mydoom | ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa

General

Target

ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe
Size

29KB
MD5

74b986036b8d8aad2457b25af20a93b4
SHA1

8203088da87dcafb93296c3f8ecef4466e949777
SHA256

ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa
SHA512

05e7ecf8eb682bce3ef2695e0f911a4a80782a44e97a0aecd19d1a9730a0d0241d9a757ef4450e4a7d572b3099c523b84e9ee189ea9715d7aba0f91e46ef8526
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/ZhH:AEwVs+0jNDY1qi/qR9

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/2328-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2328-27-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2328-32-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2328-114-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2328-138-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2328-147-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2328-173-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2328-208-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3412	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2328-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0009000000023c95-4.dat	upx
behavioral2/memory/3412-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2328-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3412-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3412-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3412-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2328-27-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2328-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000300000001e742-38.dat	upx
behavioral2/memory/2328-114-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-115-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2328-138-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3412-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2328-147-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2328-173-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2328-208-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3412-209-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe
File created	C:\Windows\services.exe	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe
File opened for modification	C:\Windows\java.exe	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3412	2328	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe	83
PID 2328 wrote to memory of 3412	2328	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe	83
PID 2328 wrote to memory of 3412	2328	ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe	83

C:\Users\Admin\AppData\Local\Temp\ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe
"C:\Users\Admin\AppData\Local\Temp\ac317202a97cad6983f3913b6287e7f380eccaff8a199b2371c0482fec80e7aa.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9IEW0KLU\default[2].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L6PPXFHA\default[3].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A8A.tmp

Filesize
29KB

MD5
d106e79c8cb207ecb9913335fa11275f

SHA1
4a2e0374b53acb3bce01913fc04549590686e2ad

SHA256
806e800c44cc0df1b71c57d8b5b0d3df0114eabddf2e3189a996a32ce9c8f5f4

SHA512
cdbfc76c65ff34effd468ba4e6094195c76cda6ea2305a6a7f29503a1271b0443fd02fd7674c4d842fc90656723dfdd08fc1042d89a11011ef5ebc7d5be528c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
213f481afa267c0a47fefe5c9cdc123f

SHA1
3f25a4f188456877d852c48e38488374b30fb5cb

SHA256
44cc94acd181aeecbd1e809b8f305aed80cffc1d836096a6014b75bdadfff6c6

SHA512
55b2933b94e529a3252164667d1ff88d12ec4f214c7bb4154d679d87847ddc2f5a97b8e6d921323b9a9f2d04bc5c1c77a822ea37a184c471f6df166bedc51c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
34a6e9b057dc306dc8c685db0ad3caa7

SHA1
652aa1f20c4cb53e18531e2179503b9228d28a59

SHA256
78cd06e74bfa9c67a6b99d60450c165863690e9edf9431c8cc1d644d958b116d

SHA512
c0610aa04b2bf82d23462c38efbdc2dbc27e9bfc2e9b547cf35b1bb3b36f98b81382e9bbd39f1ad3db4ac1b17fef79dcbcd06e10d888857d13bf9fa2aa687e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
a331ea6be82f9a2aa05853715b8481c3

SHA1
7e25f79cda8d9d410708d7d6fbe177f749444360

SHA256
2a2fab1a7e238c9251f0dc7b238fea3a4486688334bf0d5ab08a8ea654f3e266

SHA512
ed987b1698d34c2e2bc4245964cd318a7e3b56cbb3577f40cd6059a6ec01f88f5af9390143e5a4acfa88ff5a6d38e6298e6a37ff66661af0874a152fb2c003a7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2328-173-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-27-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-147-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-208-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-114-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2328-138-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3412-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads