a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9

Analysis

max time kernel
245s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
Size

602KB
MD5

13371e3fc1bd34f54c4b28c6c1cf5828
SHA1

c05f4c31a576a5cbdb84aaac6a568bf976cb66a0
SHA256

a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9
SHA512

ef46a26736decdcc4dfa50b8a5f9de09520f180ec9b82a2aff8160d51f1ccd5e0b22fcac079b95d105594c39ff6963066e9614c935e073de46fa31e4d0e625b6
SSDEEP

12288:BIny5DYTkIH7/gZtc+XJVI/QBuK5nCTS0DYcp:9UTkk7/6c+XDI/4uuCTSo

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

1036 installd.exe
1640 nethtsrv.exe
1248 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe

pid	process
1036	installd.exe
1640	nethtsrv.exe
1248	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exeinstalld.exenethtsrv.exe

pid	process
1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
1036	installd.exe
1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
1640	nethtsrv.exe
1640	nethtsrv.exe
1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe

Drops file in Program Files directory 3 IoCs

Processes:

a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exenet.exenet.exe

description	pid	process	target process
PID 1648 wrote to memory of 592	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 1648 wrote to memory of 592	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 1648 wrote to memory of 592	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 1648 wrote to memory of 592	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 592 wrote to memory of 1560	592	net.exe	net1.exe
PID 592 wrote to memory of 1560	592	net.exe	net1.exe
PID 592 wrote to memory of 1560	592	net.exe	net1.exe
PID 592 wrote to memory of 1560	592	net.exe	net1.exe
PID 1648 wrote to memory of 1884	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 1648 wrote to memory of 1884	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 1648 wrote to memory of 1884	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 1648 wrote to memory of 1884	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	net.exe
PID 1884 wrote to memory of 1996	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1996	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1996	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1996	1884	net.exe	net1.exe
PID 1648 wrote to memory of 1036	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	installd.exe
PID 1648 wrote to memory of 1036	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	installd.exe
PID 1648 wrote to memory of 1036	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	installd.exe
PID 1648 wrote to memory of 1036	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	installd.exe
PID 1648 wrote to memory of 1036	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	installd.exe
PID 1648 wrote to memory of 1036	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	installd.exe
PID 1648 wrote to memory of 1036	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	installd.exe
PID 1648 wrote to memory of 1640	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	nethtsrv.exe
PID 1648 wrote to memory of 1640	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	nethtsrv.exe
PID 1648 wrote to memory of 1640	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	nethtsrv.exe
PID 1648 wrote to memory of 1640	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	nethtsrv.exe
PID 1648 wrote to memory of 1248	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	netupdsrv.exe
PID 1648 wrote to memory of 1248	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	netupdsrv.exe
PID 1648 wrote to memory of 1248	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	netupdsrv.exe
PID 1648 wrote to memory of 1248	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	netupdsrv.exe
PID 1648 wrote to memory of 1248	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	netupdsrv.exe
PID 1648 wrote to memory of 1248	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	netupdsrv.exe
PID 1648 wrote to memory of 1248	1648	a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe
"C:\Users\Admin\AppData\Local\Temp\a5ac3388d09a0a0252108291393e44aa1c243e6ff3408939ea2d9c35997650b9.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1560

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1996

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
94c70c7501bd2cb0c61b037b59fd5df3

SHA1
29d0dbdf0239e35397cec200c70b03bc10549e6e

SHA256
46edeef5c68d69509a752d7f3ec675e4751aced0848a1d8a3f2f40331d91ac22

SHA512
2a29bcfd9081a4b21e503bb2a4289e727502671bdc3bb11feae22f52c4acb400e6b4a46b4d72915c82755dc25d3ca17b0f0fbea97cf1d51f97a4763587f0aae3

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
5e4da452c40a76f1e2844b78e644319e

SHA1
86506f917f3d232209943eeff4635076102904ec

SHA256
491f07ead6544e1742bc2192b493cf69636e8067a826c78e0358d789cfa2acb5

SHA512
c789506bd8e0ef203acb08f0544b923f42e2a91abf8d01d55d272030b35c31c5872bb9ba935023ff4f55b1fb1c8bcd6266ece24bb606b6cfd04295611f460d13

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
f83c2d6e0d05757112a64badffd8f88f

SHA1
75082dd076ac6db35e314ff634ceca04413b704e

SHA256
f64a9113a1d4b678cb87b6358206ea395a247be4b87eee904aea2d636afb7193

SHA512
68b62b522e29c3890a507bc93ddf09180241611553ee3ad72612055ed692a7848ee8d4e06737f6ab58a9440f538030adb72a5fafce6c5a5cafa7d3e8dfa1c3b9

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
483a7dc5a25f22ea122540fbd3fa5761

SHA1
e6a99b5379e34ea1daeca56852b91c3cbf4f7c43

SHA256
a7a9516c6eae3519430176cfe4f1ed63bb4e9c3ddb5ee7aeb743aada54ebacbb

SHA512
a72245adc6474167d89c50cf2c2ebfff20e2ac3d641e5d048f0da7ba0b13f9798f996e1c56f5018accf21a7b58f82f36a2178355084dcd5c69d88b3784834f5a

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
f29dac52d19a86042800f373c09f06a0

SHA1
bc6d3cbe09e20e8460d5c6ab852d2bdfb4e21e65

SHA256
9a22f438c44eeb2dca77793c1aabbdb884c67f2561b22bd652ea372023942bd7

SHA512
ab8fc86aefaee8ce8a630bb441605e8bcbe42b151c686c760df66d33050cd5e4ace60544d0669d0b6374107e6d4f48d7b9f00646e97cbf2668e3116af0a54608

Download Submit
\Users\Admin\AppData\Local\Temp\nskF818.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nskF818.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nskF818.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
94c70c7501bd2cb0c61b037b59fd5df3

SHA1
29d0dbdf0239e35397cec200c70b03bc10549e6e

SHA256
46edeef5c68d69509a752d7f3ec675e4751aced0848a1d8a3f2f40331d91ac22

SHA512
2a29bcfd9081a4b21e503bb2a4289e727502671bdc3bb11feae22f52c4acb400e6b4a46b4d72915c82755dc25d3ca17b0f0fbea97cf1d51f97a4763587f0aae3

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
94c70c7501bd2cb0c61b037b59fd5df3

SHA1
29d0dbdf0239e35397cec200c70b03bc10549e6e

SHA256
46edeef5c68d69509a752d7f3ec675e4751aced0848a1d8a3f2f40331d91ac22

SHA512
2a29bcfd9081a4b21e503bb2a4289e727502671bdc3bb11feae22f52c4acb400e6b4a46b4d72915c82755dc25d3ca17b0f0fbea97cf1d51f97a4763587f0aae3

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
5e4da452c40a76f1e2844b78e644319e

SHA1
86506f917f3d232209943eeff4635076102904ec

SHA256
491f07ead6544e1742bc2192b493cf69636e8067a826c78e0358d789cfa2acb5

SHA512
c789506bd8e0ef203acb08f0544b923f42e2a91abf8d01d55d272030b35c31c5872bb9ba935023ff4f55b1fb1c8bcd6266ece24bb606b6cfd04295611f460d13

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
f83c2d6e0d05757112a64badffd8f88f

SHA1
75082dd076ac6db35e314ff634ceca04413b704e

SHA256
f64a9113a1d4b678cb87b6358206ea395a247be4b87eee904aea2d636afb7193

SHA512
68b62b522e29c3890a507bc93ddf09180241611553ee3ad72612055ed692a7848ee8d4e06737f6ab58a9440f538030adb72a5fafce6c5a5cafa7d3e8dfa1c3b9

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
483a7dc5a25f22ea122540fbd3fa5761

SHA1
e6a99b5379e34ea1daeca56852b91c3cbf4f7c43

SHA256
a7a9516c6eae3519430176cfe4f1ed63bb4e9c3ddb5ee7aeb743aada54ebacbb

SHA512
a72245adc6474167d89c50cf2c2ebfff20e2ac3d641e5d048f0da7ba0b13f9798f996e1c56f5018accf21a7b58f82f36a2178355084dcd5c69d88b3784834f5a

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
f29dac52d19a86042800f373c09f06a0

SHA1
bc6d3cbe09e20e8460d5c6ab852d2bdfb4e21e65

SHA256
9a22f438c44eeb2dca77793c1aabbdb884c67f2561b22bd652ea372023942bd7

SHA512
ab8fc86aefaee8ce8a630bb441605e8bcbe42b151c686c760df66d33050cd5e4ace60544d0669d0b6374107e6d4f48d7b9f00646e97cbf2668e3116af0a54608

Download Submit
memory/592-59-0x0000000000000000-mapping.dmp

Download
memory/1036-65-0x0000000000000000-mapping.dmp

Download
memory/1248-77-0x0000000000000000-mapping.dmp

Download
memory/1560-60-0x0000000000000000-mapping.dmp

Download
memory/1640-71-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/1648-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1648-56-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1884-62-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download