netdooka | 5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54

Analysis

max time kernel
94s
max time network
96s
platform
windows7_x64
resource
win7-20220414-en
submitted
10-06-2022 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe
Size

47KB
MD5

0d225faf96ee8d83cb69fbfcceba98bc
SHA1

a7b3c081b405cccfd55b8e64a6922fbc69bd733c
SHA256

5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54
SHA512

dbc0501e031e711a756519dd4dbe83fc18ecc2f25fed205ef5d9fdc7b9e54e5dd6995250bcfa494e26e8f12a497842987af490f82d787033931306aec07edfd9

Score

10^/10

netdooka loader persistence rat

Malware Config

Extracted

Family

netdooka

http://93.115.21.45/gtaddress

Signatures

NetDooka
NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.
loader rat netdooka
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\etc\hosts	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe

Executes dropped EXE 1 IoCs

pid	Process
1596	min_id_resolver.exe

Deletes itself 1 IoCs

pid	Process
280	cmd.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Avira	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe
Key opened	\REGISTRY\MACHINE\Software\Avira	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD	min_id_resolver.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD	min_id_resolver.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26E638C519997CC5D7E38BA592ADCFA9	min_id_resolver.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26E638C519997CC5D7E38BA592ADCFA9	min_id_resolver.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\ExMultimediaStorage\min_id_resolver.exe	cmd.exe
File opened for modification	C:\Program Files\ExMultimediaStorage\min_id_resolver.exe	cmd.exe
File created	C:\Program Files\ExMultimediaStorage\conf.xml	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1504	sc.exe
1428	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
628	schtasks.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	min_id_resolver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	min_id_resolver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	min_id_resolver.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1476	PING.EXE
1792	PING.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1476	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	28
PID 684 wrote to memory of 1476	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	28
PID 684 wrote to memory of 1476	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	28
PID 684 wrote to memory of 544	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	30
PID 684 wrote to memory of 544	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	30
PID 684 wrote to memory of 544	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	30
PID 684 wrote to memory of 1504	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	32
PID 684 wrote to memory of 1504	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	32
PID 684 wrote to memory of 1504	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	32
PID 684 wrote to memory of 1428	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	34
PID 684 wrote to memory of 1428	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	34
PID 684 wrote to memory of 1428	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	34
PID 684 wrote to memory of 740	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	37
PID 684 wrote to memory of 740	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	37
PID 684 wrote to memory of 740	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	37
PID 684 wrote to memory of 628	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	38
PID 684 wrote to memory of 628	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	38
PID 684 wrote to memory of 628	684	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	38
PID 740 wrote to memory of 1140	740	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	40
PID 740 wrote to memory of 1140	740	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	40
PID 740 wrote to memory of 1140	740	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	40
PID 740 wrote to memory of 280	740	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	42
PID 740 wrote to memory of 280	740	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	42
PID 740 wrote to memory of 280	740	5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe	42
PID 280 wrote to memory of 1792	280	cmd.exe	44
PID 280 wrote to memory of 1792	280	cmd.exe	44
PID 280 wrote to memory of 1792	280	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe
"C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe"
1⤵
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\System32\PING.EXE
  "C:\Windows\System32\PING.EXE" 22.61.56.108 -n 4
  2⤵
  - Runs ping.exe
  PID:1476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe" "C:\Program Files\ExMultimediaStorage\min_id_resolver.exe"
  2⤵
  - Drops file in Program Files directory
  PID:544
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" create SecureElementDataSrv binpath= "C:\Program Files\ExMultimediaStorage\min_id_resolver.exe delected"
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start SecureElementDataSrv
  2⤵
  - Launches sc.exe
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe
  "C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe" emulate -v -sh
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Program Files\ExMultimediaStorage\reloadbitex.exe"
    3⤵
    PID:1140
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 8.8.8.8 -n 6 -w 3100 > Nul & echo 0 > "C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe" & for /L %n in (1,1,2048) do @echo jovyhjjfujfijifjifjifujfijfijfdufdjojfduhfdfijddfjdufjdfdjifdjii >> "C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Windows\system32\PING.EXE
      ping 8.8.8.8 -n 6 -w 3100
      4⤵
      Runs ping.exe
      PID:1792
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /XML "C:\Program Files\ExMultimediaStorage\conf.xml" /tn ErmodeInstller
  2⤵
  - Creates scheduled task(s)
  PID:628

C:\Program Files\ExMultimediaStorage\min_id_resolver.exe
"C:\Program Files\ExMultimediaStorage\min_id_resolver.exe" delected
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ExMultimediaStorage\conf.xml

Filesize
897B

MD5
0c042624521cffa752cc34d2d54645cf

SHA1
bc9f1cc6133220f21ba721dde3ed2b92f383d787

SHA256
87df8072d9c8ba7c695aed98cea3cf4a0f359a514f9c30419fd0eaa53538a0b1

SHA512
3333e9de599b14d09c08975ec83c6ac3d7793437f4fed865d2bd91f01cd7042b247a997d91a0b7ee573273dcdf4ade2570c26e5e0a7fc2aa116ae4ffe8813bc5

Download Submit
C:\Program Files\ExMultimediaStorage\min_id_resolver.exe

Filesize
47KB

MD5
0d225faf96ee8d83cb69fbfcceba98bc

SHA1
a7b3c081b405cccfd55b8e64a6922fbc69bd733c

SHA256
5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54

SHA512
dbc0501e031e711a756519dd4dbe83fc18ecc2f25fed205ef5d9fdc7b9e54e5dd6995250bcfa494e26e8f12a497842987af490f82d787033931306aec07edfd9

Download Submit
C:\Program Files\ExMultimediaStorage\min_id_resolver.exe

Filesize
47KB

MD5
0d225faf96ee8d83cb69fbfcceba98bc

SHA1
a7b3c081b405cccfd55b8e64a6922fbc69bd733c

SHA256
5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54

SHA512
dbc0501e031e711a756519dd4dbe83fc18ecc2f25fed205ef5d9fdc7b9e54e5dd6995250bcfa494e26e8f12a497842987af490f82d787033931306aec07edfd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26E638C519997CC5D7E38BA592ADCFA9

Filesize
524B

MD5
c9278e2a24ebada268cbc73701dc4672

SHA1
e8194ee0a5f71ccef82c8260fb845d403acfc9a4

SHA256
8b6881045e2f3887168c90126e1c0d9ab14b6b694c71f41e38b347349d57d37b

SHA512
7baf226f1fa0b019808475d6e4867b365751379e66f2145ca1b3c592b2017e6e82c1f5a88932d00990b8f4dbf3784ff8950646eada3662161929a7d306a723eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26E638C519997CC5D7E38BA592ADCFA9

Filesize
280B

MD5
91d36c28908e4261b1ec0797ca92ab00

SHA1
6b065f328f32b7bf48a41cb158c84cbb66301635

SHA256
149f1028dc8edc6e9b89818a7cf0f73937ce5814d69c59bbc0d62cb2dac9745a

SHA512
ece405c4a7a7cbf7a5fda8169819caf4972c0de17805f5d2e74ce940dbaed00ac0b51db90e802af7c324ac4625b83693f1f9b3e7ba115f16e42800772571588b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
455e51e2e8051a63e213b711c12df27c

SHA1
cabc89781a8dc1bd6c1c23389b066060c678f2d4

SHA256
d334471c0f0ee5288c4ddb63c042493c37504aecad49fa40f449557a9bf8c460

SHA512
b3fe532008648600bc407bddd0a06faceb2c289cd473e2e6b3c6f0fd2f2ea87c40422f3a096b1e6a45cd22972fc6e571916f0f71ada4c500cd85031685855d69

Download Submit
memory/684-54-0x000007FEF3720000-0x000007FEF4143000-memory.dmp

Filesize
10.1MB

Download
memory/684-55-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/740-69-0x000007FEF3720000-0x000007FEF4143000-memory.dmp

Filesize
10.1MB

Download
memory/1596-62-0x000007FEF3720000-0x000007FEF4143000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads