mydoom | 39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116

General

Target

39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe
Size

29KB
MD5

dfa9eead6b62ef2db8de41ac02a568d2
SHA1

2a1c1520c26196012322e336d7a2d3ca9a37f3fe
SHA256

39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116
SHA512

145e0fb2f17ec8eeccfaa1450a083f3979baf8a7e89511d9559cb60c0226ad2051e2496788edf06aa72a54653cdd05040192fe705aca6fc98f1a3994800e8ecb
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/phQ:AEwVs+0jNDY1qi/qRm

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral2/memory/4856-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4856-56-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4856-132-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4856-215-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4856-219-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4288	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4856-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000c000000023b86-4.dat	upx
behavioral2/memory/4288-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4856-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4856-56-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000709-67.dat	upx
behavioral2/memory/4856-132-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-144-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4856-215-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-216-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4856-219-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-220-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe
File created	C:\Windows\java.exe	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe
File created	C:\Windows\services.exe	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4288	4856	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe	82
PID 4856 wrote to memory of 4288	4856	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe	82
PID 4856 wrote to memory of 4288	4856	39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe	82

C:\Users\Admin\AppData\Local\Temp\39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe
"C:\Users\Admin\AppData\Local\Temp\39c9ea76c583e91c46cfd2f4d09fb9ceb50966d3e4a903c60be2eb0990727116.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\H153DBL0.htm

Filesize
162KB

MD5
e06f090fdf889bec1d6711ab9a34c532

SHA1
798192836096a7f3ac97b657c006c79e3ded5e55

SHA256
96472db993b9421edb9c98cec3104640f8585d3ce6753c6ea4ddcffc895d1db2

SHA512
22df1be77cdf4bd3d4bebb658cf6e24f9d6c119a74f5238fc54fff307d3e59cfa49d354c5ccda79403c3521fb0b857f21a7c2ed03ebca8eb36adb4af6fbcbaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZA7RG4JF\RKXNZTCY.htm

Filesize
162KB

MD5
7ea19df5659811fcd3143375d12bcd21

SHA1
e294fa5a1256793f1c02df864d52de85a24ff510

SHA256
5105c1fd281596da54e9954c92f0a6e3fdd8def7bc1f332644b8aa5461316589

SHA512
f3ed8181a719b6f9c658a7b1ff997954f5ff3d1b68126f79298396fb0609d3ef50cbb4c1dba476303e48f1b4aace112c120dad4f274a1c1a2da082512f129a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4203.tmp

Filesize
29KB

MD5
0bc0f86cb8ec4e9878950e1f274652ac

SHA1
fea7ebb51bd6694deadbaa945f17c17a4cf00448

SHA256
47a98dc08566e49add20761cd8460ff58a989c60d00b8e9bdc82b5e5c3095dbe

SHA512
985e5d63ca49295c4a7e4a1c739ff404d22cbc6c03f38edad10adf704d73db8bda13f8be034034ba92869d98c8c8d163b046401b35b18625ff903ae76790659d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
935707548daa3102e7557dc09f8d45d7

SHA1
edee6960f5e1b1afae9816137ef607918be80b23

SHA256
c9be0e8f5ce77bdafdcf24d073b1db26c3e8eb0d6faa56cb164c057bc1d75c35

SHA512
b765254b3249eb1982c9050c5d0aab9d9c06c222d0648f52ef9efa95f92c31737f66f6843005c8e271edd1c3bc01918e0a1cb06ce9c60b0532ff01b5d442e7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
e3bd102cb9fb3281a99bc77bd0c15482

SHA1
23eef6b3156081fc8bde746802056cf54ec7700d

SHA256
93a73dabeb41e4f9ca6b191e725f204ae68791d7502cf0cf88b09d5f89bb697c

SHA512
a9b48bfb61578d8fce621dc2a5181fd1ee564798e76be541dbf6b3c5e7d20b8f8e69fc3aa6b327cb6184d3df976de339f8567c967811478ab24e3b687509b890

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4288-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-220-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4856-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4856-215-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4856-132-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4856-219-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4856-56-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads