mydoom | 0068c64392a9a39ef837cf6ebcae5e57e56caf3edff4796cea900532e74b72be

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Email-Worm.MyDoom.M.exe
Size

40KB
MD5

a787dc1219ef5f319246fd848afccc5f
SHA1

0d199e91ae3c06403afd15bd6c051b0c65aae422
SHA256

a1b092b57018640fea82c46da2d79f6c008ee74864da03839144b52d91e9f842
SHA512

8659c8b75833020cb59c0876286a21e271aa9865eac7011b6dc1044a337d5d93ce9fdf4de69ecee4525d94f056b0e78521bbda9d11dfb05b22c88de056251430
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHnhvr:aqk/Zdic/qjh8w19JDHnhz

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 2 IoCs

resource	yara_rule
behavioral2/memory/1488-0-0x0000000000500000-0x000000000050D000-memory.dmp	family_mydoom
behavioral2/files/0x00150000000240a7-38.dat	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
4500	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	Email-Worm.MyDoom.M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000024225-4.dat	upx
behavioral2/memory/4500-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-272-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4500-275-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	Email-Worm.MyDoom.M.exe
File opened for modification	C:\Windows\java.exe	Email-Worm.MyDoom.M.exe
File created	C:\Windows\java.exe	Email-Worm.MyDoom.M.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Email-Worm.MyDoom.M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4500	1488	Email-Worm.MyDoom.M.exe	85
PID 1488 wrote to memory of 4500	1488	Email-Worm.MyDoom.M.exe	85
PID 1488 wrote to memory of 4500	1488	Email-Worm.MyDoom.M.exe	85

C:\Users\Admin\AppData\Local\Temp\Email-Worm.MyDoom.M.exe
"C:\Users\Admin\AppData\Local\Temp\Email-Worm.MyDoom.M.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YBYQYG0\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LK221CO5\search[4].htm

Filesize
123KB

MD5
3faa11f7c637424d7869c93bd3c5179b

SHA1
d799fcd7b1ef079413fd0e7f8863991bbdd92e20

SHA256
6b50305affa68f02184a2bb1b47526dd4b1e6786c544dd4401ca9269a7d89b4f

SHA512
a089a673696e78e7e5287931dd4985b1bf2c51b24ef75a45ea8a3611f76c00f5c5bccbd260a8765f4cb7d5222e183441ca0ed77ecf1591d15043d8818ddcf05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41E8.tmp

Filesize
40KB

MD5
1c1e89551ea9abafb7fa719d741b7c22

SHA1
7a90544a13aec741f4fd217eff08e5cd826cfadf

SHA256
b1bf8b0301a22619a72cfaa5c0e720e5ccaed26d4994a26a99138286cdfbe686

SHA512
157a24696b22877723002950db9c24eabd78ed4bbd163ca0f27f572fac84a31ba9050d7cf540943eb47868253d2bd3a8f607182f96c3b695b878096c1fec450d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ce395c3164843d64ebdda6e5ad5949ca

SHA1
3893e5ec2cee33a3aaba9e7919cec1aef06c0975

SHA256
f74a5d4e84b168a3b056f791bac53021e06774532a5f9e2b5175f8168885f4e7

SHA512
2ca89ad75272fece5a1663beddc25ed2d27e9ad4853b58d0159692ddd56a6749cd1aaa4954dadfe10926f73d0a727386b913244c2e646817243588e030b8ea11

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
122f388310eb6d3fb6a95a5f623a6f2a

SHA1
b704d51ea7fd25a8cf108d57f48b7980fa8c7058

SHA256
e18db0b4855fc14fd130ca8339d4c8876f78413487cb2b685f8164b761f11486

SHA512
6f1572fc5c206497e4cd2ca92f2d15ef85b7089f0d6455df94501a59fca3809673a46ae77ad000d10f20cd4bc9aa4211ea1b65166d7bd72a7577baf7aecb0e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0ac486aee5cd669ebfa4a29614040d43

SHA1
13072061ceac6b250d05d4db92f5e63fb0d92d7f

SHA256
41692d9eae32627a6de1fe321b3443ff27a263ecc73a6d4e4dd99d548b0c07fd

SHA512
091c9fd128f1fa891dcc56ed8d8eba9b808306112410b063947db7b2c28363b12130795144d70a537b446d82a15c90fe0c8d683940057723a5fe2d72539d11db

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
32B

MD5
a21d83db1dbf0ee55b65a8305f284653

SHA1
ee05c2f73bff1287bba82aba5dc34134ac9be42d

SHA256
9447b16547d19ef76c88db2672389460afa344cca27459c48672bf41e5644b8b

SHA512
2809e8b94eec17d83f4dbd75e39aa3b880cd9275a73cad703ee7757518560c32f4ec8236e31c403a239ab524fc7a2b96d1232e445550b501667af1cb7cd7b23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a75692f6829cb8872c3e42a4e713636a

SHA1
1e7ac27278cd6e109f9b39d6cfdc71780af899e1

SHA256
c184440befad95ce1458e7e334badc175108457f2c2cf4bc585ee6d78a272521

SHA512
2bf011ed6d86caecfb3b21669c2a4d19ddd5b336a46c7178e8e3f2d6e79b2ad685c943a1f5865ac088016eca02222c0baa448f7d594ee26f30cd8f9d07a04d49

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1488-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/4500-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-272-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4500-275-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads