mydoom | 2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150

General

Target

2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe
Size

29KB
MD5

172a1538fda5a9ac14d2f1eff7ab9601
SHA1

fac9207d09f7d00527e52ba6a5449517c46bb590
SHA256

2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150
SHA512

f64baf95b7448c00359a37fb1fa00324b9fdd1aa3a60d894c34ab094b535b59ac3838ab6d5d51c42f662dca74312b373ee35ce6568b5335950dd6f8629d52ace
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/1hD:AEwVs+0jNDY1qi/qNR

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral2/memory/1832-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1832-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1832-107-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1832-153-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1832-169-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4000	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1832-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000b000000023b7e-4.dat	upx
behavioral2/memory/4000-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1832-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4000-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1832-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4000-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000709-65.dat	upx
behavioral2/memory/1832-107-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4000-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1832-153-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4000-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1832-169-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4000-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe
File opened for modification	C:\Windows\java.exe	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe
File created	C:\Windows\java.exe	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4000	1832	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe	82
PID 1832 wrote to memory of 4000	1832	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe	82
PID 1832 wrote to memory of 4000	1832	2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe	82

C:\Users\Admin\AppData\Local\Temp\2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe
"C:\Users\Admin\AppData\Local\Temp\2860cdd858735028c22cc60a52bd89ce09c14c51a841c77e68d108abc8320150.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4629.tmp

Filesize
29KB

MD5
03043ffd1d56b4702c2889a1919cc84e

SHA1
e56d5671429ab8f0e6220a891f39de2db829c14d

SHA256
a01b0e34b8c21bd91263466cd427846b6bae37e4bf926ef1d997264c30395f4a

SHA512
27e2062178b465cc678015b89a11922dcbccaa1d84af68e2c903de4a8310d64f31dd38121ef5840e7c1aaec476499032041e09382a71b9fb47bde73ad6a6ab87

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
1802dae5a5f01d9d1d94693c822a7fc6

SHA1
9bcdc587f83dd4856a926f521f73b215f4b5ff4f

SHA256
2b026a4bf9c0c836d0e02426eeaa094875f1027dee8afc9476d8fcfc026fb7bc

SHA512
15cdeeb770db1990fe838f21b4a36438029bb4885e76c3f1b854220bccefaff5b30e1d06b9569bb0c22a1e5eb68915bb70c0d0e9daad2613c29938f52bf09a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
d2e67af0d9d50462409a17612864da8b

SHA1
cd9d80f90210e6a9e334e6a20400cf579a462173

SHA256
fdfc805a83202cc2e496fce7d1b4aae92c212379ac53b78db1685aa04d944029

SHA512
11a6abe599f10577af5d8439bd5e9a62fe7019dabc83e1236c9f05202b3d79531c9259f112f2050bb07cdbd4253b74b581a4a88907fd00588a033b9e36b42712

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1832-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1832-169-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1832-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1832-153-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1832-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1832-107-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads