Overview

overview

10

Static

static

1cc21e3bbf...72.exe

windows7_x64

10

1cc21e3bbf...72.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10-06-2022 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72.exe

  • Size

    36KB

  • MD5

    4f6d5d0ba1aa54880f1bcce5ed4858a4

  • SHA1

    06d7f2150ebe20a6c3a0e65a46459b5fe2e9ceb2

  • SHA256

    1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72

  • SHA512

    fa78f6a16ded41d10bf5a09bfc849452b21e9f0b9d9fe29e9162811aae5912264bf117f30cf2dfd443fa073b925e999ba484ecb6f38b7d8a0f05d839ee40792f

Score
10/10
netdookaevasionloaderpersistencerat

Malware Config

Extracted

Family

netdooka

C2

http://93.115.21.45/gtaddress

Signatures

  • NetDooka

    NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.

    loaderratnetdooka
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72.exe
    "C:\Users\Admin\AppData\Local\Temp\1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72.exe"
    1⤵
    • Checks for any installed AV software in registry
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" 22.61.56.108 -n 4
      2⤵
      • Runs ping.exe
      PID:1108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72.exe" "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe"
      2⤵
      • Drops file in Program Files directory
      PID:1992
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create SecureElementDataSrv binpath= "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected"
      2⤵
      • Launches sc.exe
      PID:948
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start SecureElementDataSrv
      2⤵
      • Launches sc.exe
      PID:1720
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop SecureElementDataSrv
      2⤵
      • Launches sc.exe
      PID:1632
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start SecureElementDataSrv
      2⤵
      • Launches sc.exe
      PID:1960
  • C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
    "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe" delected
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:288
  • C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
    "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe" delected
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Privilege Escalation

New Service

1
T1050

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Security Software Discovery

1
T1063

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
    Filesize

    36KB

    MD5

    4f6d5d0ba1aa54880f1bcce5ed4858a4

    SHA1

    06d7f2150ebe20a6c3a0e65a46459b5fe2e9ceb2

    SHA256

    1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72

    SHA512

    fa78f6a16ded41d10bf5a09bfc849452b21e9f0b9d9fe29e9162811aae5912264bf117f30cf2dfd443fa073b925e999ba484ecb6f38b7d8a0f05d839ee40792f

    Download Submit
  • C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
    Filesize

    36KB

    MD5

    4f6d5d0ba1aa54880f1bcce5ed4858a4

    SHA1

    06d7f2150ebe20a6c3a0e65a46459b5fe2e9ceb2

    SHA256

    1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72

    SHA512

    fa78f6a16ded41d10bf5a09bfc849452b21e9f0b9d9fe29e9162811aae5912264bf117f30cf2dfd443fa073b925e999ba484ecb6f38b7d8a0f05d839ee40792f

    Download Submit
  • C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
    Filesize

    36KB

    MD5

    4f6d5d0ba1aa54880f1bcce5ed4858a4

    SHA1

    06d7f2150ebe20a6c3a0e65a46459b5fe2e9ceb2

    SHA256

    1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72

    SHA512

    fa78f6a16ded41d10bf5a09bfc849452b21e9f0b9d9fe29e9162811aae5912264bf117f30cf2dfd443fa073b925e999ba484ecb6f38b7d8a0f05d839ee40792f

    Download Submit
  • memory/288-62-0x0000000001250000-0x0000000001260000-memory.dmp
    Filesize

    64KB

    Download
  • memory/884-54-0x0000000001170000-0x0000000001180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/884-55-0x0000000074C81000-0x0000000074C83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/948-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1108-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1632-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1720-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1960-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1992-57-0x0000000000000000-mapping.dmp
    Download