netdooka | 07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4

General

Target

07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe
Size

54KB
MD5

7d6fff4ae0c7ffd8d68486d2df914087
SHA1

dc65e3e4c4fb12691fa70f964081600adb18a2ae
SHA256

07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4
SHA512

a71ae0c58978c655141670d65649baab3c9e964936e7a9faa4a31ec95f838e691741dc9d230496de494d3ccd5b39b09482f6b317bff8d00c59ef61c322b6b8c4

Score

10^/10

netdooka evasion loader persistence rat

Malware Config

Extracted

Family

netdooka

C2

http://93.115.21.45/gtaddress

Signatures

NetDooka
NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.
loader rat netdooka
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 2 IoCs

Processes:

min_id_resolver.exemin_id_resolver.exe

pid process

1700 min_id_resolver.exe
1264 min_id_resolver.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1700	min_id_resolver.exe
1264	min_id_resolver.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Avira	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe

Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe	cmd.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1168 sc.exe
1536 sc.exe
1816 sc.exe
1848 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

940 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

min_id_resolver.exemin_id_resolver.exe

description pid process

Token: SeDebugPrivilege 1700 min_id_resolver.exe
Token: SeDebugPrivilege 1264 min_id_resolver.exe

pid	process
1168	sc.exe
1536	sc.exe
1816	sc.exe
1848	sc.exe

pid	process
940	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1700	min_id_resolver.exe
Token: SeDebugPrivilege	1264	min_id_resolver.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe

description	pid	process	target process
PID 480 wrote to memory of 940	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	PING.EXE
PID 480 wrote to memory of 940	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	PING.EXE
PID 480 wrote to memory of 940	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	PING.EXE
PID 480 wrote to memory of 940	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	PING.EXE
PID 480 wrote to memory of 2032	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	cmd.exe
PID 480 wrote to memory of 2032	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	cmd.exe
PID 480 wrote to memory of 2032	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	cmd.exe
PID 480 wrote to memory of 2032	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	cmd.exe
PID 480 wrote to memory of 1848	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1848	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1848	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1848	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1168	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1168	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1168	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1168	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1536	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1536	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1536	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1536	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1816	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1816	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1816	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe
PID 480 wrote to memory of 1816	480	07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe
"C:\Users\Admin\AppData\Local\Temp\07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe"
1⤵
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" 22.61.56.108 -n 4
  2⤵
  - Runs ping.exe
  PID:940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4.exe" "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe"
  2⤵
  - Drops file in Program Files directory
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create SecureElementDataSrv binpath= "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected"
  2⤵
  - Launches sc.exe
  PID:1848
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start SecureElementDataSrv
  2⤵
  - Launches sc.exe
  PID:1168
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop SecureElementDataSrv
  2⤵
  - Launches sc.exe
  PID:1536
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start SecureElementDataSrv
  2⤵
  - Launches sc.exe
  PID:1816

C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
"C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe" delected
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
"C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe" delected
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Privilege Escalation

New Service

1

T1050

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Remote System Discovery

1

T1018

Security Software Discovery

1

T1063

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe

Filesize
54KB

MD5
7d6fff4ae0c7ffd8d68486d2df914087

SHA1
dc65e3e4c4fb12691fa70f964081600adb18a2ae

SHA256
07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4

SHA512
a71ae0c58978c655141670d65649baab3c9e964936e7a9faa4a31ec95f838e691741dc9d230496de494d3ccd5b39b09482f6b317bff8d00c59ef61c322b6b8c4

Download Submit
C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe

Filesize
54KB

MD5
7d6fff4ae0c7ffd8d68486d2df914087

SHA1
dc65e3e4c4fb12691fa70f964081600adb18a2ae

SHA256
07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4

SHA512
a71ae0c58978c655141670d65649baab3c9e964936e7a9faa4a31ec95f838e691741dc9d230496de494d3ccd5b39b09482f6b317bff8d00c59ef61c322b6b8c4

Download Submit
C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe

Filesize
54KB

MD5
7d6fff4ae0c7ffd8d68486d2df914087

SHA1
dc65e3e4c4fb12691fa70f964081600adb18a2ae

SHA256
07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4

SHA512
a71ae0c58978c655141670d65649baab3c9e964936e7a9faa4a31ec95f838e691741dc9d230496de494d3ccd5b39b09482f6b317bff8d00c59ef61c322b6b8c4

Download Submit
memory/480-54-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/480-55-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/940-56-0x0000000000000000-mapping.dmp

Download
memory/1168-59-0x0000000000000000-mapping.dmp

Download
memory/1536-64-0x0000000000000000-mapping.dmp

Download
memory/1700-62-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/1816-65-0x0000000000000000-mapping.dmp

Download
memory/1848-58-0x0000000000000000-mapping.dmp

Download
memory/2032-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads