mydoom | 7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6

General

Target

7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe
Size

29KB
MD5

b7f98261a87622be55f876f82b7a1a5a
SHA1

c5affa986e488962eeca161c717994c1f60419f2
SHA256

7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6
SHA512

d1e55aafc83c628abc8e36efb2cd0aac06145d1c85e0a22954ed36b90ebc2f47f7d2ac9f98e0eafb697d224b988e7a76cd504816039e65c9382c9addff15bee6
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/WR:AEwVs+0jNDY1qi/qI

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/1020-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1020-44-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1020-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1020-156-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1020-160-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1020-167-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1020-189-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1296	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1020-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000c000000023b93-7.dat	upx
behavioral2/memory/1296-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1296-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-44-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1296-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1296-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000000705-55.dat	upx
behavioral2/memory/1020-156-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1296-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-160-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1296-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1296-166-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-167-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1296-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-189-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1296-190-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe
File opened for modification	C:\Windows\java.exe	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe
File created	C:\Windows\java.exe	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1296	1020	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe	83
PID 1020 wrote to memory of 1296	1020	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe	83
PID 1020 wrote to memory of 1296	1020	7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe	83

C:\Users\Admin\AppData\Local\Temp\7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe
"C:\Users\Admin\AppData\Local\Temp\7c70cbb75eea61f140c556eae7848258dc15c15832baccd6cb2a2ea9eaf20af6.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA66.tmp

Filesize
29KB

MD5
e1678096828c3058df283ae4965c6ad6

SHA1
df41ce7876085ec92f8feb321289567a13141b97

SHA256
7786e2491c079d16c75c3b901fe6a1a71c11437a5e0211b275a5b28a77d2a13f

SHA512
92b8e08dbe10748380929a3d2d758bb670ca41677b469cc904bb59ecffaf5eb4833f3de0cf5494281d941b14d7a1900cab07798b6b06a1f1c22087db098e21d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
bf25eddd4a4e59afbba477fe768fc4ec

SHA1
38e7beda90bf2cfc862a70f94a72f777ed97812a

SHA256
f4cc3a9929a2b823228ca2ce054aef77a9517661bed310467b94662565f6e2ec

SHA512
67dd0893ee200af3a9a36d4e3afe4fde58c44b2ddb77f5e1cca3a11da3d6a9ae5bddedf5f5fb80b42a0aaaa615caae448763490f8815a9028e3142a4ed0f8272

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
4a8ecd6baecc5e028e79fbceb431e85b

SHA1
17a53581e91ada433f9615ec8e4dac468cf67ddb

SHA256
a5d15e23bac02057737b701a1747e81a7196fcee2e26849855fdd8b7544bf321

SHA512
78da1f343cecd73ddc196877d1a4053a43e0b5e01e58989296a5cae10fbd0e2b555a60f75fcbfa0bd586b2191864590799596b8cd4b8eef3f93465acd09f29d6

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1020-167-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1020-44-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1020-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1020-160-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1020-156-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1020-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1020-189-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1020-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1296-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1296-190-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads