mydoom | df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d

General

Target

df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe
Size

29KB
MD5

3e328757071ce4e198e979206576442b
SHA1

1567975ad0770edf64ba3fc1477c11610f4543ab
SHA256

df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d
SHA512

17067e37e5a5e4f186b8424210bd59a4161e1f4e7ee9d409bce4ae28395bc23fd6b25610dab8e9227ac773910bffc3872e1dfab74ffb9ee1e1bbb6cd3c8a032f
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/z:AEwVs+0jNDY1qi/qL

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral2/memory/4452-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4452-56-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4452-123-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4452-167-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4452-171-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4236	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4452-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000b000000023b71-4.dat	upx
behavioral2/memory/4236-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4452-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4236-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4236-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4452-56-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4236-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000000707-62.dat	upx
behavioral2/memory/4452-123-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4236-130-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4452-167-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4236-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4452-171-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4236-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe
File opened for modification	C:\Windows\java.exe	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe
File created	C:\Windows\java.exe	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4236	4452	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe	83
PID 4452 wrote to memory of 4236	4452	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe	83
PID 4452 wrote to memory of 4236	4452	df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe	83

C:\Users\Admin\AppData\Local\Temp\df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe
"C:\Users\Admin\AppData\Local\Temp\df611ed40dfcbd1f8b1036c3e9ceda5770a3c9e72fbee56ae511b2c7f547ac0d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73AF.tmp

Filesize
29KB

MD5
3aa38a58ba2826efed7294022ae3494b

SHA1
e12454e405d7c60a15aa2f628e75a34578ea82a0

SHA256
3e80a4936519d16f0995d65e7231327d95c2b0e94c9608feed47d9216b8582a7

SHA512
4cb99aa19be70f9ea13f7782a44bb08e91eafe84c84ec2ad2b1bedb8302d598cd9b9d19d4c621fdcb6b7a0caad886b3ba35d518b09a8eaf385baf39a7b3915b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
69923755ce64a2b9a1fbe39639fc4a5e

SHA1
8c713ff8a17af1f43f46068ff848be57490cabc7

SHA256
9762855c8a837c54f8e4f1a2b42c5a2ae74be78c252de8d4aaf0b15fb9853545

SHA512
94004f1f9a3b13b2484b2992616e82218b534315355fdcb1855a059463bd6c3624135c322a98945fa54064328f7490f0103bf6c4f9efa48c20b3a9ba29dd0d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
4213d644ffb75a7cc16276424e36ad94

SHA1
737435adde0fd3caba8dbba6ac391c524ea0aadb

SHA256
88299ee69f12dbfbfa9b86dbc096ab7dea5e9b7464a4f760af11133c879e6445

SHA512
49115294ebfeb466d28e7f764116a5a7edfb7e05b7f3d4f9e5be5937ab87810241cbcda1fee487b9f9f300492099ae7724dd807c1489f84feac92b856dba062a

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4236-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4236-130-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4452-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4452-123-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4452-167-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4452-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4452-171-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4452-56-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads