mydoom | a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c

General

Target

a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe
Size

28KB
MD5

b84c27473b71f69c810e2a3a40d1955b
SHA1

9a1a64a7179d403f4be62545cd3972b4d5af9db7
SHA256

a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c
SHA512

229f2ab4bdea7765fc03dae822f68f96c08d1a9be603f9b47485c90f3e82dc1d72fa47ca1ec53aadfc8faf5834a25dcf45efc4b27e75a18bbaba8b95bd1df798
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNCJmpD:Dv8IRRdsxq1DjJcqfXED

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/2320-15-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2320-29-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2320-55-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2320-57-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2320-62-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2320-69-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2556	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2320-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016875-7.dat	upx
behavioral1/memory/2320-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2556-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2556-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2556-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2556-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2556-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2320-29-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2556-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-45.dat	upx
behavioral1/memory/2556-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2320-55-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2320-57-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2556-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2320-62-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2556-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2556-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2556-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2320-69-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2556-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe
File created	C:\Windows\java.exe	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe
File created	C:\Windows\services.exe	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2556	2320	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe	30
PID 2320 wrote to memory of 2556	2320	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe	30
PID 2320 wrote to memory of 2556	2320	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe	30
PID 2320 wrote to memory of 2556	2320	a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe	30

C:\Users\Admin\AppData\Local\Temp\a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe
"C:\Users\Admin\AppData\Local\Temp\a94e4925fa6217000c3ae6b6e1bd01d70cde8c0ae5068c1d90ec3590413d0f3c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9E35.tmp

Filesize
28KB

MD5
2bd103ff8b39644d578c09f2b44816a4

SHA1
810a9a9643447015fb2d04fac673f8b7eb4efc46

SHA256
60850fbdb6981ba9977a4a3dc9b8e488d7cedccfc5369cfa513265f9098595af

SHA512
5d8690a043b8cec76738a3de302f62b8234098e23d9f8c3e21189a72b2db4f0ac47071bf65ea62cdca0ac48bc5c25262c86de9ac0eb25eae6b9909b16ce90f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5f958e494031ece632f5b19fe6236152

SHA1
856c0afaeda3f41603260164e70d20da8d13f2b1

SHA256
246c3f9068b73a15d34a49deac3e7e7c4afdad42937733a50824188e55287f67

SHA512
9fca9922bc16b0398340ad87887f867f7aee980aa926f4c4169dd169af8083a5e8cd780856e7cccf67576bb04cf0a3be563dc75a3d417cbaad99307ea8751d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f767020f50ba3dea63757935dd1e89af

SHA1
1c301333a4949af1e4cb38f458ab602fea194c1a

SHA256
c03aaea46566f7af64f153df05b28d9439620e3991ee385d4982ebeeb837e8e3

SHA512
f430695c39247ad6ed42f19ffaf23c0134e695d187d8c13689479499fa71d80eb38a495b94c8e13555179baac2a4bef0f9e3bf1a78fecf022b3b98bcbf687792

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2320-62-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2320-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2320-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2320-69-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2320-57-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2320-29-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2320-55-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2320-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2556-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads