mydoom | e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3

General

Target

e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe
Size

29KB
MD5

89e922412b869825e717efb34b64f74b
SHA1

4b9eac4d3a713112ae2c07c2acd3742726e1ff9e
SHA256

e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3
SHA512

9ed894cc9ffe4001c620d40bcd3f851eaf3680ba903a1e09d6b604d609443e7f9a433eb7cf5a62d8c0bfdcbd5a56a3a4a20868977af9c0d4e9cdcfc9349e8f35
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/QhD:AEwVs+0jNDY1qi/qIR

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/3728-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3728-37-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3728-39-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3728-128-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3728-149-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3728-156-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
964	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3728-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023caa-4.dat	upx
behavioral2/memory/964-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/964-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/964-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/964-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/964-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/964-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/964-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/964-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-39-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/964-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000900000001e786-53.dat	upx
behavioral2/memory/3728-128-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/964-129-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-149-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/964-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/964-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-156-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/964-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe
File created	C:\Windows\java.exe	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe
File created	C:\Windows\services.exe	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 964	3728	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe	85
PID 3728 wrote to memory of 964	3728	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe	85
PID 3728 wrote to memory of 964	3728	e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe	85

C:\Users\Admin\AppData\Local\Temp\e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe
"C:\Users\Admin\AppData\Local\Temp\e1c3f0bc84ebd0a0f375ed66266c10cd5e05c48bda2a6324f76ccb03b9df53d3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\default[1].htm

Filesize
313B

MD5
ffb72ab4faba49ad441ce07db37dd8b6

SHA1
194e13c1c32ebb6e7a1dc912261cbd58a82ff71e

SHA256
7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660

SHA512
517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF328.tmp

Filesize
29KB

MD5
00308c04e77689d8d38dba76ab4d6b7b

SHA1
3e7a4281112a09bc71b0e1b162a43a6909f4bec6

SHA256
4ad3e13a483b190bdbbb360ca775a8376f4c36091aee562bdb077f8c763aa580

SHA512
9220729f9b9075091c8612bc34530e6d61c297286e769ba6b9f515225fb947e335b782066a587ac1b25f4ad460edbb52fd1134597033ea8cabd0c28bc7d679fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
b31c687a3319dd6a1bc79a48590af41c

SHA1
ce09d578c62e5e717d71e44441861446c9101369

SHA256
f179ecffe777a0f28fa8a1b960b53355f04d6b1b8e1eb60cd3cd4058e4320eed

SHA512
012d57a22599c06f6170637c28f9fa7896985dca6a189a7570f415356f3bce59e96d1456acf078bd75c290cfc0b65b361aaaeef04c3214a4e25da1f795fa1dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
0cf9ed2b63841cb3c8cdbccfa88a1025

SHA1
490c3ad51c458c024b71961d1c36a3531e6e7b73

SHA256
263e0cd27cd842e09543fcb41fa690726176e40306637bdcac461277a4a2a04c

SHA512
d51fd47c6d57b024c4a60f26557955e8611b80a438543d9c208ceeb4de2b514601ee27b2392646b1f0afc8292dfbebc00f735dfc0b43c43d3766f71bc4a812aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
d4249f4c094410c69db9667ac3594c63

SHA1
05bf005330999d144b94ee3b82c20bc42d85c5d7

SHA256
ba935785fc794812d0e058d3814c3ce65271b003bd6b7d9fea6b127f0a2f9114

SHA512
9ea1dbc04ed2acbf37a11e63887d43be795cd0581c5591fbbf8315ae8fc02f44daa1b70305d630f027633e2e4f6d944035a6cef70631b0e49a358de9c0d18ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
335B

MD5
632ab0601e2b27bee3043cc61a8b8a34

SHA1
87296b79280b16db9c9fb2c7c5757ded413c33cd

SHA256
faf61729dec52dc2440906a6036e2ae7d885bf129b6a58030f8581bd406dea65

SHA512
34ebd59e279836df5c1ddecf41d4f7caf31153097142bec80d7b4a85f893d9d80c9f65e990e9c74b576460987c36a2d0e8ba4197926b61d3b3e70ba2c449b3e0

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/964-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-129-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3728-39-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-149-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-128-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-156-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads