dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054

Analysis

max time kernel
327s
max time network
342s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
Size

603KB
MD5

9636e30156bd8efa96dc8f535ffdcd04
SHA1

2f62693f5d42d808e170b802b6d9e92fe488cd4b
SHA256

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054
SHA512

086af4eb065fcaf4dfb1eeaaea4ac5e7ceb18b9d60bb084e7dda66b672e1ee92c00a277d56a8ed6b74a7174b14ef0df06002c56fc787f0798681bd6c2db033e5
SSDEEP

12288:GIny5DYTmIfcKDQVZ4m1aIuBqGpyPq6B2sbQvlWF/qUqJ:oUTmIzCZ4mpukGpQqA8wE

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
Executes dropped EXE 2 IoCs

Processes:

installd.exenethtsrv.exe

pid process

1792 installd.exe
4628 nethtsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

pid	process
1792	installd.exe
4628	nethtsrv.exe

Loads dropped DLL 7 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exeinstalld.exenethtsrv.exe

pid	process
1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
1792	installd.exe
4628	nethtsrv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\installd.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

Drops file in Program Files directory 3 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
648

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exenet.exenet.exe

description	pid	process	target process
PID 1296 wrote to memory of 3876	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 1296 wrote to memory of 3876	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 1296 wrote to memory of 3876	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 3876 wrote to memory of 4252	3876	net.exe	net1.exe
PID 3876 wrote to memory of 4252	3876	net.exe	net1.exe
PID 3876 wrote to memory of 4252	3876	net.exe	net1.exe
PID 1296 wrote to memory of 1696	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 1296 wrote to memory of 1696	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 1296 wrote to memory of 1696	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	net.exe
PID 1696 wrote to memory of 3404	1696	net.exe	net1.exe
PID 1696 wrote to memory of 3404	1696	net.exe	net1.exe
PID 1696 wrote to memory of 3404	1696	net.exe	net1.exe
PID 1296 wrote to memory of 1792	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 1296 wrote to memory of 1792	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 1296 wrote to memory of 1792	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	installd.exe
PID 1296 wrote to memory of 4628	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	nethtsrv.exe
PID 1296 wrote to memory of 4628	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	nethtsrv.exe
PID 1296 wrote to memory of 4628	1296	dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe	nethtsrv.exe

C:\Users\Admin\AppData\Local\Temp\dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe
"C:\Users\Admin\AppData\Local\Temp\dad01494032631caa9467ba5ab0f81ddbcb74e3e7468b9b6fcb8ab56cd501054.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:4252

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:3404

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsvC3C5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvC3C5.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvC3C5.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvC3C5.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvC3C5.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
eba8b375a3787e45e150bf1412dccbc0

SHA1
cee093da5eb62a569f97bed99650565776ed6fd5

SHA256
90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

SHA512
739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
eba8b375a3787e45e150bf1412dccbc0

SHA1
cee093da5eb62a569f97bed99650565776ed6fd5

SHA256
90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

SHA512
739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
eba8b375a3787e45e150bf1412dccbc0

SHA1
cee093da5eb62a569f97bed99650565776ed6fd5

SHA256
90cc6016a67b49a43b0192040ef0f09807aaf8f6f4a00e9836162d498d25b6d7

SHA512
739dea1de27deb1372f52438b1c1082e0ca9aade9c476e3e989b231bcd847337224c0c25331c354a0676a99d0cdc3b9e7eeef5fd83eb3217c5855da08de2ae43

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
8c4668e391002776b0e65ce8aed85f3f

SHA1
e4fdca61713422b3834d28f78290b8f899e42a55

SHA256
f575eb42fcf3d9031107e928729162bf3488a8f1641d20d71bb6a95f139c682d

SHA512
e0eb3e2335b1822ed81e9e68e90a09e27b64e9e7a28b47e3f76408e7eef9d751e140be52c0dbfc74ba0320ce2744d58e3f51a5a621e86357904e29541b0d0c38

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
074bb84e6f56e60fae7fc9558e44563e

SHA1
5ff50216ca65bc76eca4b8ffd2a2d8ff80626e63

SHA256
ff6b7de0943affa336d6276c800e89848fdcde886079d7ea811a61aa07866ca0

SHA512
51899423654d46ae2173f7cc7e7dad98dc44cbffbb15ec0f17760b24f345e7d3f419b11c2c9688abf15db788cdc5d0f048c3705875369a3490fc8a77a3395018

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
074bb84e6f56e60fae7fc9558e44563e

SHA1
5ff50216ca65bc76eca4b8ffd2a2d8ff80626e63

SHA256
ff6b7de0943affa336d6276c800e89848fdcde886079d7ea811a61aa07866ca0

SHA512
51899423654d46ae2173f7cc7e7dad98dc44cbffbb15ec0f17760b24f345e7d3f419b11c2c9688abf15db788cdc5d0f048c3705875369a3490fc8a77a3395018

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
f4748642c5770656306c4de43233738c

SHA1
84029d7673444aa4d7d2d36e5fb9280560c11df5

SHA256
4a4765bc649f8e65b1c4ea80a73df7f69916ba621eb3ebf11dbb7b6687dd618d

SHA512
03a7315e27f221738a0590c93855e6ac73a551b491024a191d56eb776c6225d796cfba2e28e647426c775d3493052bda5986bfb6282a79d05db03f690cf6aa41

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
f4748642c5770656306c4de43233738c

SHA1
84029d7673444aa4d7d2d36e5fb9280560c11df5

SHA256
4a4765bc649f8e65b1c4ea80a73df7f69916ba621eb3ebf11dbb7b6687dd618d

SHA512
03a7315e27f221738a0590c93855e6ac73a551b491024a191d56eb776c6225d796cfba2e28e647426c775d3493052bda5986bfb6282a79d05db03f690cf6aa41

Download Submit
memory/1296-134-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1296-132-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1696-141-0x0000000000000000-mapping.dmp

Download
memory/1792-143-0x0000000000000000-mapping.dmp

Download
memory/3404-142-0x0000000000000000-mapping.dmp

Download
memory/3876-137-0x0000000000000000-mapping.dmp

Download
memory/4252-138-0x0000000000000000-mapping.dmp

Download
memory/4628-148-0x0000000000000000-mapping.dmp

Download