mydoom | f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89

General

Target

f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe
Size

29KB
MD5

c8173b2f67f6a3cdecd7ff6ca9aef8e5
SHA1

b69cea638a628982c3cc33f1b4b02bbd7ff70ef2
SHA256

f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89
SHA512

3ea0a44685cee0e73ca784116fa7bd2b874fff96040632bf95e6e7248f0fe59cac8dfc712ec57ab0750eac5bdada56f829d238c4a20c657544da60617f7c59f0
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/ghv:AEwVs+0jNDY1qi/q49

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral1/memory/2368-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2368-33-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2368-38-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2368-53-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2368-60-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2368-65-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2368-67-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2164	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0008000000018d68-6.dat	upx
behavioral1/memory/2164-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2368-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2368-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2368-33-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2368-38-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-44.dat	upx
behavioral1/memory/2164-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2368-53-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2368-60-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2368-65-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2368-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe
File opened for modification	C:\Windows\java.exe	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe
File created	C:\Windows\java.exe	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2164	2368	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe	30
PID 2368 wrote to memory of 2164	2368	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe	30
PID 2368 wrote to memory of 2164	2368	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe	30
PID 2368 wrote to memory of 2164	2368	f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe	30

C:\Users\Admin\AppData\Local\Temp\f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe
"C:\Users\Admin\AppData\Local\Temp\f1f1cf7891d6a02c148c856039f3a9bda567cccc7a9ca6454ca8c0f109634c89.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9119.tmp

Filesize
29KB

MD5
e5b243a843aa455d4f647719f4688102

SHA1
68d618fd259e0691c139d3b38958d2878886486f

SHA256
8cb59949b8a851df3bc56ffd7cddf88cbdec4ef6d7ca751cf95b4d46af17c577

SHA512
53e83c6d6ed104465a599d3cf896e6e18b1f2c1d62247137560dc93ec89e1f96237ee12cd75650f22b063d5d4d9bd727daf149bb68df29860c47a0d98f30b843

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
ed32143d63d56ca6311e5fd5a2761fdd

SHA1
d1d4dd9b72a49a107535e590b16159406b8100c8

SHA256
641b559fc5bf168d1db56a602f738492fdd54c8b097b07b556bca50c5692af86

SHA512
6e18e3c281eaa40333e7d54ba8f2773aa524abab32bdd0721c0f0bfe0f07f3db7056fe19d82e2d673b071b25b48d2df685349634ab72117bf68f8fe60c2f0b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
0514575993ac8cd4f766db1b54858d6c

SHA1
d1700a2dd5fca7ace063d49197415270564e060f

SHA256
ef7b6e82e9b7fa72e405c452ae6d57f79fba5cfc4808135517865eed3d16ee83

SHA512
491477a56cb4d5455725faeccf0eb9668d51224e133724a4fbb6958bc6f005ff4c12ebfd2af52e3d8595f16432aba2ef0bec7a287d2717039c02015dc60d254b

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2164-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-53-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-38-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-60-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-65-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-33-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2368-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads