Analysis
max time kernel: 45s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 10:20
Static task: static1
Behavioral task: behavioral1
  Sample: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe
  Resource: win10v2004-20220812-en
General
Target: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe
Size: 601KB
MD5: 1d2b5ae27f7561f9dacb02a6780323d6
SHA1: c2a00ea0de8042b11cd1cc3e572998ffe1af323c
SHA256: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117
SHA512: b4a7cc1f822ac33b000fa669fdeb06e7b84d65f743a33b3b3d8c4c813a5e484a8253d12e80a50ed5a8bdb1d2191637dba968b124c12baf355166bd1a5e495181
SSDEEP: 12288:UIny5DYTtuGYEDGsUfFH/4ZhQNS8ZOwYZg8:SUTtuGUHyQNfZug8
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\system32\drivers\nethfdrv.sys  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
Executes dropped EXE (5 IoCs)
  PID   Process
  1988  installd.exe
  1160  nethtsrv.exe
  1560  netupdsrv.exe
  2012  nethtsrv.exe
  964   netupdsrv.exe
Loads dropped DLL (13 IoCs)
  PID   Process
  684   87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe  (x4)
  1988  installd.exe
  684   87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe
  1160  nethtsrv.exe  (x2)
  684   87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe  (x2)
  2012  nethtsrv.exe  (x2)
  684   87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (5 IoCs)
  File created: C:\Windows\SysWOW64\hfnapi.dll  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
  File created: C:\Windows\SysWOW64\hfpapi.dll  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
  File created: C:\Windows\SysWOW64\installd.exe  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
  File created: C:\Windows\SysWOW64\nethtsrv.exe  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
  File created: C:\Windows\SysWOW64\netupdsrv.exe  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Common Files\Config\data.xml  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
  File created: C:\Program Files (x86)\Common Files\Config\ver.xml  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
  File created: C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe  (process: 87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs net.exe
Suspicious behavior: LoadsDriver (1 IoC)
  PID: 464
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2012  nethtsrv.exe
Suspicious use of WriteProcessMemory (50 IoCs)
  PID 684 (87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe) wrote to memory of PID 1108 (net.exe)  x4
  PID 1108 (net.exe) wrote to memory of PID 2020 (net1.exe)  x4
  PID 684 (87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe) wrote to memory of PID 2040 (net.exe)  x4
  PID 2040 (net.exe) wrote to memory of PID 1972 (net1.exe)  x4
  PID 684 (87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe) wrote to memory of PID 1988 (installd.exe)  x7
  PID 684 (87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe) wrote to memory of PID 1160 (nethtsrv.exe)  x4
  PID 684 (87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe) wrote to memory of PID 1560 (netupdsrv.exe)  x7
  PID 684 (87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe) wrote to memory of PID 308 (net.exe)  x4
  PID 308 (net.exe) wrote to memory of PID 1556 (net1.exe)  x4
  PID 684 (87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe) wrote to memory of PID 1048 (net.exe)  x4
  PID 1048 (net.exe) wrote to memory of PID 1636 (net1.exe)  x4
Processes

C:\Users\Admin\AppData\Local\Temp\87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe  (PID 684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\87028f1eb2f405b5cf6d5c9545d85fae9c1922e9034f170848490d6401c20117.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\net.exe  (PID 1108)
    Command line: net stop nethttpservice
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 2020)
      Command line: C:\Windows\system32\net1 stop nethttpservice

  C:\Windows\SysWOW64\net.exe  (PID 2040)
    Command line: net stop serviceupdater
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 1972)
      Command line: C:\Windows\system32\net1 stop serviceupdater

  C:\Windows\SysWOW64\installd.exe  (PID 1988)
    Command line: "C:\Windows\system32\installd.exe" nethfdrv
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\nethtsrv.exe  (PID 1160)
    Command line: "C:\Windows\system32\nethtsrv.exe" -nfdi
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\netupdsrv.exe  (PID 1560)
    Command line: "C:\Windows\system32\netupdsrv.exe" -nfdi
    - Executes dropped EXE

  C:\Windows\SysWOW64\net.exe  (PID 308)
    Command line: net start nethttpservice
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 1556)
      Command line: C:\Windows\system32\net1 start nethttpservice

  C:\Windows\SysWOW64\net.exe  (PID 1048)
    Command line: net start serviceupdater
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 1636)
      Command line: C:\Windows\system32\net1 start serviceupdater

C:\Windows\SysWOW64\nethtsrv.exe  (PID 2012)
  Command line: C:\Windows\SysWOW64\nethtsrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\netupdsrv.exe  (PID 964)
  Command line: C:\Windows\SysWOW64\netupdsrv.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 106KB
MD5: d52f63e93f4872fba2889396b4084e60
SHA1: b698b387b28d1c33a04db7c7f5f9a784cb03151f
SHA256: af7837913273e02bd3844820491a715901a03d30dc81b55660e921cffd573ab3
SHA512: 347983c5831b03e86c4193da3e1a36d60e710e0f506d3df0726fc29b518380757dc37355fc7822d93cd8e2deda5d03ed75e13a024292b9571137585ead68d249

Filesize: 241KB
MD5: fc55758829f2150e77f190c7b7881b97
SHA1: b17d7a67dc5e7a6121b06e3cd7575d4521a8e1ba
SHA256: f28afe1ce9c4301915c2f22f263a39c8d27a90d90c52cf2461c344e081f06ab7
SHA512: f7e27fad889858dfeac97d5401cc0eb9b1d56005381f4c4df216d8f605cf18f550b2338d40f664f05205199fb85fabbdb65dc36f43d64291b76a6a89442ecc1c

Filesize: 108KB
MD5: c1b413b0c224b359b35c38a5e35febb9
SHA1: 439736847e8d19da841e643cb1ba2ddc94530bc8
SHA256: 9434094d6b33f89ce169488415637676858967b22370f2c464b735353a5bb2c8
SHA512: e10c3be51057888ef6102831e1e3b71133e33855506bb3b18c65b1d2f101c5e80cae6234a76c08dfa64f393a9192eea38616a12901ad60e343dee9aa55dd2b0d

Filesize: 176KB
MD5: 807ce748a80b59d0b63f139d6a536a4a
SHA1: e85b1f8029002331d2c6936314beb18dab85fc17
SHA256: 80623f40795798dc5c1548bf09ff17de2520decf02fe6e14ed768c8b44a369ea
SHA512: a341081e618710cee284ef59861beceaf5740d221886265345e0bf92d061a0d65066e1b2ea6fafeda355bd9fa082867174524a4abbd95d469f72db386d78ee4d

Filesize: 158KB
MD5: 84855d09d4f7132dabfa667812e022b7
SHA1: 3f032eaf682d0712ddb83357a5c8305ce55b2aeb
SHA256: c92b9fb9a69e0ff308fa0908c968639f25411d6825eace67c475a9fb248640c7
SHA512: a49f2fe8090d56dd97f3e86d553c791b80d8ccac7b6fc64d4f87683ad09c40531b269e96c6f43f763cc9c4a76f0efc9b16c03199e82251d1abca700f849355b9

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 6KB
MD5: acc2b699edfea5bf5aae45aba3a41e96
SHA1: d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512: e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe