Analysis

  • max time kernel
    60s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10-06-2022 15:37

General

  • Target

    76ed2ef41db9ec357168cd38daeff1079458af868a037251d3fec36de1b72086.exe

  • Size

    218KB

  • MD5

    7804c8a590250469feed31c85da8acf3

  • SHA1

    bdc5e81cf0cdb4b09f8e05826110b42b78e1bd16

  • SHA256

    76ed2ef41db9ec357168cd38daeff1079458af868a037251d3fec36de1b72086

  • SHA512

    17743414c5e80686dd0124661570533791df27f14c75452e89e0de5030b2535f2edac4bad349168e2564aee0058f539eec4dc1899b29713d9d90f5b0f8e450a5

Score
10/10

Malware Config

Extracted

Family

netdooka

C2

http://93.115.21.45/gtaddress

Signatures

  • NetDooka

    NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76ed2ef41db9ec357168cd38daeff1079458af868a037251d3fec36de1b72086.exe
    "C:\Users\Admin\AppData\Local\Temp\76ed2ef41db9ec357168cd38daeff1079458af868a037251d3fec36de1b72086.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" 23.18.9.8 -n 3
      2⤵
      • Runs ping.exe
      PID:1956
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 848 -s 1244
      2⤵
      • Program crash
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/848-54-0x0000000000AD0000-0x0000000000B0C000-memory.dmp

    Filesize

    240KB

  • memory/848-55-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

    Filesize

    8KB