mydoom | 2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391

General

Target

2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe
Size

29KB
MD5

fd1551b9b2e5efac053b6d0bc941735d
SHA1

e188abcff2e81067ce36fe1f0791775f3bd7a736
SHA256

2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391
SHA512

653efeb013d4a2a6a69a7e8f9a773e1ee68b4852b13bdc6928dd7836c785c0bcd2db4d80597a9d751ec891a348aa4639dae1cc327edf779a57da6afd2514c6cb
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/RhQ:AEwVs+0jNDY1qi/qZm

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral1/memory/2436-3-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2436-18-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2436-55-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2436-57-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2436-78-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2284	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016f02-10.dat	upx
behavioral1/memory/2284-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2436-3-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2436-18-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2284-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2436-55-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2436-57-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-68.dat	upx
behavioral1/memory/2436-78-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2284-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe
File opened for modification	C:\Windows\java.exe	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe
File created	C:\Windows\java.exe	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2284	2436	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe	31
PID 2436 wrote to memory of 2284	2436	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe	31
PID 2436 wrote to memory of 2284	2436	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe	31
PID 2436 wrote to memory of 2284	2436	2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe	31

C:\Users\Admin\AppData\Local\Temp\2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe
"C:\Users\Admin\AppData\Local\Temp\2fc79a6e8dc4dc836610ffed85e3c091bb9bf97de3e6ea167ab2dbf23a8d0391.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D84.tmp

Filesize
29KB

MD5
f1c04b43f30258b9ac1ef019e4123d9b

SHA1
9215ddb886caa426e04b90b5dfcf3f548f20873b

SHA256
155b36cc904bcfa9b98e4e0a2521f8398dd10eb8aaf3a54be5b633abf0ed42f8

SHA512
ae4a2d900698ad0716f039ac43ebfb2e15c4d8172b8d1a61a37d599864c771e00c49d54fd8e78c9832c85d073602de86a81d44c6e8dd2fe626ab859d353ccb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
956e99dc02c0effcbf701daa5b00134b

SHA1
8b2e46b5f750ad5bd01bcaf4a099397e6874a075

SHA256
4f9cfba9fda5e550e96088c2d0f32d986011629c810400da057a62b16d22fda0

SHA512
648bd38937706762667d8386e6cb7265d966c4691282b8fba5302612ada811b28bd171a1fc44000862f8411d342877850b38f1282404db7b9fdfcf6f1e822196

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2284-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2436-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2436-55-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2436-19-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2436-57-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2436-18-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2436-8-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2436-3-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2436-78-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2436-7-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads