mydoom | 6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20

General

Target

6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe
Size

29KB
MD5

eee6b96c32e2e34b3553d4955ba10820
SHA1

0a81d65260744a27608c84052efcbd5540086e13
SHA256

6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20
SHA512

e8255a0f459486dbd63773a4739cb168e222e0bd440b5200def9995cad2582d1107eb79adf25d200523e6e9723f84a4372066b9a99139401d1eabd7363829f48
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/G:AEwVs+0jNDY1qi/qe

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/3064-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/3064-44-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/3064-67-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/3064-69-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/3064-74-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/3064-81-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2464	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3064-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2464-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000017429-10.dat	upx
behavioral1/memory/3064-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2464-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3064-44-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2464-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-60.dat	upx
behavioral1/memory/2464-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3064-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2464-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3064-69-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2464-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3064-74-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2464-80-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3064-81-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2464-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2464-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe
File created	C:\Windows\java.exe	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe
File created	C:\Windows\services.exe	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2464	3064	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe	30
PID 3064 wrote to memory of 2464	3064	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe	30
PID 3064 wrote to memory of 2464	3064	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe	30
PID 3064 wrote to memory of 2464	3064	6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe	30

C:\Users\Admin\AppData\Local\Temp\6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe
"C:\Users\Admin\AppData\Local\Temp\6acf28680b08cad73909a30e98aade48b888c65057aea9b62d931d8d0ada6e20.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE8BC.tmp

Filesize
29KB

MD5
1feae0bb097272f6cb33ddf2ec8e4c98

SHA1
0212cd4c072c80490bac70accdb5a970c142b529

SHA256
4fa6542259cd1781e00311ec3efe67264f0280f5ca8fa64bc2c7b7c0dd5de56e

SHA512
c06fb65dfa28f350a16e62df0432ac909ce077d4e8b6b59f9c8947fb2a3e57ce479fde604f3e2224baa2740a4727ba11d11f21edb01ff427bf12fc9a523ff23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
62682b4ed53b5da574e4a381ab67df84

SHA1
4687207ae56b13ccdd382e4bcc3b069b5d774ca5

SHA256
8292f017d329ea49d687deb62e8d6b86bb931fbb08108d6f569b44d6ce7e8e66

SHA512
e7a2e01cf5cdf8004022d595aa46375bd360121991bdb2e1c44d1b22d0d51050854f81abe20ee0fdb5e2fce20ebae13d0cfddfd592cb2eb528d64e056d46e0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
b19a29270e76ff3200fb04eacbd803c6

SHA1
a51862a0b856bbb46a249e401527b2c11ff9d616

SHA256
42a66acc284322c4c2959327b7698bc656fa687ad7a8903ef15b54412d22def3

SHA512
dc0047bcc72f6f1db480118358d46e11223037c7c033b072359bfe88d7c6453379a9659340d865e4e22735c5a18d8184ab43d05a2a529b379703037f9c408019

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2464-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2464-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-18-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/3064-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-69-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-44-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-74-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-81-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/3064-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads