mydoom | 7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc

General

Target

7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe
Size

29KB
MD5

921834dfef5e09a6dc9de48231310c24
SHA1

169de65f8a8b23a63a805992c7a38c7fad11eee9
SHA256

7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc
SHA512

12fc38fd3afedadac9df94ed287f92bee7b1634df8bb4782ea5e24bfda4c82ea8d9bcc6ed0fce2179224653650bb98b5ea4a9523585b8b7cddb8dcb1957e1366
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Thw:AEwVs+0jNDY1qi/q7W

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 4 IoCs

resource	yara_rule
behavioral1/memory/1860-16-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1860-48-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1860-72-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/1860-76-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2276	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1860-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1860-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0008000000014b28-9.dat	upx
behavioral1/memory/2276-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1860-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2276-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1860-48-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2276-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2276-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-64.dat	upx
behavioral1/memory/1860-72-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2276-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1860-76-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2276-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe
File opened for modification	C:\Windows\java.exe	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe
File created	C:\Windows\java.exe	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2276	1860	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe	28
PID 1860 wrote to memory of 2276	1860	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe	28
PID 1860 wrote to memory of 2276	1860	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe	28
PID 1860 wrote to memory of 2276	1860	7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe	28

C:\Users\Admin\AppData\Local\Temp\7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe
"C:\Users\Admin\AppData\Local\Temp\7ad3ae9791f9eb2a64865699518644ff46225afa298ed0fea5a0e631b275a3fc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCF43.tmp

Filesize
29KB

MD5
4d4ad245a923289e327f37977df51cf2

SHA1
978fc9f6e9eb59121e4b2fa54f1049f0d7880cdb

SHA256
750b0e9fc0224e9b6860cdc52a0b8f9204f6871f3ace2ab501b3133f58965760

SHA512
218859531e0c4ba4cb847e7d9882057c277fda27a600e6fcd797c5072441b12cb4e2e72e48c66bc683e0365b080a615f5a43cda517f096b48110d01c08723771

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
b45f5161e204f4ec591ea5e4c9be5f55

SHA1
0e4de101104f1f27cbbf5d75b3b2d473eca51dba

SHA256
67f6c261f2c17250b8972c1f3f0efdb1892761c99f33ed0c691a6c858c17c434

SHA512
7dc1da22efa8b517b756b37aea00a8c7429e37de6b57545c958fa1b8b5ad55000649fad962d703282db496113a708cfd68505a80f0b56766aa4f5d4adad0c62e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1860-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1860-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1860-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1860-76-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1860-72-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1860-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1860-48-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2276-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads