Analysis

  • max time kernel
    241s
  • max time network
    336s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 10:13

General

  • Target

    c2b50036898d28dfc8c35756e91601cec290347deb558c6a8a561bc04570d377.exe

  • Size

    603KB

  • MD5

    5cad6d376768c13f6319d58183bc4d26

  • SHA1

    1524fd7376f92eb3543d99625510e0ad46ce9e7f

  • SHA256

    c2b50036898d28dfc8c35756e91601cec290347deb558c6a8a561bc04570d377

  • SHA512

    8597ec7282e129d29d2ace10f12ec2317bd3c5e2b5264ec3e02b66f908b60b095f9e5ed4f07527014c21ddd6c1e13a2635b558a0b2021890a9d3f7cc19cf3bfb

  • SSDEEP

    12288:HIny5DYTmIag8wSaJgb/decI4XPflAKQq2SxW6K9E:PUTmR7aB4qKQXS0y

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2b50036898d28dfc8c35756e91601cec290347deb558c6a8a561bc04570d377.exe
    "C:\Users\Admin\AppData\Local\Temp\c2b50036898d28dfc8c35756e91601cec290347deb558c6a8a561bc04570d377.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\net.exe
      net stop nethttpservice
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop nethttpservice
        3⤵
          PID:1576
      • C:\Windows\SysWOW64\net.exe
        net stop serviceupdater
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop serviceupdater
          3⤵
            PID:916
        • C:\Windows\SysWOW64\installd.exe
          "C:\Windows\system32\installd.exe" nethfdrv
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1512
        • C:\Windows\SysWOW64\nethtsrv.exe
          "C:\Windows\system32\nethtsrv.exe" -nfdi
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:808
        • C:\Windows\SysWOW64\netupdsrv.exe
          "C:\Windows\system32\netupdsrv.exe" -nfdi
          2⤵
          • Executes dropped EXE
          PID:1712

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\hfnapi.dll

        Filesize

        106KB

        MD5

        a37ec4df64f9c0958092127204776214

        SHA1

        fd9b74861c670fdd7e459a806148b15377e403a8

        SHA256

        702489cca898fc1dca843ddee0826639159165e4a65a1e833ab28e41038d8650

        SHA512

        8cb626ae8941f915451a120fdf971e0daa4c5a0ad95903dcf451a9b4108f8593a55cf41c4810c46e8b7b14404d05b6fc52b066969986f0af9395db54eae0b834

      • C:\Windows\SysWOW64\hfpapi.dll

        Filesize

        244KB

        MD5

        2cbaf3794ae2ae8e3a2aafdff9fdfa4e

        SHA1

        00a7e4029d29243a7f4f282d9a1ad366f213a23b

        SHA256

        ac43da456672840c2ad5b6d1c98723413dfd9be231a2c4afc4e6c70a4269b0ee

        SHA512

        7382ee3e318287d568ca1fce66afba8ff6e7ebe3f4d779212b8f2f6085133c905da1b2454e5e080af995500351415b12bb7d6bbf07af0ddf30a822175a354a1e

      • C:\Windows\SysWOW64\installd.exe

        Filesize

        108KB

        MD5

        10b2ffcc43ebfccc3982ba69a474167e

        SHA1

        007015974280d76feb3cef81f96da22e29ee8a46

        SHA256

        4bc5bd684271afbd2091b51fad30bbe4241e90f6c9555c8a62ebfbdd7c30076c

        SHA512

        dc7bfcba82be51b29696294a192754dc79ee6ecb6a636be2f519d511eeacf81e0700c4ea90a161ea89be7b2ffc34f9982e6329ac501d11eae153016cf4de1b64

      • C:\Windows\SysWOW64\nethtsrv.exe

        Filesize

        176KB

        MD5

        9b37410e07cd10d92cc4da8b496a1932

        SHA1

        ede8d83d503f5a7de80fdc6c01ba09dee1cbf2fa

        SHA256

        13ca93f679ba8fa359f883e37777d60583df8c2ff06e33ac65587579d73daa34

        SHA512

        bfa0f2b3ac9bc93c5cdde58e085990ce54d3c0f03b5eceffc7190be3099634558272a01ee9afc06e0304233492f9b6b0851001bcf07b8be1e1ce681479681db8

      • C:\Windows\SysWOW64\netupdsrv.exe

        Filesize

        158KB

        MD5

        693f6b9d48a52d80d4b5b13c0968eed1

        SHA1

        9912458737cc6af38967df48ad20c58e1b2334f5

        SHA256

        85f487f91e89677663a5411b02180d7026f5ba3a96ec4742456c4d28dfc7a907

        SHA512

        0321437beea6f10a7fde5d9051d7c36b20f7b3b7bd9fa15858071c25b20c3de8519f4a04110fcfb7546923b7e977fdcad4cde3fef949854242b5d9f026588e34

      • \Users\Admin\AppData\Local\Temp\nsp23.tmp\System.dll

        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      • \Users\Admin\AppData\Local\Temp\nsp23.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      • \Users\Admin\AppData\Local\Temp\nsp23.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      • \Windows\SysWOW64\hfnapi.dll

        Filesize

        106KB

        MD5

        a37ec4df64f9c0958092127204776214

        SHA1

        fd9b74861c670fdd7e459a806148b15377e403a8

        SHA256

        702489cca898fc1dca843ddee0826639159165e4a65a1e833ab28e41038d8650

        SHA512

        8cb626ae8941f915451a120fdf971e0daa4c5a0ad95903dcf451a9b4108f8593a55cf41c4810c46e8b7b14404d05b6fc52b066969986f0af9395db54eae0b834

      • \Windows\SysWOW64\hfnapi.dll

        Filesize

        106KB

        MD5

        a37ec4df64f9c0958092127204776214

        SHA1

        fd9b74861c670fdd7e459a806148b15377e403a8

        SHA256

        702489cca898fc1dca843ddee0826639159165e4a65a1e833ab28e41038d8650

        SHA512

        8cb626ae8941f915451a120fdf971e0daa4c5a0ad95903dcf451a9b4108f8593a55cf41c4810c46e8b7b14404d05b6fc52b066969986f0af9395db54eae0b834

      • \Windows\SysWOW64\hfpapi.dll

        Filesize

        244KB

        MD5

        2cbaf3794ae2ae8e3a2aafdff9fdfa4e

        SHA1

        00a7e4029d29243a7f4f282d9a1ad366f213a23b

        SHA256

        ac43da456672840c2ad5b6d1c98723413dfd9be231a2c4afc4e6c70a4269b0ee

        SHA512

        7382ee3e318287d568ca1fce66afba8ff6e7ebe3f4d779212b8f2f6085133c905da1b2454e5e080af995500351415b12bb7d6bbf07af0ddf30a822175a354a1e

      • \Windows\SysWOW64\installd.exe

        Filesize

        108KB

        MD5

        10b2ffcc43ebfccc3982ba69a474167e

        SHA1

        007015974280d76feb3cef81f96da22e29ee8a46

        SHA256

        4bc5bd684271afbd2091b51fad30bbe4241e90f6c9555c8a62ebfbdd7c30076c

        SHA512

        dc7bfcba82be51b29696294a192754dc79ee6ecb6a636be2f519d511eeacf81e0700c4ea90a161ea89be7b2ffc34f9982e6329ac501d11eae153016cf4de1b64

      • \Windows\SysWOW64\nethtsrv.exe

        Filesize

        176KB

        MD5

        9b37410e07cd10d92cc4da8b496a1932

        SHA1

        ede8d83d503f5a7de80fdc6c01ba09dee1cbf2fa

        SHA256

        13ca93f679ba8fa359f883e37777d60583df8c2ff06e33ac65587579d73daa34

        SHA512

        bfa0f2b3ac9bc93c5cdde58e085990ce54d3c0f03b5eceffc7190be3099634558272a01ee9afc06e0304233492f9b6b0851001bcf07b8be1e1ce681479681db8

      • \Windows\SysWOW64\netupdsrv.exe

        Filesize

        158KB

        MD5

        693f6b9d48a52d80d4b5b13c0968eed1

        SHA1

        9912458737cc6af38967df48ad20c58e1b2334f5

        SHA256

        85f487f91e89677663a5411b02180d7026f5ba3a96ec4742456c4d28dfc7a907

        SHA512

        0321437beea6f10a7fde5d9051d7c36b20f7b3b7bd9fa15858071c25b20c3de8519f4a04110fcfb7546923b7e977fdcad4cde3fef949854242b5d9f026588e34

      • memory/808-71-0x0000000000000000-mapping.dmp

      • memory/916-62-0x0000000000000000-mapping.dmp

      • memory/1512-64-0x0000000000000000-mapping.dmp

      • memory/1532-61-0x0000000000000000-mapping.dmp

      • memory/1576-59-0x0000000000000000-mapping.dmp

      • memory/1584-58-0x0000000000000000-mapping.dmp

      • memory/1712-77-0x0000000000000000-mapping.dmp

      • memory/2012-69-0x0000000000360000-0x00000000007BE000-memory.dmp

        Filesize

        4.4MB

      • memory/2012-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

        Filesize

        8KB

      • memory/2012-55-0x0000000000360000-0x00000000007BE000-memory.dmp

        Filesize

        4.4MB