mydoom | ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe
Size

29KB
MD5

3c6caa90fa3f58e6df122093f4c6efa3
SHA1

a7255e25c5f8b38bcf138232144a647afff1e255
SHA256

ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e
SHA512

ea02c65560976ea3b41acd9b1e3b8c7191f99ca52a18961b9a1e279139620b1f244667542a2647d45a6c7f4eacf5cf76e9792ca17989b97809f1202ffcf77bf3
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/hhg:AEwVs+0jNDY1qi/qpi

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral1/memory/1680-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1680-33-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1680-47-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1680-59-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1680-61-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1680-66-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1680-71-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1680-73-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2496	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0008000000016d49-6.dat	upx
behavioral1/memory/2496-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1680-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1680-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2496-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2496-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2496-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2496-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1680-33-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2496-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1680-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2496-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-49.dat	upx
behavioral1/memory/1680-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2496-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1680-61-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2496-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1680-66-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2496-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1680-71-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2496-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2496-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1680-73-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2496-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe
File opened for modification	C:\Windows\java.exe	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe
File created	C:\Windows\java.exe	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2496	1680	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe	30
PID 1680 wrote to memory of 2496	1680	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe	30
PID 1680 wrote to memory of 2496	1680	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe	30
PID 1680 wrote to memory of 2496	1680	ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe	30

C:\Users\Admin\AppData\Local\Temp\ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe
"C:\Users\Admin\AppData\Local\Temp\ab0a7987950879076732463e85bbf4c440930ad046578695cc0934bf564ea40e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ae6339fed36a7993039ade48a445b02

SHA1
a218b3c7b07fe4f6e80f4959b0d4d4eded1cf025

SHA256
78febbe6037bdbf7a1e1abbe44400c2f10d94a91efcbf87cfdcebe686b0e42e0

SHA512
c501de3ad33a6e48f988e29eccff337f20e3597ca9c3f5676638c18232457b08ff3f48227a900c5ad60afd0c880155f3170e9e61034763432b2752b60d25a00f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a81ebb5007542b53d0ac267f365b4c79

SHA1
7da4a6781717657d701b8985860c806f6e40b97b

SHA256
e83e188105c766602ab2be779c08fa21eaaad729d7934294fcbfb0f29c430457

SHA512
9bf7f882f0ed3ad70803d2bb3d467491398d3720937701f0692c56021427d00aac66cf3e587a65ef4d0f713c93b10bbefd384b2f57da75e665d853b2c096230b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17fa17123f21e27dfbea5564729e1def

SHA1
e37cb1131c7356d4788e74f556af947d3ac57597

SHA256
47b0923343b70e07cdb274c977695bb17119a72ca66789b9cf0b6a3b13e427fd

SHA512
2f01afd803c464d47ef5368a1ade2cab5c6545e60e93bb81e78a6e6058b3abbf4451142bed7aca19811f0f1d7d2bbd9d439d58ebfe55f179fe225113178b5146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab78E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar79A0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp712C.tmp

Filesize
29KB

MD5
c63160113f9cba052c29b63d87524a84

SHA1
28f2a0537789709ba8199be6cb844aaf84b97021

SHA256
8f255f7058d75ac329dc6dab27d128babb10b4354477e610b47e5363f4ed43a3

SHA512
f979614cf8b5957d6d119085e4d98b1923e0494dded07617cc713f1924a3a1bb856fad91cc2bfaf0f69a8448d48fc25eb85b201e0b93a719d0c056d31c61f5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
0dd0028e70987bce48d4026b48f8af94

SHA1
aac46b6c75585bbd7c8f7231c732288c52c76bd2

SHA256
4438bbb8e12c8828549dda602cf5fda73556ca56e7a1b14598866aa5aefbfabb

SHA512
8e70612f64658e3125d68ae4fa56d2195a4e3010e0d31bcfbfdcce94f0fb9f361054040289b1ecf5beec332378e923d59f8d94789c10ec995e8a799bc89763e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
58db9b929423621fbd29ea25da9039f6

SHA1
e02e702acb28cb0a9c64b5cd964347c3524a0bb7

SHA256
6565de617b89787cfbb12ca90c953ef24140ea689aa7ee1d5d088302f4ff577c

SHA512
7771064e2e05e19d3f8a33fbd7e29533ac7f5e64126418965bd25ba70fe5948219457943d8fd9d20d571c041bb1a019143fe131508f2ec2478bf372372fa28ec

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1680-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1680-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1680-33-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1680-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1680-71-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-61-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-73-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1680-66-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2496-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2496-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads