mydoom | 442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe
Size

42KB
MD5

c05cf8d758084c147048adc1f1850929
SHA1

61c4fea566a51ad41e703cf2589cbfc01ebb62b1
SHA256

442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e
SHA512

15248b84555d5f21e3a44ca1003cfc5c64fae4096f91aeb4f662b90ca3049e1673e9d19d45bdd2643cf44b6f80ca2c11668acd7c1e15876d20e6c59a1b3626cf
SSDEEP

768:tdAkXGqv1GypfcHrk1DqAHNS/BHPmeWcTeYdC9VOV0rxAdeVV:tdAkXGqECcwYgw9PNSa0Go

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 1 IoCs

resource	yara_rule
behavioral2/memory/3020-130-0x0000000000500000-0x0000000000511000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4352	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023cb0-4.dat	upx
behavioral2/memory/4352-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-135-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4352-231-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe
File created	C:\Windows\java.exe	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe
File created	C:\Windows\services.exe	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 4352	3020	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe	83
PID 3020 wrote to memory of 4352	3020	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe	83
PID 3020 wrote to memory of 4352	3020	442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe	83

C:\Users\Admin\AppData\Local\Temp\442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe
"C:\Users\Admin\AppData\Local\Temp\442996773df97fdf90be55054442a92e9debcf3a681646c97c71b223db5e212e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8B3ZU6S9\search[1].htm

Filesize
116KB

MD5
1353390c94924c67b530f82078744538

SHA1
d6bf2b5374eb2cd3fbc3b8ae7e6939559d3ddfb8

SHA256
62a22cb5ae06f0da5a532db17263e61605366e4a662f56a32030349dc67264d0

SHA512
2124f9a7b89f982ee8f9ecd0f5d095a2c1e1a3ad8ee8d3a9bff4326ce3bfdf3ceafd21af250f3786715d4eea82b7825ff47daf4a3ca385a22ee0785ed52f98e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGDWJGSY\search[2].htm

Filesize
122KB

MD5
53cc114d2dbf8781635e7bd35ded8d78

SHA1
04f4c861cd68bf0c87705f4a5f04ea60c296c06a

SHA256
c051d82c4d2e1327beb01e1f0b7fc9b233d151c6a2b5ecf421e041b9d790a6f3

SHA512
8fc78195598285e06af7a418e95f9a064ba32b44c744ece6bf5ad0a542c18a27bef004a1d6c33bacb11845657fd414d4a3568b5b53516dd81d0b297f435929f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGDWJGSY\search[5].htm

Filesize
139KB

MD5
65d77d70a6c3e55878b23639bbfe8321

SHA1
be8171acb9706611baa6b32a1cb30da98954946d

SHA256
8ada307805128c17b886933d0ba495cd59a8301efe32b19e0283239798599524

SHA512
16ce72a1b77ef79d08e907919a7a0c5da9d775da8b967e42855d3a7400a8f58d85806a8e5bb871dd4cdaecbe6594a1315755d5dd540178ded78e6271474bb0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O4PTG2YB\U19HCUZF.htm

Filesize
153KB

MD5
da94c54011e8a76bead9f47e60ad6e3c

SHA1
8d5fa4eac052d3734a31b579c38dfacd8b130097

SHA256
d21f19279d01f55321ead6d327cf2e34fa54eb847c06577c821ba5faec11f8a9

SHA512
f81960ff8102cae50e7c1dbaef36be11e5f3bc8beddbe644c0c7c645ca2d0ae739ae599f46bfa337c09318a864d1bab5114e46003f6f26fdc9cb6727994f4a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC270.tmp

Filesize
42KB

MD5
7a3ff301d9c3fa8288f3e37c97c2d9ee

SHA1
4067ac149f79be7d94f0927ab06c8849e7b08d24

SHA256
979def5c4ac44ec2936b8a4364ce142dbc2301b2040023f3fda329a1da4f2086

SHA512
e6fe707522f2627dc282f3d90ddc3dc9336314e3882308f3eadf9dae1edc559367b25cd6bd7bac8c4dc93ba2e4643a0227f014b7ee6736e37360bc910b3c9c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
128B

MD5
a15c687d775f70380c88cd6872f4af2f

SHA1
3f56194a15592e5b784002b13d91c2d96b282e07

SHA256
77b97b94410ee6ba7adb981bf9bfa72d1d05966c04f10dac7e1e7c2871eb0ce2

SHA512
172c51242d2b241698fa366b33f91c725e37d7e1ed6bec7552194761cb650cf7cf6360bf8258cc3fec1e4d6d1dcf8aa551ed4049e113f9c8fcae514db811382e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
128B

MD5
be216a0b8f834f1b90916f6ba9bf0e0b

SHA1
e146b558928f99d5ca1f6157dba21f61d4575de9

SHA256
b2df1207f34aa189d68f93aa182e5cb39bd821b416728004e05d8077e0e5aff0

SHA512
8d866646cbe866e8367173b53962a14c4e3115f64f10a83d77c778e899b53c2df085fcc4e7c2f8dabf47a1e838246d3c536235a93ba333b83db1280ea4129acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
128B

MD5
b94cb5cd1e74b84a3798ac757582b188

SHA1
3381b2cf763ca71f0b61d23c7e23215d9e880724

SHA256
c879bac7201db2d8ce0d434a904d8290294da9e7c6ece7f388e3ba43f3c8f9d6

SHA512
3106f4cc1c4165d8ecbd5429df3ea3091338be9083a5d0146f11cb7111e89127da1dcb98aec6678ba296549f57472d2b98418b11c2bff5e024a2c5012b0b6d47

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3020-0-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/3020-130-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/4352-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4352-231-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads