Analysis

  • max time kernel
    254s
  • max time network
    336s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 10:10

General

  • Target

    dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

  • Size

    603KB

  • MD5

    9636e30156bd8efa96dc8f535ffdcd04

  • SHA1

    2f62693f5d42d808e170b802b6d9e92fe488cd4b

  • SHA256

    dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054

  • SHA512

    086af4eb065fcaf4dfb1eeaaea4ac5e7ceb18b9d60bb084e7dda66b672e1ee92c00a277d56a8ed6b74a7174b14ef0df06002c56fc787f0798681bd6c2db033e5

  • SSDEEP

    12288:GIny5DYTmIfcKDQVZ4m1aIuBqGpyPq6B2sbQvlWF/qUqJ:oUTmIzCZ4mpukGpQqA8wE

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
    "C:\Users\Admin\AppData\Local\Temp\dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\SysWOW64\net.exe
      net stop nethttpservice
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop nethttpservice
        3⤵
        PID:1436
    • C:\Windows\SysWOW64\net.exe
      net stop serviceupdater
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop serviceupdater
        3⤵
        PID:1744
    • C:\Windows\SysWOW64\installd.exe
      "C:\Windows\system32\installd.exe" nethfdrv
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:752
    • C:\Windows\SysWOW64\nethtsrv.exe
      "C:\Windows\system32\nethtsrv.exe" -nfdi
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1952
    • C:\Windows\SysWOW64\netupdsrv.exe
      "C:\Windows\system32\netupdsrv.exe" -nfdi
      2⤵
      • Executes dropped EXE
      PID:1764

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Windows\SysWOW64\hfnapi.dll

        Filesize

        106KB

        MD5

        eba8b375a3787e45e150bf1412dccbc0

        SHA1

        cee093da5eb62a569f97bed99650565776ed6fd5

        SHA256

        90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

        SHA512

        739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

      • C:\Windows\SysWOW64\hfpapi.dll

        Filesize

        244KB

        MD5

        8c4668e391002776b0e65ce8aed85f3f

        SHA1

        e4fdca61713422b3834d28f78290b8f899e42a55

        SHA256

        f575eb42fcf3d9031107e928729162bf3488a8f1641d20d71bb6a95f139c682d

        SHA512

        e0eb3e2335b1822ed81e9e68e90a09e27b64e9e7a28b47e3f76408e7eef9d751e140be52c0dbfc74ba0320ce2744d58e3f51a5a621e86357904e29541b0d0c38

      • C:\Windows\SysWOW64\installd.exe

        Filesize

        108KB

        MD5

        074bb84e6f56e60fae7fc9558e44563e

        SHA1

        5ff50216ca65bc76eca4b8ffd2a2d8ff80626e63

        SHA256

        ff6b7de0943affa336d6276c800e89848fdcde886079d7ea811a61aa07866ca0

        SHA512

        51899423654d46ae2173f7cc7e7dad98dc44cbffbb15ec0f17760b24f345e7d3f419b11c2c9688abf15db788cdc5d0f048c3705875369a3490fc8a77a3395018

      • C:\Windows\SysWOW64\nethtsrv.exe

        Filesize

        176KB

        MD5

        f4748642c5770656306c4de43233738c

        SHA1

        84029d7673444aa4d7d2d36e5fb9280560c11df5

        SHA256

        4a4765bc649f8e65b1c4ea80a73df7f69916ba621eb3ebf11dbb7b6687dd618d

        SHA512

        03a7315e27f221738a0590c93855e6ac73a551b491024a191d56eb776c6225d796cfba2e28e647426c775d3493052bda5986bfb6282a79d05db03f690cf6aa41

      • C:\Windows\SysWOW64\netupdsrv.exe

        Filesize

        159KB

        MD5

        dc0b87dc9a35bfbcbe1f0e0a47a828f4

        SHA1

        31c588db9df594bae8c4d7511390000f83863457

        SHA256

        b6121353e8c9aac93e981df747cb23519f291c222137e4409b5fc46e1da93d56

        SHA512

        e7e7899c3256ef1d9d4abd4a5f3a9b12e731ebd9fac2b476d6f6d6db63c88e3b2c6dc0c38b9f9701054c4f0439cae47fe5a5e655900d2e60eb7f3f663ba61f75

      • \Users\Admin\AppData\Local\Temp\nsp40BB.tmp\System.dll

        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      • \Users\Admin\AppData\Local\Temp\nsp40BB.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      • \Windows\SysWOW64\hfnapi.dll

        Filesize

        106KB

        MD5

        eba8b375a3787e45e150bf1412dccbc0

        SHA1

        cee093da5eb62a569f97bed99650565776ed6fd5

        SHA256

        90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

        SHA512

        739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

      • \Windows\SysWOW64\hfpapi.dll

        Filesize

        244KB

        MD5

        8c4668e391002776b0e65ce8aed85f3f

        SHA1

        e4fdca61713422b3834d28f78290b8f899e42a55

        SHA256

        f575eb42fcf3d9031107e928729162bf3488a8f1641d20d71bb6a95f139c682d

        SHA512

        e0eb3e2335b1822ed81e9e68e90a09e27b64e9e7a28b47e3f76408e7eef9d751e140be52c0dbfc74ba0320ce2744d58e3f51a5a621e86357904e29541b0d0c38

      • \Windows\SysWOW64\installd.exe

        Filesize

        108KB

        MD5

        074bb84e6f56e60fae7fc9558e44563e

        SHA1

        5ff50216ca65bc76eca4b8ffd2a2d8ff80626e63

        SHA256

        ff6b7de0943affa336d6276c800e89848fdcde886079d7ea811a61aa07866ca0

        SHA512

        51899423654d46ae2173f7cc7e7dad98dc44cbffbb15ec0f17760b24f345e7d3f419b11c2c9688abf15db788cdc5d0f048c3705875369a3490fc8a77a3395018

      • \Windows\SysWOW64\nethtsrv.exe

        Filesize

        176KB

        MD5

        f4748642c5770656306c4de43233738c

        SHA1

        84029d7673444aa4d7d2d36e5fb9280560c11df5

        SHA256

        4a4765bc649f8e65b1c4ea80a73df7f69916ba621eb3ebf11dbb7b6687dd618d

        SHA512

        03a7315e27f221738a0590c93855e6ac73a551b491024a191d56eb776c6225d796cfba2e28e647426c775d3493052bda5986bfb6282a79d05db03f690cf6aa41

      • \Windows\SysWOW64\netupdsrv.exe

        Filesize

        159KB

        MD5

        dc0b87dc9a35bfbcbe1f0e0a47a828f4

        SHA1

        31c588db9df594bae8c4d7511390000f83863457

        SHA256

        b6121353e8c9aac93e981df747cb23519f291c222137e4409b5fc46e1da93d56

        SHA512

        e7e7899c3256ef1d9d4abd4a5f3a9b12e731ebd9fac2b476d6f6d6db63c88e3b2c6dc0c38b9f9701054c4f0439cae47fe5a5e655900d2e60eb7f3f663ba61f75

      • memory/536-61-0x0000000000000000-mapping.dmp

      • memory/704-58-0x0000000000000000-mapping.dmp

      • memory/752-64-0x0000000000000000-mapping.dmp

      • memory/772-54-0x0000000076201000-0x0000000076203000-memory.dmp

        Filesize

        8KB

      • memory/772-69-0x0000000000360000-0x00000000007BE000-memory.dmp

        Filesize

        4.4MB

      • memory/772-55-0x0000000000360000-0x00000000007BE000-memory.dmp

        Filesize

        4.4MB

      • memory/1436-59-0x0000000000000000-mapping.dmp

      • memory/1744-62-0x0000000000000000-mapping.dmp

      • memory/1764-77-0x0000000000000000-mapping.dmp

      • memory/1952-71-0x0000000000000000-mapping.dmp