mydoom | b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca

General

Target

b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe
Size

29KB
MD5

208682c8473ab001e96263ee6953d863
SHA1

c99b184a5e97aa6d2696b30cc6573a225f8ddf7f
SHA256

b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca
SHA512

7ffb6e907b756732cb199ffb2fe4e1693165c6a4f48ea83bcdb6055685f28345923f7f79aa58969b1266d988de1efbe5cde5aa97c88a7ba469fb55ba5a9d6657
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/ehQ:AEwVs+0jNDY1qi/qGm

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/3564-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3564-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3564-51-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3564-129-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3564-151-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3564-158-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1948	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3564-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023ce0-4.dat	upx
behavioral2/memory/1948-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3564-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1948-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3564-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1948-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3564-51-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0003000000000707-56.dat	upx
behavioral2/memory/1948-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3564-129-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1948-134-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3564-151-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1948-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1948-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3564-158-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1948-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe
File created	C:\Windows\java.exe	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe
File created	C:\Windows\services.exe	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 1948	3564	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe	85
PID 3564 wrote to memory of 1948	3564	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe	85
PID 3564 wrote to memory of 1948	3564	b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe	85

C:\Users\Admin\AppData\Local\Temp\b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe
"C:\Users\Admin\AppData\Local\Temp\b53d72cf3b77c3091fb88dbd5187e5f46c38648b46f1f3d8f857dac13ec08bca.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FCC.tmp

Filesize
29KB

MD5
de0fb0332f981c9d3b75816e5f1366ff

SHA1
820b6cf18e3c51d93df522379c100a388e6a5707

SHA256
3b6b697d1e243f71bfd9889429f870098aa6893197a2c23f312a16695b15df21

SHA512
09b7e01789b3f99d49b43551103baa4b1add1922ab0a928b8b81fbc0fd6e09635cf6037e3c8ea4b350716377b81f3fb3410f034e36af4b20852a5759c1c6943e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
2a283cb3d5ca449241a20541de8d1720

SHA1
8ffc24b67ed26fce6fee20ca0fa15154a9aec749

SHA256
23285ed044980f0ec65a1e1d643561b1b2c4474d3b7b1b8bcb7747b1c5f1373a

SHA512
5e8f8384503d1e9947d6bee00faf89c75e4871f246248e50619c5fa72bca59f273e325b5c02e108915a0a7209d488aa9cce83eb060df07f51aa6cacd589d45ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
f0cad423a24caa7aaa739a6ac40de5cd

SHA1
0ebe3563b9f6b464799ec3c878b290c4fb78c3a1

SHA256
7e5ed2e17399c1ffc535f78105155423e316a4db4e4a83e988eca6cbeb51a9cd

SHA512
e916dcc0511fedcd587897b6ece815f2a580d6d0aa345addca3f7d5c27c7461cb08e2c81bb4862405b86e2d435d116d21fe7a223c0319feb911088800a9050f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
3993fd1ffbdb52bb2a44eea35c063daa

SHA1
6977633fc21a29671aa90c723db25ca8d6251974

SHA256
13272257d57857c9e5daaa67fc20cb7f6be3fef6fbab27f945f268735355bf9b

SHA512
5515d82033d84a9e582f5e4a6176db8fa26f8c4ed82bd6437b426e8a4940cf8a0bfa71df474195515ae0bb8a0796a38ab352fcbdbdcdad0c2cd1b567e39f3778

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
4145ccc7ad7c84d172b02c6966f8ddbf

SHA1
418e5e1e5a58eb038c3c087a6d89a6a02a64c301

SHA256
aafb4b2897b205ea27e7eba0129e7bdb3776e8a080f0993d19188f26e350dbf9

SHA512
ff645b099ea5d6017f903bd2a8064a915913129225b9f2ec5434c05c9aeaf9a57b2de6544ae3c548ef16e335e7b38db22d4126d98a577ad12a27236b55387da9

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1948-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-134-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3564-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3564-151-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3564-129-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3564-51-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3564-158-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3564-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3564-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads