a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa

Analysis

max time kernel
284s
max time network
334s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
Size

601KB
MD5

f044ed5138949471b2a9209eb2a0f1cd
SHA1

249fba81c5893409a7dc6070071e08f80991c4fd
SHA256

a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa
SHA512

114e3ef31595933a1dc9915b2fffc3326052ccf8f56bb776a1720b1a60f6f5853f9ab87a2fe6544e216a8e2ff4733d3c5294f31821ec43ad8eb1d0d85c57ae77
SSDEEP

12288:PIny5DYT5I4MamRWZAmFn3Q1tB0PijGGkMugLyAoGCozh12LDu:XUT5Waoy3QtB0P8GGVugLYlozh10

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

592 installd.exe
1936 nethtsrv.exe
1784 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe

pid	process
592	installd.exe
1936	nethtsrv.exe
1784	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exeinstalld.exenethtsrv.exe

pid	process
544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
592	installd.exe
544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
1936	nethtsrv.exe
1936	nethtsrv.exe
544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe

description	ioc	process
File created	C:\Windows\SysWOW64\nethtsrv.exe	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
File created	C:\Windows\SysWOW64\installd.exe	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe

Drops file in Program Files directory 3 IoCs

Processes:

a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exenet.exenet.exe

description	pid	process	target process
PID 544 wrote to memory of 680	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 544 wrote to memory of 680	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 544 wrote to memory of 680	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 544 wrote to memory of 680	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 680 wrote to memory of 1864	680	net.exe	net1.exe
PID 680 wrote to memory of 1864	680	net.exe	net1.exe
PID 680 wrote to memory of 1864	680	net.exe	net1.exe
PID 680 wrote to memory of 1864	680	net.exe	net1.exe
PID 544 wrote to memory of 1664	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 544 wrote to memory of 1664	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 544 wrote to memory of 1664	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 544 wrote to memory of 1664	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	net.exe
PID 1664 wrote to memory of 1636	1664	net.exe	net1.exe
PID 1664 wrote to memory of 1636	1664	net.exe	net1.exe
PID 1664 wrote to memory of 1636	1664	net.exe	net1.exe
PID 1664 wrote to memory of 1636	1664	net.exe	net1.exe
PID 544 wrote to memory of 592	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	installd.exe
PID 544 wrote to memory of 592	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	installd.exe
PID 544 wrote to memory of 592	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	installd.exe
PID 544 wrote to memory of 592	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	installd.exe
PID 544 wrote to memory of 592	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	installd.exe
PID 544 wrote to memory of 592	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	installd.exe
PID 544 wrote to memory of 592	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	installd.exe
PID 544 wrote to memory of 1936	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	nethtsrv.exe
PID 544 wrote to memory of 1936	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	nethtsrv.exe
PID 544 wrote to memory of 1936	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	nethtsrv.exe
PID 544 wrote to memory of 1936	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	nethtsrv.exe
PID 544 wrote to memory of 1784	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	netupdsrv.exe
PID 544 wrote to memory of 1784	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	netupdsrv.exe
PID 544 wrote to memory of 1784	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	netupdsrv.exe
PID 544 wrote to memory of 1784	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	netupdsrv.exe
PID 544 wrote to memory of 1784	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	netupdsrv.exe
PID 544 wrote to memory of 1784	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	netupdsrv.exe
PID 544 wrote to memory of 1784	544	a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe
"C:\Users\Admin\AppData\Local\Temp\a9603e4a7b58adc74a5ed91d892d24f9b095ad3a91b928b3cb35baa9dad244aa.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1864

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1636

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
14b6839dda2c465e43a066ad8992beda

SHA1
2c93fe3e0d40cf9ada17edce1f012db9ca00d9c5

SHA256
4c0f819bb9bda59edafae3aeb8cdcb40d223beec2741863ab4ea135103b5cc62

SHA512
d9d1d9e514b61b2b69aabad62dbea54512c8c1821e0b48cf6b9cb2903dd916babde3be01f916f73602a073e67830e331d54ebc090e7bc010a74886a631578985

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
caea0b5db8709e1a69e8c6e7131fc181

SHA1
eb1361b5a22bb134bdcbfe68d24f3ae17a489499

SHA256
f09d8dc39550ac3dbd0db6386519c09cf476009b9859f523ddc6e48bec4bb4c8

SHA512
62c4fa8b678625db51cca7e9a4083caa5c3585b611556137fa854f05dc5ebfcd00ae5f1854bb321755887e488520cc5bc3ebef3143d7426115e79822aff8857e

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
737815e337f8f63ef0d6271d6bf2c347

SHA1
d01c0b26dade8fb9e17e4b694bdf1994aa43593f

SHA256
320a6a442aa42869a3d157287cd3d932bb2a7e7774e623d4b3b166fbef25e1e2

SHA512
daf86f98355fcb25417fabd86a763cb2108c9e15281921938e31b9efd2e455d9f89b0fd6b99bbaf978b1dfe947cf2badfb7a40e1bda97ce20a5488b911a0cbc7

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
474f78aabe94bf40e9533284292ccf8d

SHA1
caefe263c92f8b4884aec533cc5ebfe8e5da8ca0

SHA256
122feed8479892d0f88179269257a7f66269c86e43c5eeb4a5a841bc68d16090

SHA512
6b74d805f2548b8e944d222e565b6e87a3fbb7bba0285ee85e14498a08f314bc6cc29fcb31b66b68084e2ad064b36182ab9b2e4efc40403fbe3a6af36b2c2ca8

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
17e427c034053f8cdd4bb213a9c73295

SHA1
48692a43ee8eda610129ee5ee6d896409ecf3b33

SHA256
bdcdbf42ab1793fa07d5ccf7a3e90b0dd5c64b9acdffb06f67b478df2dc86444

SHA512
43f148ada295aa4bcf586edb4631a932cf597b14650fa1bf75285f0b3c53ea4c389b1adad06c859320af567bfa3f8891dd22eec5754fce1ef17fe6efe32f5122

Download Submit
\Users\Admin\AppData\Local\Temp\nsuA518.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsuA518.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsuA518.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
14b6839dda2c465e43a066ad8992beda

SHA1
2c93fe3e0d40cf9ada17edce1f012db9ca00d9c5

SHA256
4c0f819bb9bda59edafae3aeb8cdcb40d223beec2741863ab4ea135103b5cc62

SHA512
d9d1d9e514b61b2b69aabad62dbea54512c8c1821e0b48cf6b9cb2903dd916babde3be01f916f73602a073e67830e331d54ebc090e7bc010a74886a631578985

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
14b6839dda2c465e43a066ad8992beda

SHA1
2c93fe3e0d40cf9ada17edce1f012db9ca00d9c5

SHA256
4c0f819bb9bda59edafae3aeb8cdcb40d223beec2741863ab4ea135103b5cc62

SHA512
d9d1d9e514b61b2b69aabad62dbea54512c8c1821e0b48cf6b9cb2903dd916babde3be01f916f73602a073e67830e331d54ebc090e7bc010a74886a631578985

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
caea0b5db8709e1a69e8c6e7131fc181

SHA1
eb1361b5a22bb134bdcbfe68d24f3ae17a489499

SHA256
f09d8dc39550ac3dbd0db6386519c09cf476009b9859f523ddc6e48bec4bb4c8

SHA512
62c4fa8b678625db51cca7e9a4083caa5c3585b611556137fa854f05dc5ebfcd00ae5f1854bb321755887e488520cc5bc3ebef3143d7426115e79822aff8857e

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
737815e337f8f63ef0d6271d6bf2c347

SHA1
d01c0b26dade8fb9e17e4b694bdf1994aa43593f

SHA256
320a6a442aa42869a3d157287cd3d932bb2a7e7774e623d4b3b166fbef25e1e2

SHA512
daf86f98355fcb25417fabd86a763cb2108c9e15281921938e31b9efd2e455d9f89b0fd6b99bbaf978b1dfe947cf2badfb7a40e1bda97ce20a5488b911a0cbc7

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
474f78aabe94bf40e9533284292ccf8d

SHA1
caefe263c92f8b4884aec533cc5ebfe8e5da8ca0

SHA256
122feed8479892d0f88179269257a7f66269c86e43c5eeb4a5a841bc68d16090

SHA512
6b74d805f2548b8e944d222e565b6e87a3fbb7bba0285ee85e14498a08f314bc6cc29fcb31b66b68084e2ad064b36182ab9b2e4efc40403fbe3a6af36b2c2ca8

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
17e427c034053f8cdd4bb213a9c73295

SHA1
48692a43ee8eda610129ee5ee6d896409ecf3b33

SHA256
bdcdbf42ab1793fa07d5ccf7a3e90b0dd5c64b9acdffb06f67b478df2dc86444

SHA512
43f148ada295aa4bcf586edb4631a932cf597b14650fa1bf75285f0b3c53ea4c389b1adad06c859320af567bfa3f8891dd22eec5754fce1ef17fe6efe32f5122

Download Submit
memory/544-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/544-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/544-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/592-64-0x0000000000000000-mapping.dmp

Download
memory/680-58-0x0000000000000000-mapping.dmp

Download
memory/1636-62-0x0000000000000000-mapping.dmp

Download
memory/1664-61-0x0000000000000000-mapping.dmp

Download
memory/1784-77-0x0000000000000000-mapping.dmp

Download
memory/1864-59-0x0000000000000000-mapping.dmp

Download
memory/1936-71-0x0000000000000000-mapping.dmp

Download