mydoom | d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7

General

Target

d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe
Size

29KB
MD5

c50c7448e1b8c3f0eb5ec7b3d9918ba9
SHA1

2e64b58b55ce026d4903f47c3d9116eb50f439e2
SHA256

d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7
SHA512

b98166ec886847c3cee8f36362c71925547d05f422b46a8d66db50ffe5e85ab555e3a2710c5085991fa238b73aa6ddf8f0836fb23777b95f85003d1793d083a2
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/E:AEwVs+0jNDY1qi/qc

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 2 IoCs

resource	yara_rule
behavioral1/memory/2832-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2832-56-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2488	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2832-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0008000000016d42-7.dat	upx
behavioral1/memory/2832-9-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2488-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2832-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2832-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2488-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2832-56-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2488-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2488-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016dbc-72.dat	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe
File opened for modification	C:\Windows\java.exe	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe
File created	C:\Windows\java.exe	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2488	2832	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe	30
PID 2832 wrote to memory of 2488	2832	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe	30
PID 2832 wrote to memory of 2488	2832	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe	30
PID 2832 wrote to memory of 2488	2832	d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe	30

C:\Users\Admin\AppData\Local\Temp\d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe
"C:\Users\Admin\AppData\Local\Temp\d7e919bb69bb9633519d719d04386d2314cb0a9ceea220413a24cc486ea0a9b7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sjN4knybix.log

Filesize
320B

MD5
afc0297a57b4a2dbe1d1e914501363c8

SHA1
5787e087bc0cff21e5577db616251022806c4059

SHA256
5c7788bb71ec7e0275e03f0a0f7be25e59972d8cc7876cb0f73210fdf747622d

SHA512
b729529e13dee87d6e02499f28cc4a399e362d96b541ae554891cfc279b6dda067e94fb2d8cd3c815ae2f5b082567288246522df98128bfb9e41a5b1886e1558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A8C.tmp

Filesize
29KB

MD5
3c20a9edff5c4f25d3f18709c05ddc5d

SHA1
c8b68e29e195c77f9fed86541f5dfbe189624d47

SHA256
569f18249513ea4d6376ed756796f90f4f43fee487c380b178f3b59350c82923

SHA512
41dd8f8cdc20ca7eb815913be57ac7193752c5509a8f35e9becedf24dd8f2693088c1b9ba0898329f96d6ebc8cfda8b927f69759dcdca146904c860c84e9d4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
391B

MD5
8241dbb63fa47b0aa3d3ec4492c29945

SHA1
4850879438f9548a3994cfa646545cda0bb83971

SHA256
d9d730f43a6b1870f976939b8c619cf37295cfbd2a5e01e1e40cdac2b37f4c66

SHA512
78ba4282bfd4d7ba22c700ba6236707bcb74f63e043c1ea8d7c8f79a5958ab93f8501d9e9373842f99eee85b7c99986a8186e5b94a7371d9ad2de35831b244e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
bad98c1b3b6b453e81ffef44892d3418

SHA1
37b98addca1ff5cfd38751206bb29bdd4c4abbc2

SHA256
17cac990c5f6024d9906574f9eb0c44f376d3b8b3c01b35ab2cf454bfdd6a265

SHA512
65ef509c9bd0eed8af40d88304ad763ff6bdbeb39b5c25389c95e8c5c5688f59406f4401e5468ab830f44d0a170d8337c9c50074d4368b15629bf464bb8fe06f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2488-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2832-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2832-56-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2832-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2832-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2832-18-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2832-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads