Analysis

  • max time kernel
    52s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 13:12

General

  • Target

    531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe

  • Size

    44KB

  • MD5

    6760dd5d71565ac0cd4cbafcfcea5ff1

  • SHA1

    384d6268d8c62bb1273493dc5a57185680b55739

  • SHA256

    531f6cb76127ead379d0315a7ef1a3fc61d8fff1582aa6e4f77cc73259b3e1f2

  • SHA512

    4779383cb099bc1ae96461b6b07001dc3efd198695f15eaa87705c1c6c94baf89b00b29f892164d2db77d3185c11ef4378a09aca36b4c4f504e6b82f3a017c8f

  • SSDEEP

    768:ySuMLCCb8qs0z3NbVR1ZWTO1Wi+Ys46Aj4z9N9G8Iug3r0PggzQp7j5ALyspH:sMlbXzdz2TahTs4a9Nw8acgGKj5NsJ

Malware Config

Extracted

Family

netdooka

C2

http://93.115.21.45/gtaddress

Signatures

  • NetDooka

    NetDooka is a malware framework, written in C#, that is distributed through a pay-per-install (PPI) service.

  • Netdooka family
  • Creates new service(s) 2 TTPs
  • Executes dropped EXE 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility for controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe
    "C:\Users\Admin\AppData\Local\Temp\531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\system32\ping.exe
      "ping.exe" 5.4.3.1
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2792
    • C:\Users\Admin\AppData\Local\Temp\interlock_storage_8_57.exe
      "C:\Users\Admin\AppData\Local\Temp\\interlock_storage_8_57.exe"
      2⤵
      • Executes dropped EXE
      • Checks for any installed AV software in registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\System32\PING.EXE" 22.61.56.108 -n 4
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\interlock_storage_8_57.exe" "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe"
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:2744
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" create SecureElementDataSrv binpath= "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected"
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2660
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" start SecureElementDataSrv
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2668
  • C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe
    "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe" delected
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1440

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\interlock_storage_8_57.exe

    Filesize

    36KB

    MD5

    4f6d5d0ba1aa54880f1bcce5ed4858a4

    SHA1

    06d7f2150ebe20a6c3a0e65a46459b5fe2e9ceb2

    SHA256

    1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72

    SHA512

    fa78f6a16ded41d10bf5a09bfc849452b21e9f0b9d9fe29e9162811aae5912264bf117f30cf2dfd443fa073b925e999ba484ecb6f38b7d8a0f05d839ee40792f

  • memory/1440-19-0x0000000001150000-0x0000000001160000-memory.dmp

    Filesize

    64KB

  • memory/1856-0-0x000007FEF66CE000-0x000007FEF66CF000-memory.dmp

    Filesize

    4KB

  • memory/1856-1-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

    Filesize

    9.6MB

  • memory/1856-2-0x000007FEF66CE000-0x000007FEF66CF000-memory.dmp

    Filesize

    4KB

  • memory/1856-3-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

    Filesize

    9.6MB

  • memory/1856-11-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

    Filesize

    9.6MB

  • memory/2764-12-0x00000000749EE000-0x00000000749EF000-memory.dmp

    Filesize

    4KB

  • memory/2764-13-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

    Filesize

    64KB

  • memory/2764-14-0x00000000749EE000-0x00000000749EF000-memory.dmp

    Filesize

    4KB