netdooka | bd59e50bd956f6ef82d05a2a9f945543cc3c4868a6916f772b6f53d51f804903

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
Size

660KB
MD5

54a315b26c66694821fb2091ef865f7f
SHA1

9f79ec5e7845bd33a58124fd3d10637a20630bb5
SHA256

4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef
SHA512

625e851ddedd83103d1b27c25bdb8428e8aab9321436d48668112dd887f9ede5655b4f5b13d69e656bae522951c50cedd53426de725788ba5697089e81156814
SSDEEP

12288:nBxT3SKVIC9HdFEtttJl3Mob+60MCV94D0cIegdu1oeK/lGRgOUqmq9kR6lhKXhh:BxT3ZVB9HdFQPl3M06MCV9k0DegduieE

Score

10^/10

netdooka loader rat

Malware Config

Extracted

Family

netdooka

Signatures

NetDooka
NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.
loader rat netdooka

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88

C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
"C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
  "C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe"
  2⤵
  PID:3808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3540-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3540-1-0x00000000022F0000-0x0000000002350000-memory.dmp

Filesize
384KB

Download
memory/3540-2-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3540-3-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3540-4-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3540-5-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3540-6-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3540-7-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3540-8-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/3540-9-0x0000000003450000-0x0000000003452000-memory.dmp

Filesize
8KB

Download
memory/3540-10-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3540-11-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/3540-12-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3540-13-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3540-15-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3540-16-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3540-14-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3540-17-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/3540-18-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3540-19-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3540-20-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/3540-21-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/3540-22-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3540-23-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/3540-24-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/3540-25-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3540-26-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3540-27-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3540-28-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3540-30-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/3540-29-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3540-31-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3540-32-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3540-33-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/3540-34-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3540-35-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/3540-36-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/3540-52-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3540-53-0x00000000022F0000-0x0000000002350000-memory.dmp

Filesize
384KB

Download
memory/3808-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-43-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3808-44-0x0000000073310000-0x0000000073AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3808-45-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3808-46-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3808-47-0x00000000024B0000-0x00000000024D2000-memory.dmp

Filesize
136KB

Download
memory/3808-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-51-0x0000000073310000-0x0000000073AC0000-memory.dmp

Filesize
7.7MB

Download