mydoom | b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317

General

Target

b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe
Size

29KB
MD5

a3f2d945aaf22d67b3996febcdffbb23
SHA1

062ebdc9c3a6c2a95d5176c997d3bab10e8e761a
SHA256

b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317
SHA512

22ad4dd120e8436552c07a68bfa65a5efd7716fb370d0140d4936d890bd747771131a0b8725b6a7acbbeff1ee2c8363c9baffb609a351cca33e896a3e8f807a1
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/ohD:AEwVs+0jNDY1qi/qgR

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 9 IoCs

resource	yara_rule
behavioral2/memory/3788-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-37-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-178-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-182-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-189-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-214-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-218-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-229-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3788-233-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3396	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3788-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000c000000023b83-4.dat	upx
behavioral2/memory/3396-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3396-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3396-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3396-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3396-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3396-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000021f51-49.dat	upx
behavioral2/memory/3788-178-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-182-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3396-188-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-189-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-190-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-214-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-215-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-218-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-219-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-229-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-230-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3788-233-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3396-234-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe
File opened for modification	C:\Windows\java.exe	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe
File created	C:\Windows\java.exe	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3396	3788	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe	82
PID 3788 wrote to memory of 3396	3788	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe	82
PID 3788 wrote to memory of 3396	3788	b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe	82

C:\Users\Admin\AppData\Local\Temp\b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe
"C:\Users\Admin\AppData\Local\Temp\b19cbf1df784f42b66c841c304b7cdc6ab6eb1bfee10122de2ccf834c783a317.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\search[4].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\N37784KI.htm

Filesize
162KB

MD5
08aefffe0819c4bf2a5c379ae51a96a1

SHA1
df853f4e5bb0dfc2c2f0122deab4b10a4e6b7e4d

SHA256
2d2aa99956e7f07d32e4b653d551dc3bface7a508122ee4467547ef43538f069

SHA512
651794ba8b94042ac619cb2a905337e49a73c24d7562f667f494a1d07e6842aea25800037224d3324bd2f0903a76e7cd8f60bb265be04fac1acf77f6ac0c324d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp88A5.tmp

Filesize
29KB

MD5
ce798b6b47ae7143a226c176ced3184d

SHA1
5c5cdefea3ef86b28a1dceb62e435208d552787d

SHA256
9906240d569f593fb2a96315b5f3313b6adbfab23c15e886fb8869633d06b2f9

SHA512
ebb0ded0a8eecd36b63fcac6ac28d77c40e4d398e174830a04fbdb841437271853e3f32f7af75c6d5f93fd2c588469f6d5ffc18592e7a00ab0b0354bd088feec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
121f915ba830467d5c8ca2e99fa0108a

SHA1
6c6676d6caa8d8cc5e3a860d95d6c2f996124e1b

SHA256
0ae3d96361bc3bccc954addcb08f5bbad7df0b9cda421c6b4a496f0c553ea15f

SHA512
2964de1d9060ebc14c746d16e51d4f1c6f6ef2d03b1696466c3c6a5103815016ac45a013c5fd154ed2e0a67ca2a2d5d40c06332a37c3fb80d9527fd09c87ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
8d79b5d2f68997eb1b6c4eb8d7903681

SHA1
09dd8adb5a5c68d3b97ed7c51beccd573fbd7797

SHA256
abe60fd789d8add77c931cbe4c04c02f1fc9cd691a61c305f2e180d2acf9bcaf

SHA512
ef12cff0ff8c46488e217d36b8e185b9d25133bafe5c5924aaeb9c6706fb3c16a5230c4c2a9e20225a91ed8b76af135914c29926d6c34397f6739f8f467c07b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
041d564bb9a0fb68c15dd7c60bdee242

SHA1
7e4c9ce654af5c6d190158fccc881e74f203bcca

SHA256
8c32de93a45c4cdfc331865e1bc886d8e31bb0582a274dd9ec3bb31a5dd09eb3

SHA512
411372b618acf4fbef844adb943f5de7caa1e9d6cd1206b04ad07a2bf8cec0dfa310c8f7d23e424af79a51c9fd18484acebee016eead0760be189700a8ba62f5

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3396-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-234-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-219-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3396-190-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3788-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-214-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-218-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-189-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-229-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-182-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-233-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3788-178-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads