mydoom | ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5

General

Target

ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe
Size

29KB
MD5

2dd6c9cd2c582dff57c7609d737ba7c0
SHA1

7c1f2b04a55158726bd0f482d8ad10ed12027161
SHA256

ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5
SHA512

dcbefb77cbd36cab8f22a7f7eeec94d464be1ed1aa7c9ddcee5c5d433ef01c68967a46179dd268c313b4edadcfa2d9ea7e0b8416692890f4f1edd6cbcc193044
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/k:AEwVs+0jNDY1qi/qs

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/4048-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4048-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4048-115-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4048-150-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4048-159-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4048-180-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4048-211-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3264	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023c61-4.dat	upx
behavioral2/memory/3264-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4048-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3264-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3264-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3264-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3264-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3264-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4048-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3264-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0008000000023c7f-38.dat	upx
behavioral2/memory/4048-115-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3264-116-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4048-150-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3264-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3264-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4048-159-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3264-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4048-180-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3264-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4048-211-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3264-214-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe
File opened for modification	C:\Windows\java.exe	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe
File created	C:\Windows\java.exe	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3264	4048	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe	83
PID 4048 wrote to memory of 3264	4048	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe	83
PID 4048 wrote to memory of 3264	4048	ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe	83

C:\Users\Admin\AppData\Local\Temp\ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe
"C:\Users\Admin\AppData\Local\Temp\ed559fe05a95d6ad0eb31198c7af51a89b75f00d1c1762f8f634e6c6f4886cb5N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\default[1].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB8IB6GH\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7347.tmp

Filesize
29KB

MD5
0ed80729ba251a2f7595adcc76617aea

SHA1
868e757b4a324342aa6bb24c2ac4617ae1d2ad43

SHA256
a4c42248f07687d6ed83037b98418a4d5706ca9e6cc755891544f23ebbb739fa

SHA512
9a893ee2815349487ceb5c8a7ee373214c838e69200e3f440af468e18e8631a0ea93b837d18fb0b8335f9867dbca09df26292c9d5f7497099116bf42271eaf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
3356811f4ca777692144341db254498d

SHA1
fd25b741a7a3d90d41f2316cf1cdb0e61e9abba2

SHA256
115a06aa9a9912bc4cc8ba33639ca9c1ceb3312b6359cb43d966d452745f6260

SHA512
368a736ccd2aadeac23b2fc23ecbe8876200b7ae9fa3b88ba712e25d368f2100662ae4d96ca3a01f5ba4eca546608f44aeb980a4e03f42ea6002fbf459788026

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
88e3f50a6d5499ab7f0d6cdfc0718cc4

SHA1
982b691e3a17befd40bcad84b8ea06baeccbd345

SHA256
5e404c21f655242f48d017cd517554b34c3bf96171c47465678b2f5246a7b0ec

SHA512
2826205dce0dfd6e24560bd00c6e3750fbac95ac2e696a8186cef248b8db75a03cc227043ec8138e85747a3ed121cf9ab04583e93b927a15bb08010d9cb950da

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
e2e5353d5269820051c6cde2f5abda5f

SHA1
6a638a26317f401930ff220834a2c6373c719db6

SHA256
9685528e8a2b71649214b8a1547f0f75cc0e8ac0f568d9a5d6f177ee15878eb1

SHA512
6fbc971723399cf30def9ecc9d4c7663865683b9bddf843b105a745d8ae8301c93fcaf4b81171610d7435a62aee582c37b0d01ae8f4b9fcb9e81cfd4f79d88f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
375B

MD5
350505a567a0f832811d065cb91495ff

SHA1
eb77211ffa5390c05694cb8d44933a61d3b707e7

SHA256
75e0e459074446d07b3cc2603dc7fed18d0004b5aec6747a4097335b40880671

SHA512
976656d6676bc9df2f75f93c215e843162e12838af7a25c8f7afbf78c7434f642ba05d38cda1849beb1d424ef5acbc8b9fdf3d89775139c9196db6db8097cf2c

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3264-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-214-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-116-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3264-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4048-159-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4048-150-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4048-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4048-180-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4048-115-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4048-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4048-211-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4048-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads