6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708

Analysis

max time kernel
235s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
Size

445KB
MD5

7172f1baa0f4a7d34819c4a30d80f36f
SHA1

4099756afbb90a830bf2103db7d2010b76d1017e
SHA256

6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708
SHA512

ecece48fe904f930e9a6d520ec064209db2a856d83865c7d313d6a4664484eee9b7c49cbff5b67d0259a777b4d5758abc960aafbe5e86b274974212a70f17936
SSDEEP

6144:XzfrgQ6T4bLHlHjIqzph+Lc8zJugWTbu6crNMhm1qeGY21kSnPxaKUcknZUSojyy:fpBkqzgJybuR9f7SnZaXa9+H7CVl

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
Executes dropped EXE 2 IoCs

Processes:

installd.exenethtsrv.exe

pid process

680 installd.exe
1584 nethtsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe

pid	process
680	installd.exe
1584	nethtsrv.exe

Loads dropped DLL 8 IoCs

Processes:

6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exeinstalld.exenethtsrv.exe

pid	process
520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
680	installd.exe
520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
1584	nethtsrv.exe
1584	nethtsrv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe

Drops file in Program Files directory 3 IoCs

Processes:

6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exenet.exenet.exe

description	pid	process	target process
PID 520 wrote to memory of 1872	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 520 wrote to memory of 1872	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 520 wrote to memory of 1872	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 520 wrote to memory of 1872	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 1872 wrote to memory of 1000	1872	net.exe	net1.exe
PID 1872 wrote to memory of 1000	1872	net.exe	net1.exe
PID 1872 wrote to memory of 1000	1872	net.exe	net1.exe
PID 1872 wrote to memory of 1000	1872	net.exe	net1.exe
PID 520 wrote to memory of 816	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 520 wrote to memory of 816	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 520 wrote to memory of 816	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 520 wrote to memory of 816	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	net.exe
PID 816 wrote to memory of 768	816	net.exe	net1.exe
PID 816 wrote to memory of 768	816	net.exe	net1.exe
PID 816 wrote to memory of 768	816	net.exe	net1.exe
PID 816 wrote to memory of 768	816	net.exe	net1.exe
PID 520 wrote to memory of 680	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	installd.exe
PID 520 wrote to memory of 680	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	installd.exe
PID 520 wrote to memory of 680	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	installd.exe
PID 520 wrote to memory of 680	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	installd.exe
PID 520 wrote to memory of 680	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	installd.exe
PID 520 wrote to memory of 680	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	installd.exe
PID 520 wrote to memory of 680	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	installd.exe
PID 520 wrote to memory of 1584	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	nethtsrv.exe
PID 520 wrote to memory of 1584	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	nethtsrv.exe
PID 520 wrote to memory of 1584	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	nethtsrv.exe
PID 520 wrote to memory of 1584	520	6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe	nethtsrv.exe

C:\Users\Admin\AppData\Local\Temp\6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe
"C:\Users\Admin\AppData\Local\Temp\6623c204a181a6bf68a39da58412691fb92fac0cc3d7c1f05e9c66ffd0f3d708.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1000

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:768

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
dccdbc13a5391831586af981df41161f

SHA1
5c76dd4d27a468cbefb884fa03138efea88c40dd

SHA256
31f183b69018cc175262400c72b0695600049ee316f8363ba6de6ed3ecc4ff17

SHA512
5e169af2d7312f9a9b91564aba2d946816364d8c6cd1f0a62590835bdae60740bf79818b1c806e32bbcd54c529d679b1e8bd2b82808890950c19f05ba564f5d6

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
44f7303c235f51ca168689868c00cbe3

SHA1
45a3f30b5cf0610bdde513d7d5d10c96fcabfdb1

SHA256
d09d3432ea50a68b0ad978fa317172f2a9858e759278c100801d57e33230408a

SHA512
ab8decd676c553074d12c39b69537fb219d26b714e1a8456e7b595ea1118b8d30e77761c2deebfd425b84bfaf760c1338a84ac2454ad9ac65e2c9ff567178f86

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
6be871082638968bf7c7a2658983feb1

SHA1
8bf844954f2c2bdfe7f5743a167eda14fb6a6b92

SHA256
6b570846f047292f64b26b1b7a020d3bf56b12c47740285945d3c18ebad0823b

SHA512
8f8cc443c09ec48f36a634686d60ffd9f6f6d36805f692a70203cb2bd228792d175069f0cc8c61c085aed28ddbe6bd4a842ace7a29e3988e7931fc77ccbca781

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
412bd8b63ac8948ecc2bb8b3b36f0074

SHA1
97ac698f80edf7396beb53588f4ac581531daf73

SHA256
8321f5d429fc5d229120f940124b3320f72782612f113bc298f3b71d4a837ac1

SHA512
9e8d1559d5ce24215f53c6a5165c1e00d34f9e754361cb3ecec0ecbdf1664fb30d26b3b23097f9219eaefc5149ea47e38c3079b070bcf18800fa85adc6af9f10

Download Submit
\Users\Admin\AppData\Local\Temp\nseE42A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseE42A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseE42A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
dccdbc13a5391831586af981df41161f

SHA1
5c76dd4d27a468cbefb884fa03138efea88c40dd

SHA256
31f183b69018cc175262400c72b0695600049ee316f8363ba6de6ed3ecc4ff17

SHA512
5e169af2d7312f9a9b91564aba2d946816364d8c6cd1f0a62590835bdae60740bf79818b1c806e32bbcd54c529d679b1e8bd2b82808890950c19f05ba564f5d6

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
dccdbc13a5391831586af981df41161f

SHA1
5c76dd4d27a468cbefb884fa03138efea88c40dd

SHA256
31f183b69018cc175262400c72b0695600049ee316f8363ba6de6ed3ecc4ff17

SHA512
5e169af2d7312f9a9b91564aba2d946816364d8c6cd1f0a62590835bdae60740bf79818b1c806e32bbcd54c529d679b1e8bd2b82808890950c19f05ba564f5d6

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
44f7303c235f51ca168689868c00cbe3

SHA1
45a3f30b5cf0610bdde513d7d5d10c96fcabfdb1

SHA256
d09d3432ea50a68b0ad978fa317172f2a9858e759278c100801d57e33230408a

SHA512
ab8decd676c553074d12c39b69537fb219d26b714e1a8456e7b595ea1118b8d30e77761c2deebfd425b84bfaf760c1338a84ac2454ad9ac65e2c9ff567178f86

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
6be871082638968bf7c7a2658983feb1

SHA1
8bf844954f2c2bdfe7f5743a167eda14fb6a6b92

SHA256
6b570846f047292f64b26b1b7a020d3bf56b12c47740285945d3c18ebad0823b

SHA512
8f8cc443c09ec48f36a634686d60ffd9f6f6d36805f692a70203cb2bd228792d175069f0cc8c61c085aed28ddbe6bd4a842ace7a29e3988e7931fc77ccbca781

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
412bd8b63ac8948ecc2bb8b3b36f0074

SHA1
97ac698f80edf7396beb53588f4ac581531daf73

SHA256
8321f5d429fc5d229120f940124b3320f72782612f113bc298f3b71d4a837ac1

SHA512
9e8d1559d5ce24215f53c6a5165c1e00d34f9e754361cb3ecec0ecbdf1664fb30d26b3b23097f9219eaefc5149ea47e38c3079b070bcf18800fa85adc6af9f10

Download Submit
memory/520-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/680-63-0x0000000000000000-mapping.dmp

Download
memory/768-61-0x0000000000000000-mapping.dmp

Download
memory/816-60-0x0000000000000000-mapping.dmp

Download
memory/1000-58-0x0000000000000000-mapping.dmp

Download
memory/1584-69-0x0000000000000000-mapping.dmp

Download
memory/1872-57-0x0000000000000000-mapping.dmp

Download