mydoom | 9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32b

General

Target

9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe
Size

28KB
MD5

7ac8519739efea6f047844a4d31ac290
SHA1

51774cb59441595bdaf4ef651b80368ddd509a33
SHA256

9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32b
SHA512

a5e3d46e3dea2c240f1024456cbf672605b4926032ffbf5f2bac8e08b41928458fb36a3c435b2ed8eac46882736a17ecfcc6ac70c12e6359bf5f98dd7d5de7b7
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN+P/9Ej:Dv8IRRdsxq1DjJcqfNH9g

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/1692-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/1692-37-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/1692-39-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/1692-140-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/1692-166-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/1692-173-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4404	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1692-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0008000000023c8a-4.dat	upx
behavioral2/memory/4404-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1692-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4404-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4404-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4404-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4404-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4404-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4404-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1692-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4404-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1692-39-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4404-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000021f51-50.dat	upx
behavioral2/memory/1692-140-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4404-142-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1692-166-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4404-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4404-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4404-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1692-173-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe
File opened for modification	C:\Windows\java.exe	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe
File created	C:\Windows\java.exe	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4404	1692	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe	82
PID 1692 wrote to memory of 4404	1692	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe	82
PID 1692 wrote to memory of 4404	1692	9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe	82

C:\Users\Admin\AppData\Local\Temp\9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe
"C:\Users\Admin\AppData\Local\Temp\9cbe5df67bba06741551b959c36d93f3c6c4e760dd65135949cd5785423ae32bN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA594.tmp

Filesize
28KB

MD5
95518181bbb21d2c175993dcd55b84f8

SHA1
37cc0216802c5a6e7e992700fd5fb6d1272742f6

SHA256
9d4e5102e135e99e3ca2df35ab9e7a8b47ed6f2afd208bdbbb894d3251fa3859

SHA512
915017032ec5f366069669fc7873f4b5ad578848534e1accffba7f634d4a8defcd17a2070ac7f4c63f5748bbdcffa2f3cf7b009a51891bb8f1598352cff1553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
494a9f47f18a2ee5d5431957f574e907

SHA1
8ae5641c4543a4e02ebd90fe5be5fd16bb7c4149

SHA256
9abe647df7c887b98a748a8b29561cb363f6fbf460d3ee8822a9433ea29d2f45

SHA512
460b5e2327bdcdfad6b904674075357f1d69f05f9ae533985f94235e4624b78d59a5cb139ffab0e699e63bced593942d90154e42548ff8309f960b0ee8aa29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
caac883a059a78a3a3b40c1e7924c953

SHA1
dd24ccaba5b92db58bce96a566f60bc521a8123f

SHA256
2187fdbc6315851b2c82830903bea1fdf462671138ebe1b2791b6b3f105dd16f

SHA512
7c7fa3812018f9e1deeb29ed2065f39ae1d0714475ad70c7f6f6c58766cb09a8e501a1e6bde51d41ba9d1814a26a86af4924d1373778677238fcdbe9bdb2824d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
123a620c77be2c64a3d14ff1fb3f4aab

SHA1
feb41e9dfacb317d51ac1007f477e8e5e5d1a4fb

SHA256
dd9cea42b9985dab43f2e1e62a7e4c5f800d16eeb3ee1df603b254362c7e82cb

SHA512
d3675377d6214480e2d2e05d8650d2d785086f5522f45de76e4addef465a8741e78fefe9d337b795050e0646cb0d627923780c81ff70489d91529fd198a0c8ac

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1692-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-166-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-140-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-173-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-39-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4404-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4404-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads