mydoom | e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3

General

Target

e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe
Size

29KB
MD5

3e0376451c634e88cd6fc2472ca96682
SHA1

32bdde241ee62e5ce2feea580eea1547ae928129
SHA256

e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3
SHA512

be87c11f26bbb875f5edb5c8507dce59dd6ad22bad38a094b835b6db17ca18b6df1c02263cd365b3f143f7c0fa253c16ce173fe1ed93ff10b95493d6725ae184
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/yhA:AEwVs+0jNDY1qi/qaS

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/1388-13-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1388-44-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1388-136-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1388-149-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1388-153-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1388-160-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/1388-181-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2928	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1388-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c000000023b7e-4.dat	upx
behavioral2/memory/1388-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1388-44-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0002000000021f51-50.dat	upx
behavioral2/memory/1388-136-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1388-149-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1388-153-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1388-160-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1388-181-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe
File opened for modification	C:\Windows\java.exe	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe
File created	C:\Windows\java.exe	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2928	1388	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe	83
PID 1388 wrote to memory of 2928	1388	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe	83
PID 1388 wrote to memory of 2928	1388	e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe	83

C:\Users\Admin\AppData\Local\Temp\e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe
"C:\Users\Admin\AppData\Local\Temp\e23f8b1470418a9b9828d07e9b8445870bce123a9500a367c21cfda6c5b90ee3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\V6K36G2W.htm

Filesize
153KB

MD5
949ce5da6e776f917092eaed018e1f1e

SHA1
d029ee053bf04d6fcde8382d6340f46706a6923d

SHA256
392c3b8a4816452a6e21d859a5516a7af98896ae2c90996b931b737dadecb971

SHA512
1466b40cee336e71de0e622570805bbaa056762935be17e2f82d5eab7d713a181e8355f7ccf150c7f7ea58e7ff3ebe7589f7fa6b7c71a1a0b273d43e49e0c90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEC2.tmp

Filesize
29KB

MD5
f8b1a268b95753a334b0b69656d5c879

SHA1
6f11cece9df74454a42ccac836bc1b18793fcc42

SHA256
2e0f748d485ebe8ae82a3844a2bb9767ee0ec2ce663e07350c8518f82d499170

SHA512
e7761c41560ea6d5d4974d3d94a83d1753a44b698bffff089e50370e20d4b5835f11090cf6300e4fd5df22a876a88cedd6e21535070a970e72c10b17cd9db9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
8daa4ef88fc87ff77d82d11919380ba3

SHA1
93ebb8a8d495a578d770edf3143ca496efd60718

SHA256
52ab1c63eaebe6cc38f137bf508a4e68d2133a20c29335983085274eb7f41567

SHA512
49d2370f1da4b2e0cceaa88f1abdf49b84f47b456459f1d29b92ac3c99f59bf04d2c9f8fd3c4e148530e3aab6c68374a0440175de3bc17383a6fe595454de05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
d73cba17e1c0ccd7704f647882def479

SHA1
6f1960e65a41484ffbcd05f5e8d564ceb6bbe77d

SHA256
c4b5bb9590e8e0981826623b9c293a01f85e473da2b15a7a2fda6c8d4244b5a7

SHA512
ade72223e6694fcc6c67ad08c0f7b96f5635fedd96c634953463c7269c214161f1a5f193a17f0f65625df4ea3bb4ed428c832045b5b3dfd004a7a1961d354c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
5f7c852b827f0ea6452867b4a2e88420

SHA1
d3be4aff78556e0a78f31bcef4fe219c5ad540db

SHA256
f9ac5bf1908e57d87115b2ac763ae5de8f77d0d81173f36f91248d5caf98341c

SHA512
b11591d56a70506f7344cab0d933d039c1f9294341ac77b21d83d5811476f140d27d72b91d10c119524588c5582dd9c5dd14887072c66fc766c08452d113b927

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1388-160-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1388-153-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1388-149-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1388-136-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1388-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1388-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1388-44-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1388-181-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2928-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads