mydoom | 9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe
Size

29KB
MD5

e8f572e2f8be85245569bfc4d3a9aff3
SHA1

0e994acb48af9dd13215dfc69436c39f786e3099
SHA256

9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a
SHA512

6c2d1f81f79ff20cbdcf600be02155c15d4250f02dc5722e50935011ebc368edae2520e964a617ee072c56bafab2d1c4f468f977c60f8201abc3b9f6e1009158
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/OhP:AEwVs+0jNDY1qi/qmd

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/4264-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4264-27-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4264-110-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4264-144-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4264-151-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4264-176-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4264-210-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/4264-253-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3624	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4264-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c000000023b59-4.dat	upx
behavioral2/memory/4264-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3624-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3624-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3624-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4264-27-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c000000023b7e-41.dat	upx
behavioral2/memory/4264-110-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-111-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4264-144-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3624-147-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4264-151-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4264-176-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-177-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4264-210-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-211-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4264-253-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3624-254-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe
File opened for modification	C:\Windows\java.exe	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe
File created	C:\Windows\java.exe	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3624	4264	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe	82
PID 4264 wrote to memory of 3624	4264	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe	82
PID 4264 wrote to memory of 3624	4264	9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe	82

C:\Users\Admin\AppData\Local\Temp\9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe
"C:\Users\Admin\AppData\Local\Temp\9254a278b07cf83beefddea814e412f07f3847e28d91db98abb1a4436ed1c36a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\default[1].htm

Filesize
310B

MD5
2a8026547dafd0504845f41881ed3ab4

SHA1
bedb776ce5eb9d61e602562a926d0fe182d499db

SHA256
231fe7c979332b82ceccc3b3c0c2446bc2c3cab5c46fb7687c4bb579a8bba7ce

SHA512
1f6fa43fc0cf5cbdb22649a156f36914b2479a93d220bf0e23a32c086da46dd37e8f3a789e7a405abef0782e7b3151087d253c63c6cefcad10fd47c699fbcf97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\default[2].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\default[6].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZA7RG4JF\default[6].htm

Filesize
312B

MD5
e5c2364375c0a8a786a9508a840b6299

SHA1
bec1874db0d2348274b6656d1383e262f73e2bc6

SHA256
51b67ae1066eb179562cf80a8a156bbd4b139b83072f610bf62c0b6d58ed17f3

SHA512
ee19a8fa40bc7e991ac289eb30ceec8264d6071f124e99791022961c99f25b97def4f13fa96149eb52786d1104d85d20410e65a333304c0df6ba858472a557d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19FE.tmp

Filesize
29KB

MD5
d976125db4035db8933049a653e16f95

SHA1
f51ac7b568e7ff2c0610dd404a89ffc4110caf7f

SHA256
4b6168155576ffcd3003267462d18a502cef0631ee729b2cb3360cefddc16c15

SHA512
ae594f55e176e426ff87bf44e8abf3f7f8c4a6903a4d614b35d2d69274e86a287fbac0d818a16b8c8c59cd18ab38bf20324971f3345de61ab0b6e2405cd4aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
c31252d1f174a46f259bae024ac14652

SHA1
853349039a7d8a16141f4bc042d453520afdd680

SHA256
ebca8bd705fce6d9862141da06ad2b3e76864c36b0f2b08cd96aa26c2f3a6d95

SHA512
b80572595bcb54b7003d356e9f898207b685b362186f25f88194661b5c9103819c3ca86c00d2fb981f3d8eec8db467cf01fb0f006bf5aab40e8e747cea63139a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
8e9f5086444fdaebbad7e6e79a08f501

SHA1
54c4bde3b80521a351b455bdd8560651916fec74

SHA256
5637d6ef799db98e31028da8c0b693d0d2b04c8cca474f5e49ab9fafe30e1a15

SHA512
8cfec203870837464dd7b4a2685ff026c8c5b7a9c3592688e68b9b22f52a06626ca74790b15b9ad2afe851fda8caa0e1f74fb17e0fa4445d6602ad221329afcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
cafac7b30a54d5be112b2b8bf22c3093

SHA1
ccf1ebf9a1100bb7773ce63e8a3c90af4d89df3d

SHA256
90df9ea724cb0bc9f89a50fd2a5d9c4e65997a18891e059c80018efff023310a

SHA512
fbf48f814deaa98abacaa89a766d3e9c2eb6b28b110e61ce33478ec9db24164e115169124b15eb9785740c135612e1e1fc13e2d8d21d130aecf19f1eace9ec08

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3624-111-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-147-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-177-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3624-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4264-176-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-151-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-210-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-144-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-253-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-110-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4264-27-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads