mydoom | 27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43d

General

Target

27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe
Size

29KB
MD5

efe0f2c98013b64216af30ace7d93410
SHA1

75c6ae5b96889012c414cabd7ad69170b85c9e0a
SHA256

27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43d
SHA512

f9a0d87a1a678996371552e93bdddf9c3e6e212a4aa2c45d26472ffe6750f6eda515182fc500ca5205487390a9ee5c1b933d02914601d8fa260401bf6d5661a5
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Ihp:AEwVs+0jNDY1qi/qgT

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/4588-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-37-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-106-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-141-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-145-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4588-152-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3908	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4588-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000b000000023b93-4.dat	upx
behavioral2/memory/3908-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3908-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3908-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3908-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3908-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3908-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3908-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3908-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000021f4b-48.dat	upx
behavioral2/memory/4588-106-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3908-107-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-141-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3908-142-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-145-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3908-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3908-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-152-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3908-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe
File opened for modification	C:\Windows\java.exe	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe
File created	C:\Windows\java.exe	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 3908	4588	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe	86
PID 4588 wrote to memory of 3908	4588	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe	86
PID 4588 wrote to memory of 3908	4588	27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe	86

C:\Users\Admin\AppData\Local\Temp\27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe
"C:\Users\Admin\AppData\Local\Temp\27a30e26ffc0ecdf1e9d9cd866f270aa9b2bdf805968e1e29bdafb5cd346c43dN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8B3ZU6S9\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O4PTG2YB\default[2].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9D7.tmp

Filesize
29KB

MD5
5d424ee1b363691d2463f92b30cc8351

SHA1
a1a629469e14b1548c2270f9b0875ca4e4a96505

SHA256
8f406dc3a5128b072e074cbde3aa99fbab0bbf9a7dc4589ab602bcfc909e468d

SHA512
9f438beb25fe3b16e6874a6f41dc29f8351503cc53f7a268c55045f8a841aed051b5b01ea8b2576cd65dfbbe98865d2c8286b2c5d785119cdc750a41ef627025

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
a570c7ed09e6fe093a46014ab304649b

SHA1
2f9cb237f44ec7e8bd70af8187f7f4d5fe67c1ea

SHA256
e54bca7e34bd57d9ea0b339a5707c9cade6b5c9f7a146931bbbeba9da2340b71

SHA512
c38d823b50ff5ca75da36e122aef8c285ed77b6ea6356641ee9bd2f90ae018707b57381cbed3f90ca92bf23f8274bc0d63421fdf100fa0ddbe268369f3d8b67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
37fb8ad8b57f450c16e846502b09c853

SHA1
1cf6726c9ca7d90686d1b83507bf1c5eed6c727e

SHA256
1819145c6745455ac8f595ddca6e3113adc4d7749b3f1e7fe13471d13d7e3f8e

SHA512
177fbd0618e759150d0d8a6932ae32eec5420f3d3012e7b0a135dd7ee8b349c53ce2a14aff97e042ad2e6a1c6ab93d0f8dbd1fcf7d273dcfe7300465235b5026

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
3c17cda05ac999799afd50bd6c86849c

SHA1
aa8807cc5f3a152f674bb9768e131bafefd3c6b1

SHA256
29eeee0cfdba617bac70d501914ad575cacb22fa21070f9611a3a9b32fb65890

SHA512
af1be2c599b2124ddd29600223bc47ad8c5ba2353913e5154709a162aced599e996602c7f2bcb4d66fc0d686c7b8f9868be1fd82237f7fbd1fe7dcddbcfdff47

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3908-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-107-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-145-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-141-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-106-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-152-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads