mydoom | 705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84

General

Target

705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe
Size

29KB
MD5

d6049965cf9d1e19184e9ef3b089a7d0
SHA1

82d31b76a631c95f85288015dc0ac3d3092b6b23
SHA256

705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84
SHA512

db055c185165665ff45a01066d7a7d2cb3bc954d47966cb120566026b00c49bc7f09d52ec5d34c916e3c92958e98676129afaadc42ed502c74b197fbe9db6ab2
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/xhQ:AEwVs+0jNDY1qi/qZm

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/3212-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3212-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3212-120-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3212-162-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3212-166-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3212-181-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3212-217-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3268	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3212-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000b000000023b4a-4.dat	upx
behavioral2/memory/3268-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3212-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3268-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3268-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3268-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3268-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3268-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3212-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3268-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000300000001e733-46.dat	upx
behavioral2/memory/3212-120-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3268-121-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3212-162-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3268-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3212-166-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3268-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3268-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3212-181-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3268-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3212-217-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3268-224-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe
File created	C:\Windows\services.exe	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe
File opened for modification	C:\Windows\java.exe	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3268	3212	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe	82
PID 3212 wrote to memory of 3268	3212	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe	82
PID 3212 wrote to memory of 3268	3212	705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe	82

C:\Users\Admin\AppData\Local\Temp\705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe
"C:\Users\Admin\AppData\Local\Temp\705c62c4344fc1829580c88a8168554e5da7fa7f5a0073348a93920b90849e84N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6262.tmp

Filesize
29KB

MD5
8ad79e8f772083e96830668224aed4d5

SHA1
daa354232006097ebd4177a50fad2d3a6f45acb0

SHA256
cc3e7cdc2e12011594eec829a46039d9223931d0d2d44fd5950531a33b980220

SHA512
35180a4d417df930dce263aa0b36edee5f72814eb11b84268927f32c2556db5af66c413236673ccd5e3237574383a328ab4c2dd64d7b61ab72c4ba7e90101b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
1be428420739c0e20509a78b04d6f62b

SHA1
dc97a04672bbe99bd254f854eb4cc7ff5a4f5e34

SHA256
4ef22375e36a90eab99d47c8871ed25b71c4e886d55da8dfbf9aa0d17a02746c

SHA512
8259eae1c1a2b7bcf8f1348ead145167c99863e624d82943a0fb919fab25ed74c14c0cca2b1ec8df57bd28bb2bd0d2345bdc348e0736b969fbbea8371e71b870

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
f40fa6f96d0b19a170b3e95d8d446ddb

SHA1
7d3c6301d19142962670a0cea860fa6dc8ad5206

SHA256
2cc62724abf8526d8e74e51a320cb879bfdfb01204cceaa85d92b8455859ff3d

SHA512
a624eb296a7097f2f53c10a8a7698da3efac944b4952f7387988eef2347df6d757c8af822b35482f0a27bc134c857045ba276a602cc28930f8e8293d02580b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
1f1d32a60f13e9beabc0dcb86cbb3b09

SHA1
2ce1c12ad9504ba051676c91e3f6b7aa12a0a373

SHA256
26593c18f218d92b3de53439730625b8c20a7cb520085513c45f9f551ea31630

SHA512
3524b9b5a3141311c579ca488c108aa64ccf0a026cc66e176652130193723ebe7c8a87f9727303f745ebc46b5426644b28f5683555bd48b1b08d07897db1f9e0

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3212-181-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3212-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3212-166-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3212-162-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3212-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3212-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3212-217-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3212-120-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3268-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-121-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-224-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads