mydoom | dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9

General

Target

dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe
Size

29KB
MD5

113106100d910562b3d1d60877ab3070
SHA1

13d1c49da09e52bc955a1ab2e4eb09e2c18adfe8
SHA256

dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9
SHA512

9c262be5286a907f0e3ddbca500bd7603b203b8d75ecc4ae0f1188aeaf69b418fbdb4bf15722a186c1355178149809add7bd0a5a84b5a59fdffeaf4286ee738c
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/0:AEwVs+0jNDY1qi/qc

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/4648-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4648-27-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4648-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4648-120-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4648-140-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4648-149-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4648-180-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4648-205-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4884	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4648-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000b000000023b57-4.dat	upx
behavioral2/memory/4648-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4884-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4884-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4884-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-27-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000300000001e760-43.dat	upx
behavioral2/memory/4648-120-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-121-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-140-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-141-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4884-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-149-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-180-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4648-205-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4884-211-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe
File opened for modification	C:\Windows\java.exe	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe
File created	C:\Windows\java.exe	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4884	4648	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe	82
PID 4648 wrote to memory of 4884	4648	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe	82
PID 4648 wrote to memory of 4884	4648	dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe	82

C:\Users\Admin\AppData\Local\Temp\dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe
"C:\Users\Admin\AppData\Local\Temp\dde0e61c331b04ab2441b09f25dabab30802bcd02992d094477e04323f1930c9N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\default[3].htm

Filesize
304B

MD5
cde2c6ec81201bdd39579745c69d502f

SHA1
e025748a7d4361b2803140ed0f0abda1797f5388

SHA256
a81000fc443c3c99e0e653cca135e16747e63bccebd5052ed64d7ae6f63f227f

SHA512
de5ca6169b2bb42a452ebd2f92c23bad3a98c01845a875336d6affe7f0192c2782b1f66f149019c0b880410c836fc45b2e9157dcccc7ad0d9e5953521a2151d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTJXD3SW\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CB6.tmp

Filesize
29KB

MD5
4f99d741ad2c238798035f24ae186f64

SHA1
7677eec2e14e64247f794b7f1f8ee7a8c645a516

SHA256
9e1117c2cb509c5c34c00c5d73391a43d932ed4f9e725527605f13d12565276a

SHA512
a6cc732e086a67a762bde713df47f5e3b543e871d4d8050ed1926fe8663a1b0edd3b49b2ea9467441de3cbd7d0b53427149d89cc2c18a54e4a94a2540cc32a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
a7a556530981fa02f68d84cad4111f09

SHA1
bd22b735cb157627c51ef39fb0ee64de6be2c750

SHA256
58a420b8c23895b78882da3f20c3bf67bc6041b6bfd948f74bb05c581abe4c6b

SHA512
cb0adf32a64ada5729fc0bf8874b7be3d19817babaa07b4499d2e8425e7f4ef84d1f2a92cb0e977fd6a3aeb5b4d50af6eac61f879f6dea9c72cfb911825f9210

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
657109b41fc874d5d01c7998c15a7703

SHA1
3ee7b451ead3853f8cf0fdb63327d65674eda5f4

SHA256
19514ae1017fe16abd5ace8ee61790231e4c2dfe4c74c9f026301d9125ebf52f

SHA512
eba78aa6ecb3cdfdb51535fe261d197395bd3a8eac3c0d56617e6a01b9cbf0f2c89b6aa7017fd413ab06c85d94b4bc2917b82101b80fc411815abbdd1379f250

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
9d002691353aafafc117ec8ae6490836

SHA1
e4c5317aca991f2b5998d910af3f785128b068d9

SHA256
4f4244548eb3b0f491c611180a176fb1d40b55a99c47dbcaccdb40340d02bab6

SHA512
efa9634fdc40d7a0eae6afa10944b8cef83ebc8531b6c16dc5609ce4e91f98790470a5d23b68fbc985cb08e0ee31db2e21df2a1d132bc891d077a460785bfaed

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4648-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-27-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-149-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-140-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-180-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-205-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4648-120-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4884-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-121-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4884-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads