3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679

Analysis

max time kernel
376s
max time network
464s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
Size

446KB
MD5

0d9205fdebdd04f4574525970579f03d
SHA1

ec4aae06c0f0460243a5a06ed572eec24975daac
SHA256

3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679
SHA512

0c8d126e403508e38ba32b5bdc2a0a746cc7f5a4da63d7c541c39123a8ff64064723b3883bb3ce035ac912ef367feb1cdff3b7127a691690104b139087811d23
SSDEEP

12288:KOZlcz8Jz7tFcsY/FnxE/jU4/r8ZmVBo3ZiQRmqDXd1:K1Y/Fl6EnKmKZ9Xd1

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
Executes dropped EXE 2 IoCs

Processes:

installd.exenethtsrv.exe

pid process

4988 installd.exe
4368 nethtsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe

pid	process
4988	installd.exe
4368	nethtsrv.exe

Loads dropped DLL 8 IoCs

Processes:

3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exeinstalld.exenethtsrv.exe

pid	process
3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
4988	installd.exe
4368	nethtsrv.exe
4368	nethtsrv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
File created	C:\Windows\SysWOW64\installd.exe	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe

Drops file in Program Files directory 3 IoCs

Processes:

3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

640

pid	process
640

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exenet.exenet.exe

description	pid	process	target process
PID 3568 wrote to memory of 2948	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	net.exe
PID 3568 wrote to memory of 2948	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	net.exe
PID 3568 wrote to memory of 2948	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	net.exe
PID 2948 wrote to memory of 3844	2948	net.exe	net1.exe
PID 2948 wrote to memory of 3844	2948	net.exe	net1.exe
PID 2948 wrote to memory of 3844	2948	net.exe	net1.exe
PID 3568 wrote to memory of 2252	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	net.exe
PID 3568 wrote to memory of 2252	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	net.exe
PID 3568 wrote to memory of 2252	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	net.exe
PID 2252 wrote to memory of 3032	2252	net.exe	net1.exe
PID 2252 wrote to memory of 3032	2252	net.exe	net1.exe
PID 2252 wrote to memory of 3032	2252	net.exe	net1.exe
PID 3568 wrote to memory of 4988	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	installd.exe
PID 3568 wrote to memory of 4988	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	installd.exe
PID 3568 wrote to memory of 4988	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	installd.exe
PID 3568 wrote to memory of 4368	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	nethtsrv.exe
PID 3568 wrote to memory of 4368	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	nethtsrv.exe
PID 3568 wrote to memory of 4368	3568	3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe	nethtsrv.exe

C:\Users\Admin\AppData\Local\Temp\3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe
"C:\Users\Admin\AppData\Local\Temp\3f7879442bcacc8d4634fdc1a0789132a2b4b4e5f73152d7e3123a3a76857679.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:3844

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:3032

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4988

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsr1A77.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1A77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1A77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1A77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr1A77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9cb71a388284fb25b006ed3b0529d8ef

SHA1
43fab9caa3c60a5213bca89656d623fda9d04f4a

SHA256
56adcd256086b0fedcbe71d21f0cfce4ceeaeb1577ce61907474d19a181d1175

SHA512
c784c42f7176b2bb87f67d5f8ff0b48d2dc71d830c6157fcd28f88977230d408710e00deb0ed2056f27b7881cdcceca3cd40a4695d65160811eda1d1438fc497

Download Submit
C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9cb71a388284fb25b006ed3b0529d8ef

SHA1
43fab9caa3c60a5213bca89656d623fda9d04f4a

SHA256
56adcd256086b0fedcbe71d21f0cfce4ceeaeb1577ce61907474d19a181d1175

SHA512
c784c42f7176b2bb87f67d5f8ff0b48d2dc71d830c6157fcd28f88977230d408710e00deb0ed2056f27b7881cdcceca3cd40a4695d65160811eda1d1438fc497

Download Submit
C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9cb71a388284fb25b006ed3b0529d8ef

SHA1
43fab9caa3c60a5213bca89656d623fda9d04f4a

SHA256
56adcd256086b0fedcbe71d21f0cfce4ceeaeb1577ce61907474d19a181d1175

SHA512
c784c42f7176b2bb87f67d5f8ff0b48d2dc71d830c6157fcd28f88977230d408710e00deb0ed2056f27b7881cdcceca3cd40a4695d65160811eda1d1438fc497

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
94e959cb92aa53143f665bf8a55c8fad

SHA1
8055b1e5612825e3f524cb64e4794c75ca4a1d84

SHA256
ff10ad3503670d146f0508aa0f12ffafb3fa84db4ee853653db6648509164afd

SHA512
7ab62d1e5d5fa0dae43800789821d6a8fa3733f6e28d5dc6b29ec7ab2d1b0adce0e7b90486d570015c0819fbda3dd54945cb07e468b50952bb53e4ec97e48c09

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
94e959cb92aa53143f665bf8a55c8fad

SHA1
8055b1e5612825e3f524cb64e4794c75ca4a1d84

SHA256
ff10ad3503670d146f0508aa0f12ffafb3fa84db4ee853653db6648509164afd

SHA512
7ab62d1e5d5fa0dae43800789821d6a8fa3733f6e28d5dc6b29ec7ab2d1b0adce0e7b90486d570015c0819fbda3dd54945cb07e468b50952bb53e4ec97e48c09

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
4c512ed6b16a8e4966f7186ad4c87120

SHA1
c394d2c73a79b809f4ed92513ab27a5654c1d4cc

SHA256
b2345789dd227bf1cb2d1f7bde6cdc7513e3c036c93b9b1d04c14aa79abe32db

SHA512
fa4cd8be7fb5e95fa29fdd574748713974c59693a1fa78e73b781b8ac2ca4e82c802e94085054734499aeda090071f5cb4970bdbef8b6a6a00ff8f0c412db40b

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
4c512ed6b16a8e4966f7186ad4c87120

SHA1
c394d2c73a79b809f4ed92513ab27a5654c1d4cc

SHA256
b2345789dd227bf1cb2d1f7bde6cdc7513e3c036c93b9b1d04c14aa79abe32db

SHA512
fa4cd8be7fb5e95fa29fdd574748713974c59693a1fa78e73b781b8ac2ca4e82c802e94085054734499aeda090071f5cb4970bdbef8b6a6a00ff8f0c412db40b

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
0bcea8299cc2135ac05dbeec91ad53a8

SHA1
5b8e238525a74b151f160d0b24c09c28d0f55c4d

SHA256
357b034ad0ca0a12b644156e36c5bc5b8c43c2d4b44dffc37235015bb5e9bd2a

SHA512
04f47306473b7b7d6d0be158dd4aea130896c2c0f0a6e1e7d7fdf3762c8917b29452da023912670e1449293c9e2bee3887ecb65f0f2e7ae99266bc274bba4e6a

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
0bcea8299cc2135ac05dbeec91ad53a8

SHA1
5b8e238525a74b151f160d0b24c09c28d0f55c4d

SHA256
357b034ad0ca0a12b644156e36c5bc5b8c43c2d4b44dffc37235015bb5e9bd2a

SHA512
04f47306473b7b7d6d0be158dd4aea130896c2c0f0a6e1e7d7fdf3762c8917b29452da023912670e1449293c9e2bee3887ecb65f0f2e7ae99266bc274bba4e6a

Download Submit
memory/2252-139-0x0000000000000000-mapping.dmp

Download
memory/2948-135-0x0000000000000000-mapping.dmp

Download
memory/3032-140-0x0000000000000000-mapping.dmp

Download
memory/3844-136-0x0000000000000000-mapping.dmp

Download
memory/4368-146-0x0000000000000000-mapping.dmp

Download
memory/4988-141-0x0000000000000000-mapping.dmp

Download