mydoom | 9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14

General

Target

9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe
Size

29KB
MD5

176439a85acc39503b8f6eabf69af799
SHA1

4a7f7e1f853750fdb2da2c6855d98fee2205981a
SHA256

9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14
SHA512

3f282319669a17b6c6710453e505875f7d80066fc8e66cac4f46e00b5372aa8156eae8ce5fd4067424c0754e91cd9586daf947538027ca72fe569da26196e67d
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/3h3:AEwVs+0jNDY1qi/qPV

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/772-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/772-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/772-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/772-184-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/772-189-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/772-196-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3904	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/772-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000d000000023b8e-4.dat	upx
behavioral2/memory/3904-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/772-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3904-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/772-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3904-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/772-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0006000000000034-61.dat	upx
behavioral2/memory/3904-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/772-184-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3904-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/772-189-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3904-190-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3904-192-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/772-196-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3904-197-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe
File opened for modification	C:\Windows\java.exe	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe
File created	C:\Windows\java.exe	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 3904	772	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe	82
PID 772 wrote to memory of 3904	772	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe	82
PID 772 wrote to memory of 3904	772	9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe	82

C:\Users\Admin\AppData\Local\Temp\9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe
"C:\Users\Admin\AppData\Local\Temp\9daf7c9b12d2c5f255d149de09ebf834064464b257cb3b908e98b3824f665d14.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\R8CN4QY6.htm

Filesize
162KB

MD5
0beb8d830d2cf263f7a7d2698553aba1

SHA1
43ca137c728c03bf47a884a4ea1a302a5fa5cc7f

SHA256
5ea5485621172560aa94c1b7648f1a8a8c2909755fa835f60ad086b667a9cdfb

SHA512
6d44de558a25d18a27fe9b92b02375375a3633644bde8316da7762e97bc94dc95dd560d7d8e8a118208cf642959cff54a461b27f3ff92426d1e5cf95f2480ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBA3.tmp

Filesize
29KB

MD5
23afad032b4a3a9208f613ea39ef2176

SHA1
fc7f91a33ec231d7fbfeb05a09b384d6f1c6efa9

SHA256
0c0981242f15225833a3794acd3f0f1d1b88ac5ec80af8bb59581ca4851637d2

SHA512
82b6d2e164688133f4f2dd4fc0f2dbe4d3ccb5e9f1828f179874a787e6aaac090fab43590aeeb7ea066597c242620b77330ab67375a96240b314cfc9430613d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
0d5e19839d5ed409a2a9003d863dc62a

SHA1
070a2a79f7c521d3a1564fc5f1377e5f355a8df5

SHA256
8bf50723d3705175a9aa6a620faaecad29702f70327151f4f217d914d2b482b7

SHA512
1b12e249b6ac5222ea8ed1056d2a43e50a9d6ff80401a372e0a891f0ca7f9ca7cc0e5de8d7a28da821cbcde59713aff294ba0898b5b86646c750360a5b9bb253

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
da80aed32925f0eafb7022f51004adef

SHA1
326c64149816a604980d02ec8b1df2eb94499f4b

SHA256
71b9e09fa55bd96eb689947f5d3840683cb0e16362ebbb9eb40eaa0380778ca4

SHA512
27623a894a1a435f907da5a8a1c4b6fa4234c23b47ecd842dcb6270062221ebd0a4f342816847a1cdcd11163db756ccf002e361c954281b914668800ca00ccfd

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/772-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/772-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/772-196-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/772-189-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/772-184-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/772-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/772-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3904-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-190-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads