dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054

Analysis

max time kernel
254s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
Size

603KB
MD5

9636e30156bd8efa96dc8f535ffdcd04
SHA1

2f62693f5d42d808e170b802b6d9e92fe488cd4b
SHA256

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054
SHA512

086af4eb065fcaf4dfb1eeaaea4ac5e7ceb18b9d60bb084e7dda66b672e1ee92c00a277d56a8ed6b74a7174b14ef0df06002c56fc787f0798681bd6c2db033e5
SSDEEP

12288:GIny5DYTmIfcKDQVZ4m1aIuBqGpyPq6B2sbQvlWF/qUqJ:oUTmIzCZ4mpukGpQqA8wE

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

752 installd.exe
1952 nethtsrv.exe
1764 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

pid	process
752	installd.exe
1952	nethtsrv.exe
1764	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exeinstalld.exenethtsrv.exe

pid	process
772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
752	installd.exe
772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
1952	nethtsrv.exe
1952	nethtsrv.exe
772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\installd.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

Drops file in Program Files directory 3 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exenet.exenet.exe

description	pid	process	target process
PID 772 wrote to memory of 704	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 772 wrote to memory of 704	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 772 wrote to memory of 704	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 772 wrote to memory of 704	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 704 wrote to memory of 1436	704	net.exe	net1.exe
PID 704 wrote to memory of 1436	704	net.exe	net1.exe
PID 704 wrote to memory of 1436	704	net.exe	net1.exe
PID 704 wrote to memory of 1436	704	net.exe	net1.exe
PID 772 wrote to memory of 536	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 772 wrote to memory of 536	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 772 wrote to memory of 536	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 772 wrote to memory of 536	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 536 wrote to memory of 1744	536	net.exe	net1.exe
PID 536 wrote to memory of 1744	536	net.exe	net1.exe
PID 536 wrote to memory of 1744	536	net.exe	net1.exe
PID 536 wrote to memory of 1744	536	net.exe	net1.exe
PID 772 wrote to memory of 752	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 772 wrote to memory of 752	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 772 wrote to memory of 752	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 772 wrote to memory of 752	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 772 wrote to memory of 752	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 772 wrote to memory of 752	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 772 wrote to memory of 752	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 772 wrote to memory of 1952	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	nethtsrv.exe
PID 772 wrote to memory of 1952	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	nethtsrv.exe
PID 772 wrote to memory of 1952	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	nethtsrv.exe
PID 772 wrote to memory of 1952	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	nethtsrv.exe
PID 772 wrote to memory of 1764	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	netupdsrv.exe
PID 772 wrote to memory of 1764	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	netupdsrv.exe
PID 772 wrote to memory of 1764	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	netupdsrv.exe
PID 772 wrote to memory of 1764	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	netupdsrv.exe
PID 772 wrote to memory of 1764	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	netupdsrv.exe
PID 772 wrote to memory of 1764	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	netupdsrv.exe
PID 772 wrote to memory of 1764	772	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
"C:\Users\Admin\AppData\Local\Temp\dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1436

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1744

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
eba8b375a3787e45e150bf1412dccbc0

SHA1
cee093da5eb62a569f97bed99650565776ed6fd5

SHA256
90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

SHA512
739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
8c4668e391002776b0e65ce8aed85f3f

SHA1
e4fdca61713422b3834d28f78290b8f899e42a55

SHA256
f575eb42fcf3d9031107e928729162bf3488a8f1641d20d71bb6a95f139c682d

SHA512
e0eb3e2335b1822ed81e9e68e90a09e27b64e9e7a28b47e3f76408e7eef9d751e140be52c0dbfc74ba0320ce2744d58e3f51a5a621e86357904e29541b0d0c38

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
074bb84e6f56e60fae7fc9558e44563e

SHA1
5ff50216ca65bc76eca4b8ffd2a2d8ff80626e63

SHA256
ff6b7de0943affa336d6276c800e89848fdcde886079d7ea811a61aa07866ca0

SHA512
51899423654d46ae2173f7cc7e7dad98dc44cbffbb15ec0f17760b24f345e7d3f419b11c2c9688abf15db788cdc5d0f048c3705875369a3490fc8a77a3395018

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
f4748642c5770656306c4de43233738c

SHA1
84029d7673444aa4d7d2d36e5fb9280560c11df5

SHA256
4a4765bc649f8e65b1c4ea80a73df7f69916ba621eb3ebf11dbb7b6687dd618d

SHA512
03a7315e27f221738a0590c93855e6ac73a551b491024a191d56eb776c6225d796cfba2e28e647426c775d3493052bda5986bfb6282a79d05db03f690cf6aa41

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
dc0b87dc9a35bfbcbe1f0e0a47a828f4

SHA1
31c588db9df594bae8c4d7511390000f83863457

SHA256
b6121353e8c9aac93e981df747cb23519f291c222137e4409b5fc46e1da93d56

SHA512
e7e7899c3256ef1d9d4abd4a5f3a9b12e731ebd9fac2b476d6f6d6db63c88e3b2c6dc0c38b9f9701054c4f0439cae47fe5a5e655900d2e60eb7f3f663ba61f75

Download Submit
\Users\Admin\AppData\Local\Temp\nsp40BB.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsp40BB.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp40BB.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
eba8b375a3787e45e150bf1412dccbc0

SHA1
cee093da5eb62a569f97bed99650565776ed6fd5

SHA256
90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

SHA512
739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
eba8b375a3787e45e150bf1412dccbc0

SHA1
cee093da5eb62a569f97bed99650565776ed6fd5

SHA256
90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

SHA512
739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
8c4668e391002776b0e65ce8aed85f3f

SHA1
e4fdca61713422b3834d28f78290b8f899e42a55

SHA256
f575eb42fcf3d9031107e928729162bf3488a8f1641d20d71bb6a95f139c682d

SHA512
e0eb3e2335b1822ed81e9e68e90a09e27b64e9e7a28b47e3f76408e7eef9d751e140be52c0dbfc74ba0320ce2744d58e3f51a5a621e86357904e29541b0d0c38

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
074bb84e6f56e60fae7fc9558e44563e

SHA1
5ff50216ca65bc76eca4b8ffd2a2d8ff80626e63

SHA256
ff6b7de0943affa336d6276c800e89848fdcde886079d7ea811a61aa07866ca0

SHA512
51899423654d46ae2173f7cc7e7dad98dc44cbffbb15ec0f17760b24f345e7d3f419b11c2c9688abf15db788cdc5d0f048c3705875369a3490fc8a77a3395018

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
f4748642c5770656306c4de43233738c

SHA1
84029d7673444aa4d7d2d36e5fb9280560c11df5

SHA256
4a4765bc649f8e65b1c4ea80a73df7f69916ba621eb3ebf11dbb7b6687dd618d

SHA512
03a7315e27f221738a0590c93855e6ac73a551b491024a191d56eb776c6225d796cfba2e28e647426c775d3493052bda5986bfb6282a79d05db03f690cf6aa41

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
dc0b87dc9a35bfbcbe1f0e0a47a828f4

SHA1
31c588db9df594bae8c4d7511390000f83863457

SHA256
b6121353e8c9aac93e981df747cb23519f291c222137e4409b5fc46e1da93d56

SHA512
e7e7899c3256ef1d9d4abd4a5f3a9b12e731ebd9fac2b476d6f6d6db63c88e3b2c6dc0c38b9f9701054c4f0439cae47fe5a5e655900d2e60eb7f3f663ba61f75

Download Submit
memory/536-61-0x0000000000000000-mapping.dmp

Download
memory/704-58-0x0000000000000000-mapping.dmp

Download
memory/752-64-0x0000000000000000-mapping.dmp

Download
memory/772-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/772-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/772-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1436-59-0x0000000000000000-mapping.dmp

Download
memory/1744-62-0x0000000000000000-mapping.dmp

Download
memory/1764-77-0x0000000000000000-mapping.dmp

Download
memory/1952-71-0x0000000000000000-mapping.dmp

Download