mydoom | f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe

General

Target

f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe
Size

29KB
MD5

1b5bbe81905cd1d6a7f947f7927db142
SHA1

14843cfc131c9ea68952e60fb9de0fc98d9d3fcd
SHA256

f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe
SHA512

f0536c5cf37d09f3de816585d56873e858df3055665799cbaf9ef5a961354e6a3d5b18d75595e4c5eed5eba191e199a196d0f5aa96a89fccf885e3816d8e7c7b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/nQ:AEwVs+0jNDY1qi/qo

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/3672-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3672-37-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3672-90-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3672-148-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3672-150-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/3672-159-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2008	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3672-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2008-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0008000000023c61-4.dat	upx
behavioral2/memory/3672-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2008-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2008-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2008-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2008-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2008-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2008-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3672-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2008-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000800000001e786-43.dat	upx
behavioral2/memory/3672-90-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2008-91-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3672-148-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2008-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3672-150-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2008-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2008-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3672-159-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2008-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe
File opened for modification	C:\Windows\java.exe	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe
File created	C:\Windows\java.exe	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 2008	3672	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe	83
PID 3672 wrote to memory of 2008	3672	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe	83
PID 3672 wrote to memory of 2008	3672	f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe	83

C:\Users\Admin\AppData\Local\Temp\f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe
"C:\Users\Admin\AppData\Local\Temp\f854ed4a56a9fbf565c8ce03808fa3fa44afca1fb36d0b3c8ad5b205effd2afe.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB8IB6GH\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE7B.tmp

Filesize
29KB

MD5
bc2618d1cd4e0bf1b615e4f07d3a4b26

SHA1
6c3f65918d921b1af71b83f40bab36d6565d53b0

SHA256
ab1bb6d62927f86c8eaa422282ff427f021b796d666820ddd676b9a8ab9c8bbf

SHA512
586f13c7a8e33c45146271d5cdbef248b74ae32ff02ae9e42ed58d508e10657ca2418219ccfcae27755efe030bf1b4c8a07394a7df71d5f0c4635217c8648edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
2ca88469d9568328d17c0ee4ef2a669a

SHA1
6f53c75a11f59306ad282389bc8cca950441df64

SHA256
1ffb8f2a69c326626c7af112473ecd3b345a8d6b2b78f022d861441da96d9a82

SHA512
066ed41c39b07983648fca9ac40f278e3481daefffed5f52f7be22c5a9595fd4411e5e5223ab32aaa0575aa69b28de22a714506864866b775be61ecc1622471c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
dec12921eabbaf06ec0122f46b56f6f7

SHA1
b05376c5208591879a4f3815c8d86e1ecd8e0077

SHA256
9fa95889aeab482e3f35ef5b1b6962e29a9e5cb9a85be3199ca271829abbd795

SHA512
9ba728210cd4ca11f8f9d1f45a2cb612effafaf344cfc5072caadbbdf24c14b322bfe581fcfb2fe7a51385628fa8a55888bf3c8154fdb354b5ec5b8c01ad2075

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
9a0a191b268a8ae46934faa3dc6e9e3d

SHA1
aa2debc6503c985863ff278161c5855d13277c50

SHA256
7d6a27214ad2d70e286b7ccad234c05d64f778cb6085dbe31ae9794098a89519

SHA512
235fe6f41136463fff42038a08400abac8a5d6ad35a1b6d2cef3df4e47dde763162733f0a1fc5e93b72a87e02bc8eb242a31cf3069e4f288377249a268c92696

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2008-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3672-148-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3672-150-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3672-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3672-90-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3672-159-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3672-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3672-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads