Analysis

  • max time kernel
    136s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10-06-2022 15:37

General

  • Target

    8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e.exe

  • Size

    36KB

  • MD5

    a00a73cdc75178a115112a584c5a4dbf

  • SHA1

    0a862f5f6b8dd211e966e74a3de3e4f1224bae6d

  • SHA256

    8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e

  • SHA512

    91e30c84c03e46a9c232b7d628d280b841c5391be7e871b8b1b117422e41dd732a23ec8fe71126e1a38ac69ee1b7f190c666f637cf5cae358cac374c6d114cff

Malware Config

Extracted

Family

netdooka

C2

http://93.115.21.45/gtaddress

Signatures

  • NetDooka

    NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e.exe
    "C:\Users\Admin\AppData\Local\Temp\8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e.exe"
    1⤵
    • Checks for any installed AV software in registry
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" 22.61.56.108 -n 4
      2⤵
      • Runs ping.exe
      PID:1280
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e.exe" "C:\Program Files\ExMultimediaStorage\min_id_resolver.exe"
      2⤵
      • Drops file in Program Files directory
      PID:856
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" create SecureElementDataSrv binpath= "C:\Program Files\ExMultimediaStorage\min_id_resolver.exe delected"
      2⤵
      • Launches sc.exe
      PID:632
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" start SecureElementDataSrv
      2⤵
      • Launches sc.exe
      PID:780
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" stop SecureElementDataSrv
      2⤵
      • Launches sc.exe
      PID:1392
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" start SecureElementDataSrv
      2⤵
      • Launches sc.exe
      PID:1992
  • C:\Program Files\ExMultimediaStorage\min_id_resolver.exe
    "C:\Program Files\ExMultimediaStorage\min_id_resolver.exe" delected
    1⤵
    • Executes dropped EXE
    PID:584
  • C:\Program Files\ExMultimediaStorage\min_id_resolver.exe
    "C:\Program Files\ExMultimediaStorage\min_id_resolver.exe" delected
    1⤵
    • Executes dropped EXE
    PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Privilege Escalation

New Service

1
T1050

Defense Evasion

Impair Defenses

1
T1562

Discovery

Security Software Discovery

1
T1063

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\ExMultimediaStorage\min_id_resolver.exe
    Filesize

    36KB

    MD5

    a00a73cdc75178a115112a584c5a4dbf

    SHA1

    0a862f5f6b8dd211e966e74a3de3e4f1224bae6d

    SHA256

    8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e

    SHA512

    91e30c84c03e46a9c232b7d628d280b841c5391be7e871b8b1b117422e41dd732a23ec8fe71126e1a38ac69ee1b7f190c666f637cf5cae358cac374c6d114cff

  • C:\Program Files\ExMultimediaStorage\min_id_resolver.exe
    Filesize

    36KB

    MD5

    a00a73cdc75178a115112a584c5a4dbf

    SHA1

    0a862f5f6b8dd211e966e74a3de3e4f1224bae6d

    SHA256

    8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e

    SHA512

    91e30c84c03e46a9c232b7d628d280b841c5391be7e871b8b1b117422e41dd732a23ec8fe71126e1a38ac69ee1b7f190c666f637cf5cae358cac374c6d114cff

  • C:\Program Files\ExMultimediaStorage\min_id_resolver.exe
    Filesize

    36KB

    MD5

    a00a73cdc75178a115112a584c5a4dbf

    SHA1

    0a862f5f6b8dd211e966e74a3de3e4f1224bae6d

    SHA256

    8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e

    SHA512

    91e30c84c03e46a9c232b7d628d280b841c5391be7e871b8b1b117422e41dd732a23ec8fe71126e1a38ac69ee1b7f190c666f637cf5cae358cac374c6d114cff

  • memory/584-62-0x000007FEF3350000-0x000007FEF3D73000-memory.dmp
    Filesize

    10.1MB

  • memory/632-58-0x0000000000000000-mapping.dmp
  • memory/780-59-0x0000000000000000-mapping.dmp
  • memory/856-57-0x0000000000000000-mapping.dmp
  • memory/1180-66-0x000007FEF3350000-0x000007FEF3D73000-memory.dmp
    Filesize

    10.1MB

  • memory/1280-56-0x0000000000000000-mapping.dmp
  • memory/1392-63-0x0000000000000000-mapping.dmp
  • memory/1708-54-0x000007FEF3350000-0x000007FEF3D73000-memory.dmp
    Filesize

    10.1MB

  • memory/1708-55-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
    Filesize

    8KB

  • memory/1992-64-0x0000000000000000-mapping.dmp