mydoom | af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695f

General

Target

af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe
Size

29KB
MD5

a40c83c420a6f6a0557c106e77bc8b60
SHA1

f603def0417bd157030a5347c605b8825587162d
SHA256

af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695f
SHA512

aec375c073e92cc5406f3d216f881ed7fb55194a4cc3a34da2f564e1c2e3f9f447d3f4b05fc7432d805267538417f8779e0f6d09e24bf13af0a6a6f33a489fda
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/2:AEwVs+0jNDY1qi/qu

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 4 IoCs

resource	yara_rule
behavioral1/memory/2244-17-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2244-48-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2244-72-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral1/memory/2244-76-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2380	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2244-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0007000000019259-7.dat	upx
behavioral1/memory/2380-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2244-9-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2244-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2380-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2244-48-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2380-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x00350000000191f6-64.dat	upx
behavioral1/memory/2244-72-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2380-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2244-76-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2380-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe
File opened for modification	C:\Windows\java.exe	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe
File created	C:\Windows\java.exe	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2380	2244	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe	30
PID 2244 wrote to memory of 2380	2244	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe	30
PID 2244 wrote to memory of 2380	2244	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe	30
PID 2244 wrote to memory of 2380	2244	af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe	30

C:\Users\Admin\AppData\Local\Temp\af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe
"C:\Users\Admin\AppData\Local\Temp\af3819610445ac52fac38b7475e6fca21e000ff5104e104a83994d385f29695fN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBB94.tmp

Filesize
29KB

MD5
f5292b8ee79b4aa7b0646c209e1f08ff

SHA1
f67ba1f36f417a1d8275d23d7515ed05a2dd1b18

SHA256
5abf7c3de94949dc2bf5ffee49aa80b1f8f305577cbc6dd3ad72a82d1403603c

SHA512
9b833b5fcba7ec98bb3f357e980ed1f10e1e50c3ac0234a7bda8921d7097bb7b2881b44032cd2eb1ae1e6a10f7ec9c9ab46cf94c6740bc525bf377f7500f9e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
95536a5fb92b560e56a67badd5688627

SHA1
55d173dcbb3d34f24f351e967a881f09fc598f9d

SHA256
d746c8e345fe1e775113a19a52cb6a61a8faa31ab378b2c3903d00c11e866a1a

SHA512
3eb7f59598a81158a1dd1baee6e918dad5af6ed3c0b0ee25ad3b1140566afdd16cc426c8cc7284e2283970686251c51600e985526997a68e0b775f9af36d329b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjg9emFVcj.log

Filesize
320B

MD5
07535b3d8fa5c9b41d49783bf8660292

SHA1
b2557b2ce56b95d1da4f2edb48e2cc894f90bbd5

SHA256
ddff51d6d625670f6f688ecafad2d3b03827d9e5274b8addb63958877c19fb1a

SHA512
071face8c8b31be68d9b6a82a211639d956ef99dc9b89dd47a8631dfa4767448f7c553659979afc2ee339632baaeeb1ac3cd17dc2ff32541ca848a8011486045

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2244-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2244-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2244-76-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2244-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2244-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2244-72-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2244-48-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2380-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads