mydoom | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
150s
max time network
175s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/04c187920db980d8db16c5acb58049ae.exe
Size

29KB
MD5

04c187920db980d8db16c5acb58049ae
SHA1

80eb023fdc6fd7b7b0e576348afe0d7485007490
SHA256

901cb61d59c7292bc8dae4a997c10fc46908f7cdb1bffe7b4df7a868459aec88
SHA512

bf50729baa724759d57bf9d64d6d9453d03557dc0dc9e7998cff04a0a132b5133f651130bf39e2b6b0e56301b7e627e5a55101461bf5755fbcdfdf3cefd42f6b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/T:AEwVs+0jNDY1qi/qr

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral19/memory/1164-12-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral19/memory/1164-49-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral19/memory/1164-81-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral19/memory/1164-135-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral19/memory/1164-150-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral19/memory/1164-168-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Downloads MZ/PE file 1 IoCs

flow	pid	Process
29	3612	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
3660	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	04c187920db980d8db16c5acb58049ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral19/memory/1164-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral19/files/0x0008000000027f49-4.dat	upx
behavioral19/memory/3660-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/1164-12-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral19/memory/3660-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/1164-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral19/memory/3660-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/files/0x000900000002873f-66.dat	upx
behavioral19/memory/1164-81-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral19/memory/3660-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/1164-135-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral19/memory/3660-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/1164-150-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral19/memory/3660-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/3660-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral19/memory/1164-168-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral19/memory/3660-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	04c187920db980d8db16c5acb58049ae.exe
File opened for modification	C:\Windows\java.exe	04c187920db980d8db16c5acb58049ae.exe
File created	C:\Windows\java.exe	04c187920db980d8db16c5acb58049ae.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04c187920db980d8db16c5acb58049ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2788	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3660	1164	04c187920db980d8db16c5acb58049ae.exe	84
PID 1164 wrote to memory of 3660	1164	04c187920db980d8db16c5acb58049ae.exe	84
PID 1164 wrote to memory of 3660	1164	04c187920db980d8db16c5acb58049ae.exe	84

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04c187920db980d8db16c5acb58049ae.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04c187920db980d8db16c5acb58049ae.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3660

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTI0QjlEQTUtQjc3Mi00MUUwLTk1REQtRjU2NkJBMTc5NDI3fSIgdXNlcmlkPSJ7OTk5NUVGQjAtM0I5NC00M0Y4LUFGNjUtQjNBNTczQ0I4Q0NGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OEY1RTg4RjgtQzdCQi00QkVDLTlEMzktQTQ3Qzk1NkNBNUUyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDE3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NTg5MzQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM5Mjg1NzI0MSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9D8Y038L\default[1].htm

Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MOFDGMT2\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D7A.tmp

Filesize
29KB

MD5
524fb42cb45aa0aac3e845b8f6440636

SHA1
c68715be14f8ccb6c502eb326cc7bdb84cb93459

SHA256
1b133d3097dfe7bf1f1f3783041e8a27fed2338d8d2b53e183fe30a445dc9c2a

SHA512
7d9891016f982fd4cf233597e0c65689da6304fac2875a3fd44c0358cb87b5ee07b9d7f516f813903ce5a5db1e00da0e629ec3f37fc2500db231e6043d37da77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E48.tmp

Filesize
29KB

MD5
36a2c8065f8e7249fae028f1ac0b142a

SHA1
f85dc81aaaef87a1b466abdd72d797f678e78a87

SHA256
128e4a2952883f074d98c311a1e8d07c8d1225850ba83c2b2761aad8e1a40987

SHA512
04df44cf80dc790869ed5859c0e988aa3624908e3feac62b02de272d3982e4d038e6c1109e57595eefbd3740e4a49bfec2409b22377ee00a03831164c4238f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
8fce3b0d5072f4bff301365b23aa6bac

SHA1
66f8f3c82b56e29217ad13e946bd38f25a3b9d29

SHA256
d2a24a6c690f18595e3588ebcca6ed5f81a8967d8432a7e15267aa7bfb6aec06

SHA512
0037654c4c80127cb12a9e8dc59e1e53980f532f65c3aa393edb253309712f18311ec36b571416af695e57ff93ae108179cda0e415e5320468b508e97a3a9740

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
1e048c9e37e867312b562e09cde88912

SHA1
fc84e1f47eca5a408227ad69534a6e924fd6a39a

SHA256
7f56f5ff5fc609050b5b26b12ded819b3eab6c2893e3fcbdbde67eacf44e5f28

SHA512
27a3d09d121c1bf3b6539a78c7f8ebe1a577a1b3e38cbe05f62afb430c59119d23eb8c91296e3467165c6eefaf1a10b4f82e6ca4a3459ae6f3a36e914cca9fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
07e57c84765b74be47240d5ae6fb3d58

SHA1
17322ee64ecce4239956466290d7b6c1119a0da2

SHA256
173dc1261ebe47bffba46a3f85378e9a404c797ee266922d1f03fb584ac640b6

SHA512
20872ebc6b855d392d93f4753a6b7271335cbb8b6d8006976269374bb3f7098a77f441ac0fb7642eb7c8bf36ebf116bb9ed57e46ec450cb71a8ecf68f3833d24

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1164-150-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1164-12-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1164-168-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1164-135-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1164-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1164-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1164-81-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3660-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3660-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads