mydoom | a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072

General

Target

a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe
Size

29KB
MD5

0a81f5d3c7cc3cdef7300d324604b8c9
SHA1

2ef7dd12c5d081cb597530ef7b895de927401324
SHA256

a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072
SHA512

8d2d0e9a2b12adcce2e81ecce8eb0c3aef13047f8b945746dce5af96f1f5a4338a3043318db6f16097d15fc46039acce4eef1a1ae57061fc8dcf89af829e9bd0
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/6hQ:AEwVs+0jNDY1qi/qCm

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/5004-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5004-44-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5004-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5004-147-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5004-163-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5004-170-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5004-199-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4816	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5004-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0008000000023cb9-4.dat	upx
behavioral2/memory/5004-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5004-44-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5004-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000703-63.dat	upx
behavioral2/memory/5004-147-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5004-163-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4816-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5004-170-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5004-199-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4816-200-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe
File opened for modification	C:\Windows\java.exe	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe
File created	C:\Windows\java.exe	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4816	5004	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe	84
PID 5004 wrote to memory of 4816	5004	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe	84
PID 5004 wrote to memory of 4816	5004	a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe	84

C:\Users\Admin\AppData\Local\Temp\a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe
"C:\Users\Admin\AppData\Local\Temp\a72c3853eead4f1986351dab39ff0d8274c3772ac50bebc4481428df1848a072.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\search[4].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF5B8.tmp

Filesize
29KB

MD5
6d660ec0b12f084dabce22feb2c67f36

SHA1
d12c667ec0a68e7afce1604040dc1915f5aac1d1

SHA256
3535b3767791f2ddeaa45ea43165c75cd6232e33f71b6b153c7dd742095ba7a4

SHA512
2af90d774a976f9cc7417a632af1eb1d4df8ef80af4f5333b6b37236755cc7d5f35d3b59919002390f8ea43713cc0a4c35f6c715f1d2d53f1cf27b383e917274

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF619.tmp

Filesize
29KB

MD5
7a6384d76187227f13996622c7c84570

SHA1
ab0fab0dcaeb64a9f2a581cf42013f763e5fcac3

SHA256
5df3b6fa1ede73c76334c5223d51a9e529c9d240ce6b1213b97824747a8ee9fe

SHA512
37763934f61b482f757b2e3d88e8e08b046c4c701d16f3c32ee042fd64cf621b6116b19aaa0b868ef684d91bff8c0d5add9aa94a28b8ff5b9cbbbb8915c956d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
668ff77c16124b2fdaff28867abf1fcc

SHA1
98f2dc2dfd54a54a8ee992141177ae82c38e0429

SHA256
4497f0a03d0921027ae1dc1bf72464200e0d39b0bd92037371310ad0b03d7fb6

SHA512
a1cfe3ee3611478dff9a2ee8e8760a5dbf5d46dd27beb54bc37443ca9d850f09cf5c8ec7443a826ff76f4f78a782815504f1a5ebc1d62c32f0928e3a407408bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
e125b560e2c6eba2507f1edc61fbb0d3

SHA1
8bb0ceafc35ac25cc5909796f896abdcfd6c22f0

SHA256
951b299b169ff8b45dfcc8e57040044fc79582d4f7715b684f0c60cfd3d28480

SHA512
770f93bcdea802bec9c02045ec788360635cd4b5d3a3544df345444168cfaa6889dcde1aceb566fc6c2e5d861d612008a18243489ae843e7b798e72f32c26a32

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4816-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4816-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5004-44-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5004-163-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5004-147-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5004-170-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5004-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5004-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5004-199-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5004-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads