aaaf89d93d1380c57f424dc0e1ec70d9b2f39e0b836900cf4a1bea67d5da29f133e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DD6.tmp

Filesize
29KB

MD5
e84215988c2b6eb08aa3aebbf4a31bf5

SHA1
ed2f5b8da2b4c8670d784865a889314785e9fb23

SHA256
f9e2cffcc117004ab727d7e1fecea73989ef96fcf59b65d96a6e6fcc6325714f

SHA512
476600a4d2a6e6e1aea8470f094c498be0aa9f3927193ea81f194103c60d315204d9c98011abc403d3d6f0ee6f6c0e5c4135473bfea6464984d764ce748f9f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
22890a6a383d3f72efe2e4666aede440

SHA1
38c46c8113a0e2655a9e8ebc09ddb982c2198000

SHA256
771be58530b2cc278e4d9d106b6b425f5f71f2009021691c9bd441cda895558b

SHA512
aad6eed80c4f557a7029c9c63d08f33fab2c786c8ded6521c357fcd63c82e26d7aa9cb172e8e96cb944b22c307c4f0df4290e1d96b9e7c4ed0f2e3ca3c973315

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
ad73bc4af37f524bf03554627f4903c6

SHA1
bf5a1cb2e19d08426cbf561de4e3fa5a663b29fd

SHA256
a09aeb8508947df6955161b21c122876334ca893bceca255394ea19ee39c7917

SHA512
af77388b28e5785fbcba21889625ecc804585c57fac83d916c5e782dc39237d26f47c64edc5e2244c3b80cbd1501a7785552cfc1db84854ff8590fbc74f87340

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
8a4dacee7078e8ba0f281faf1d742996

SHA1
6b080d2665d4d68f60ee48ff666f941aaeaf4d2f

SHA256
f7cb2fbd8aaa4af2f06bc2dfcbffc62857a9c1a9a119fe0406f09ece8716b14d

SHA512
1ec68da2825853604d52312cf919ffaaf01eff70ba7fd0cc81718539f4a37e00e44be24ce55c8ec2f77f66c31d5c589b5fe649dcf7205bf03dc4a0c4b6ec6298

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3112-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-193-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3112-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3292-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-188-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-192-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-175-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-27-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-208-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-165-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-163-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-215-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3292-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads