Analysis
-
max time kernel
26s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 10:17
Static task
static1
Behavioral task
behavioral1
Sample
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe
Resource
win10v2004-20220812-en
General
-
Target
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe
-
Size
602KB
-
MD5
3936acf8a912ce41698c09a80cb579ce
-
SHA1
11320cd10b977e439eb1b13f3787abbf4286eb2e
-
SHA256
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11
-
SHA512
1e5753fe897cbcc1a342d59911b6c3b20f7e39704a85560fc38e61eaca06e3cee06225283a6ab705911c7caf37695d0e6329c6b3cade030fae0dc59a6c10dca4
-
SSDEEP
12288:IIny5DYTcI2MvKp0QYuMRL3I1so30cRUCG6VCvIwFT:GUTcJMvKpdce30eUCbyIwV
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exedescription ioc process File created C:\Windows\system32\drivers\nethfdrv.sys a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe -
Executes dropped EXE 5 IoCs
Processes:
installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exepid process 268 installd.exe 112 nethtsrv.exe 1912 netupdsrv.exe 1640 nethtsrv.exe 1720 netupdsrv.exe -
Loads dropped DLL 13 IoCs
Processes:
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exeinstalld.exenethtsrv.exenethtsrv.exepid process 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe 268 installd.exe 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe 112 nethtsrv.exe 112 nethtsrv.exe 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe 1640 nethtsrv.exe 1640 nethtsrv.exe 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
Processes:
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exedescription ioc process File created C:\Windows\SysWOW64\hfnapi.dll a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe File created C:\Windows\SysWOW64\hfpapi.dll a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe File created C:\Windows\SysWOW64\installd.exe a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe File created C:\Windows\SysWOW64\nethtsrv.exe a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe File created C:\Windows\SysWOW64\netupdsrv.exe a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe -
Drops file in Program Files directory 3 IoCs
Processes:
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exedescription ioc process File created C:\Program Files (x86)\Common Files\Config\data.xml a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe File created C:\Program Files (x86)\Common Files\Config\ver.xml a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe File created C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 460 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
nethtsrv.exedescription pid process Token: SeDebugPrivilege 1640 nethtsrv.exe -
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exenet.exenet.exenet.exenet.exedescription pid process target process PID 1768 wrote to memory of 1648 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 1648 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 1648 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 1648 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1648 wrote to memory of 952 1648 net.exe net1.exe PID 1648 wrote to memory of 952 1648 net.exe net1.exe PID 1648 wrote to memory of 952 1648 net.exe net1.exe PID 1648 wrote to memory of 952 1648 net.exe net1.exe PID 1768 wrote to memory of 1352 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 1352 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 1352 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 1352 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1352 wrote to memory of 1872 1352 net.exe net1.exe PID 1352 wrote to memory of 1872 1352 net.exe net1.exe PID 1352 wrote to memory of 1872 1352 net.exe net1.exe PID 1352 wrote to memory of 1872 1352 net.exe net1.exe PID 1768 wrote to memory of 268 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe installd.exe PID 1768 wrote to memory of 268 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe installd.exe PID 1768 wrote to memory of 268 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe installd.exe PID 1768 wrote to memory of 268 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe installd.exe PID 1768 wrote to memory of 268 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe installd.exe PID 1768 wrote to memory of 268 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe installd.exe PID 1768 wrote to memory of 268 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe installd.exe PID 1768 wrote to memory of 112 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe nethtsrv.exe PID 1768 wrote to memory of 112 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe nethtsrv.exe PID 1768 wrote to memory of 112 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe nethtsrv.exe PID 1768 wrote to memory of 112 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe nethtsrv.exe PID 1768 wrote to memory of 1912 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe netupdsrv.exe PID 1768 wrote to memory of 1912 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe netupdsrv.exe PID 1768 wrote to memory of 1912 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe netupdsrv.exe PID 1768 wrote to memory of 1912 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe netupdsrv.exe PID 1768 wrote to memory of 1912 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe netupdsrv.exe PID 1768 wrote to memory of 1912 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe netupdsrv.exe PID 1768 wrote to memory of 1912 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe netupdsrv.exe PID 1768 wrote to memory of 856 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 856 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 856 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 856 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 856 wrote to memory of 824 856 net.exe net1.exe PID 856 wrote to memory of 824 856 net.exe net1.exe PID 856 wrote to memory of 824 856 net.exe net1.exe PID 856 wrote to memory of 824 856 net.exe net1.exe PID 1768 wrote to memory of 576 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 576 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 576 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 1768 wrote to memory of 576 1768 a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe net.exe PID 576 wrote to memory of 564 576 net.exe net1.exe PID 576 wrote to memory of 564 576 net.exe net1.exe PID 576 wrote to memory of 564 576 net.exe net1.exe PID 576 wrote to memory of 564 576 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe"C:\Users\Admin\AppData\Local\Temp\a03b770fa1d34e746978d995bf887a731ff4d523b6cb0d9eff15831839593c11.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\net.exenet stop nethttpservice2⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop nethttpservice3⤵PID:952
-
C:\Windows\SysWOW64\net.exenet stop serviceupdater2⤵
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop serviceupdater3⤵PID:1872
-
C:\Windows\SysWOW64\installd.exe"C:\Windows\system32\installd.exe" nethfdrv2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\nethtsrv.exe"C:\Windows\system32\nethtsrv.exe" -nfdi2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\netupdsrv.exe"C:\Windows\system32\netupdsrv.exe" -nfdi2⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\net.exenet start nethttpservice2⤵
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start nethttpservice3⤵PID:824
-
C:\Windows\SysWOW64\net.exenet start serviceupdater2⤵
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start serviceupdater3⤵PID:564
-
C:\Windows\SysWOW64\nethtsrv.exeC:\Windows\SysWOW64\nethtsrv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
C:\Windows\SysWOW64\netupdsrv.exeC:\Windows\SysWOW64\netupdsrv.exe1⤵
- Executes dropped EXE
PID:1720
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
106KB
MD50947099e72f06e63d88e70bea824a63a
SHA11267e43e81a873e6e826242653e3b9cf52398ea0
SHA256423a1d4381fc1d68fb7ad243ea471014259c8b7482e26508dcb8a7c34c919ca1
SHA5121b5baed1385f44c01ec828e2e322ace08fb123c19ed55087062a8e997fd296dc1cddef2431fa5d563290b51116810b095d426a48b880d3d0dcdec51940f8f0d9
-
Filesize
244KB
MD5f5b3520aabc6b83b32374efa5508e81a
SHA1db70c3fe122949384d9034aaefb232993c3fb37f
SHA256db504bcae4370bab5986d62c9fa26c14998e8977c414b61d72aa6def1ea255e0
SHA512915b0fcb8ff414b39e1ca2380f0cc440655755ffb8afc4efc9754c01fc90c6813e80db65533d2c127d81f7ad380cf07cf6cafaa188a85c0cd0855620c35c657f
-
Filesize
108KB
MD5822046f72e67a2404d765b8b0ab1f3b3
SHA16016783ae6901989b7cbd1a4ec405d41017c302a
SHA2566e1928d2427c4a9efdb657793d2c9d4069c344404a50bfb2ca9716cf3afce373
SHA512fb4225b14100c2731584f9a4698fb55bbfe41234827f03fad5f0a5691b3c3269a9e245aea25695e57029e3c9cb946f565bbb916776474de9872e61977c05d1ba
-
Filesize
176KB
MD5ef089a3bc1f6c39afed00bfce0a9c403
SHA1d4724d7667c75bd499d717c2f57af439448d1c57
SHA256274f2dda560a66241639b0bea36039b209e53bd446deabb85102b302e2693320
SHA512b23c4af49199b5626d3c00629988b9b98f473fff8fc77957fc38f220f3dcc2f8869c0f728a311182a50c2f38d813cf846d11662d70abe6f25abde2a24d4a8e01
-
Filesize
176KB
MD5ef089a3bc1f6c39afed00bfce0a9c403
SHA1d4724d7667c75bd499d717c2f57af439448d1c57
SHA256274f2dda560a66241639b0bea36039b209e53bd446deabb85102b302e2693320
SHA512b23c4af49199b5626d3c00629988b9b98f473fff8fc77957fc38f220f3dcc2f8869c0f728a311182a50c2f38d813cf846d11662d70abe6f25abde2a24d4a8e01
-
Filesize
158KB
MD54ef89c1e908911171108bb6235a5356e
SHA14f46f5f22fd5d4f147270f59ce7a1092e8a3f8da
SHA256f7642d6ffc48b6f96986b0ae532ae4cf57868fe2278fcdf23140072ed2cecad5
SHA512cee05a0e6ed463b027a9d9e26d777d5159b84aa4b76a1cbed480843ae4b4600c3137fc0a77babcead36a26867429489c34755526e6b72a01ee78059b4ec883a2
-
Filesize
158KB
MD54ef89c1e908911171108bb6235a5356e
SHA14f46f5f22fd5d4f147270f59ce7a1092e8a3f8da
SHA256f7642d6ffc48b6f96986b0ae532ae4cf57868fe2278fcdf23140072ed2cecad5
SHA512cee05a0e6ed463b027a9d9e26d777d5159b84aa4b76a1cbed480843ae4b4600c3137fc0a77babcead36a26867429489c34755526e6b72a01ee78059b4ec883a2
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
106KB
MD50947099e72f06e63d88e70bea824a63a
SHA11267e43e81a873e6e826242653e3b9cf52398ea0
SHA256423a1d4381fc1d68fb7ad243ea471014259c8b7482e26508dcb8a7c34c919ca1
SHA5121b5baed1385f44c01ec828e2e322ace08fb123c19ed55087062a8e997fd296dc1cddef2431fa5d563290b51116810b095d426a48b880d3d0dcdec51940f8f0d9
-
Filesize
106KB
MD50947099e72f06e63d88e70bea824a63a
SHA11267e43e81a873e6e826242653e3b9cf52398ea0
SHA256423a1d4381fc1d68fb7ad243ea471014259c8b7482e26508dcb8a7c34c919ca1
SHA5121b5baed1385f44c01ec828e2e322ace08fb123c19ed55087062a8e997fd296dc1cddef2431fa5d563290b51116810b095d426a48b880d3d0dcdec51940f8f0d9
-
Filesize
106KB
MD50947099e72f06e63d88e70bea824a63a
SHA11267e43e81a873e6e826242653e3b9cf52398ea0
SHA256423a1d4381fc1d68fb7ad243ea471014259c8b7482e26508dcb8a7c34c919ca1
SHA5121b5baed1385f44c01ec828e2e322ace08fb123c19ed55087062a8e997fd296dc1cddef2431fa5d563290b51116810b095d426a48b880d3d0dcdec51940f8f0d9
-
Filesize
244KB
MD5f5b3520aabc6b83b32374efa5508e81a
SHA1db70c3fe122949384d9034aaefb232993c3fb37f
SHA256db504bcae4370bab5986d62c9fa26c14998e8977c414b61d72aa6def1ea255e0
SHA512915b0fcb8ff414b39e1ca2380f0cc440655755ffb8afc4efc9754c01fc90c6813e80db65533d2c127d81f7ad380cf07cf6cafaa188a85c0cd0855620c35c657f
-
Filesize
244KB
MD5f5b3520aabc6b83b32374efa5508e81a
SHA1db70c3fe122949384d9034aaefb232993c3fb37f
SHA256db504bcae4370bab5986d62c9fa26c14998e8977c414b61d72aa6def1ea255e0
SHA512915b0fcb8ff414b39e1ca2380f0cc440655755ffb8afc4efc9754c01fc90c6813e80db65533d2c127d81f7ad380cf07cf6cafaa188a85c0cd0855620c35c657f
-
Filesize
108KB
MD5822046f72e67a2404d765b8b0ab1f3b3
SHA16016783ae6901989b7cbd1a4ec405d41017c302a
SHA2566e1928d2427c4a9efdb657793d2c9d4069c344404a50bfb2ca9716cf3afce373
SHA512fb4225b14100c2731584f9a4698fb55bbfe41234827f03fad5f0a5691b3c3269a9e245aea25695e57029e3c9cb946f565bbb916776474de9872e61977c05d1ba
-
Filesize
176KB
MD5ef089a3bc1f6c39afed00bfce0a9c403
SHA1d4724d7667c75bd499d717c2f57af439448d1c57
SHA256274f2dda560a66241639b0bea36039b209e53bd446deabb85102b302e2693320
SHA512b23c4af49199b5626d3c00629988b9b98f473fff8fc77957fc38f220f3dcc2f8869c0f728a311182a50c2f38d813cf846d11662d70abe6f25abde2a24d4a8e01
-
Filesize
158KB
MD54ef89c1e908911171108bb6235a5356e
SHA14f46f5f22fd5d4f147270f59ce7a1092e8a3f8da
SHA256f7642d6ffc48b6f96986b0ae532ae4cf57868fe2278fcdf23140072ed2cecad5
SHA512cee05a0e6ed463b027a9d9e26d777d5159b84aa4b76a1cbed480843ae4b4600c3137fc0a77babcead36a26867429489c34755526e6b72a01ee78059b4ec883a2