netdooka | 531f6cb76127ead379d0315a7ef1a3fc61d8fff1582aa6e4f77cc73259b3e1f2

Analysis

max time kernel
98s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe
Size

44KB
MD5

6760dd5d71565ac0cd4cbafcfcea5ff1
SHA1

384d6268d8c62bb1273493dc5a57185680b55739
SHA256

531f6cb76127ead379d0315a7ef1a3fc61d8fff1582aa6e4f77cc73259b3e1f2
SHA512

4779383cb099bc1ae96461b6b07001dc3efd198695f15eaa87705c1c6c94baf89b00b29f892164d2db77d3185c11ef4378a09aca36b4c4f504e6b82f3a017c8f
SSDEEP

768:ySuMLCCb8qs0z3NbVR1ZWTO1Wi+Ys46Aj4z9N9G8Iug3r0PggzQp7j5ALyspH:sMlbXzdz2TahTs4a9Nw8acgGKj5NsJ

Score

10^/10

netdooka discovery loader rat

Malware Config

Extracted

Family

netdooka

http://93.115.21.45/gtaddress

Signatures

NetDooka
NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.
loader rat netdooka
Netdooka family
netdooka

Executes dropped EXE 1 IoCs

pid	Process
2628	interlock_storage_8_57.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	2628	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	interlock_storage_8_57.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3524	ping.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3524	ping.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3524	4856	531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe	82
PID 4856 wrote to memory of 3524	4856	531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe	82
PID 4856 wrote to memory of 2628	4856	531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe	92
PID 4856 wrote to memory of 2628	4856	531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe	92
PID 4856 wrote to memory of 2628	4856	531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe	92

C:\Users\Admin\AppData\Local\Temp\531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe
"C:\Users\Admin\AppData\Local\Temp\531F6CB76127EAD379D0315A7EF1A3FC61D8FFF1582AA6E4F77CC73259B3E1F2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SYSTEM32\ping.exe
  "ping.exe" 5.4.3.1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3524
- C:\Users\Admin\AppData\Local\Temp\interlock_storage_8_57.exe
  "C:\Users\Admin\AppData\Local\Temp\\interlock_storage_8_57.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 832
    3⤵
    - Program crash
    PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2628 -ip 2628
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\interlock_storage_8_57.exe

Filesize
36KB

MD5
4f6d5d0ba1aa54880f1bcce5ed4858a4

SHA1
06d7f2150ebe20a6c3a0e65a46459b5fe2e9ceb2

SHA256
1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72

SHA512
fa78f6a16ded41d10bf5a09bfc849452b21e9f0b9d9fe29e9162811aae5912264bf117f30cf2dfd443fa073b925e999ba484ecb6f38b7d8a0f05d839ee40792f

Download Submit
memory/2628-11-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/2628-12-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/2628-13-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/4856-0-0x00007FFA742D5000-0x00007FFA742D6000-memory.dmp

Filesize
4KB

Download
memory/4856-1-0x00007FFA74020000-0x00007FFA749C1000-memory.dmp

Filesize
9.6MB

Download
memory/4856-2-0x00007FFA74020000-0x00007FFA749C1000-memory.dmp

Filesize
9.6MB

Download
memory/4856-3-0x00007FFA742D5000-0x00007FFA742D6000-memory.dmp

Filesize
4KB

Download
memory/4856-4-0x00007FFA74020000-0x00007FFA749C1000-memory.dmp

Filesize
9.6MB

Download
memory/4856-10-0x00007FFA74020000-0x00007FFA749C1000-memory.dmp

Filesize
9.6MB

Download