83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770

Analysis

max time kernel
232s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
Size

603KB
MD5

be5813d26e47895764fbe5a954ddddbd
SHA1

955d5b73683eddc2e7bab0290fcb40237091848b
SHA256

83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770
SHA512

199c15ceedc96edf121059ded6fda9e416f9f2611b75b9bfe2a8ed1825a32728d906f2509e34f48997055a060df87c572f55d8644421c772681d12df64f92286
SSDEEP

12288:OIny5DYTmItP60D+v2ePNXhUh+b6+KXLynLW5olum6WLt+:QUTmwPszxUx+KXLyq5q+

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

1548 installd.exe
280 nethtsrv.exe
1080 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe

pid	process
1548	installd.exe
280	nethtsrv.exe
1080	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exeinstalld.exenethtsrv.exe

pid	process
472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
1548	installd.exe
472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
280	nethtsrv.exe
280	nethtsrv.exe
472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
File created	C:\Windows\SysWOW64\installd.exe	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe

Drops file in Program Files directory 3 IoCs

Processes:

83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exenet.exenet.exe

description	pid	process	target process
PID 472 wrote to memory of 1704	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 472 wrote to memory of 1704	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 472 wrote to memory of 1704	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 472 wrote to memory of 1704	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 1704 wrote to memory of 1824	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1824	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1824	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1824	1704	net.exe	net1.exe
PID 472 wrote to memory of 1724	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 472 wrote to memory of 1724	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 472 wrote to memory of 1724	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 472 wrote to memory of 1724	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	net.exe
PID 1724 wrote to memory of 1588	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1588	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1588	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1588	1724	net.exe	net1.exe
PID 472 wrote to memory of 1548	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	installd.exe
PID 472 wrote to memory of 1548	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	installd.exe
PID 472 wrote to memory of 1548	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	installd.exe
PID 472 wrote to memory of 1548	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	installd.exe
PID 472 wrote to memory of 1548	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	installd.exe
PID 472 wrote to memory of 1548	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	installd.exe
PID 472 wrote to memory of 1548	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	installd.exe
PID 472 wrote to memory of 280	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	nethtsrv.exe
PID 472 wrote to memory of 280	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	nethtsrv.exe
PID 472 wrote to memory of 280	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	nethtsrv.exe
PID 472 wrote to memory of 280	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	nethtsrv.exe
PID 472 wrote to memory of 1080	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	netupdsrv.exe
PID 472 wrote to memory of 1080	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	netupdsrv.exe
PID 472 wrote to memory of 1080	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	netupdsrv.exe
PID 472 wrote to memory of 1080	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	netupdsrv.exe
PID 472 wrote to memory of 1080	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	netupdsrv.exe
PID 472 wrote to memory of 1080	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	netupdsrv.exe
PID 472 wrote to memory of 1080	472	83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe
"C:\Users\Admin\AppData\Local\Temp\83f80eaddfa59514296c40147ab834d3aece280db02e6a7c5f276de8b7bff770.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1824

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1588

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
573debdcf8e5a3480af56fbabcdb3f08

SHA1
69d3b25c56027aa966a9665c4ad65b57cbf53f5f

SHA256
87cbfa813786dbc939e7bf108c844390b12fcd6df230225184728ad13ffc9866

SHA512
30494b0832312966572ed06970bacdb5abbfe84ce5872fde876be069a9ecf02c904fa704d015ee73fb3b251aa1dc3d4d20f7dfcc8256de7071cc7397666f38d0

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
243KB

MD5
f407419f0c9e51a25b4e7cacf3fe1b76

SHA1
4dc5147ea12fd7b8625204726975ab36c2f3a52d

SHA256
24692c95fc2f391419c800cbe5fdaec3c25054bf0f3f3ebe064868e3e7c116ca

SHA512
074ac475b20e489f0f101c019ef2538f88d9ef413757a3ecd23d9613a0c022469d01bfbdf0aa6615be63b970384ceeb73d3ccf77b380b3625f5abc86e64f9cad

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
ea19c0ed1420671d74886fa2de98a578

SHA1
e5c1fe066aa62148ae7e8d6e64eb3db52834e97c

SHA256
7a717e699a788df8e2d7ea5f4b58cc6575f8f5768207e5899796d799696b02ed

SHA512
23d5f63e0bbb7c642cafafa12aac5f33ff8be1ad762f80ba18381b122ac4952d5ad3c53b112cde8eb4bab0271aa93cf3c071acb0a5f9b2d4a95c402bf771a327

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
2c15131d615e547e9eddd61e69e29f2d

SHA1
60cabf4f68fd511c431814ddd258b73dd4e2f33d

SHA256
b00bb0e752be1ab45c114686d6d2670f51c70ed6c78fb68c4a69e1d6d36d50f1

SHA512
875bcd82a133eabf4888c10ffbfcf762db66870aaef478856b43eeb3dea57f22c4b799e07896722acf10665f39f312b3212bb815fef42b37ac727ffebcfdd4ed

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
c53d7b297e5eef2afb2d131eadc15cd6

SHA1
a925f51c2ad827619db300fa59162646e3cbcfb3

SHA256
41498aeaa24404cbc71a77441dda631b5e8925a11252e6ab03dbd3e5d1055058

SHA512
5eeaaa681ee3dbd2d4d7544da084a72cf124455bae5975d2af12b8c10f2e78d724db7b19d682cc6e706e8212ef075f7dd3ab5b7350b10ac21f9a8f632bf6a3ae

Download Submit
\Users\Admin\AppData\Local\Temp\nsf5A15.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsf5A15.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsf5A15.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
573debdcf8e5a3480af56fbabcdb3f08

SHA1
69d3b25c56027aa966a9665c4ad65b57cbf53f5f

SHA256
87cbfa813786dbc939e7bf108c844390b12fcd6df230225184728ad13ffc9866

SHA512
30494b0832312966572ed06970bacdb5abbfe84ce5872fde876be069a9ecf02c904fa704d015ee73fb3b251aa1dc3d4d20f7dfcc8256de7071cc7397666f38d0

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
573debdcf8e5a3480af56fbabcdb3f08

SHA1
69d3b25c56027aa966a9665c4ad65b57cbf53f5f

SHA256
87cbfa813786dbc939e7bf108c844390b12fcd6df230225184728ad13ffc9866

SHA512
30494b0832312966572ed06970bacdb5abbfe84ce5872fde876be069a9ecf02c904fa704d015ee73fb3b251aa1dc3d4d20f7dfcc8256de7071cc7397666f38d0

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
243KB

MD5
f407419f0c9e51a25b4e7cacf3fe1b76

SHA1
4dc5147ea12fd7b8625204726975ab36c2f3a52d

SHA256
24692c95fc2f391419c800cbe5fdaec3c25054bf0f3f3ebe064868e3e7c116ca

SHA512
074ac475b20e489f0f101c019ef2538f88d9ef413757a3ecd23d9613a0c022469d01bfbdf0aa6615be63b970384ceeb73d3ccf77b380b3625f5abc86e64f9cad

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
ea19c0ed1420671d74886fa2de98a578

SHA1
e5c1fe066aa62148ae7e8d6e64eb3db52834e97c

SHA256
7a717e699a788df8e2d7ea5f4b58cc6575f8f5768207e5899796d799696b02ed

SHA512
23d5f63e0bbb7c642cafafa12aac5f33ff8be1ad762f80ba18381b122ac4952d5ad3c53b112cde8eb4bab0271aa93cf3c071acb0a5f9b2d4a95c402bf771a327

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
2c15131d615e547e9eddd61e69e29f2d

SHA1
60cabf4f68fd511c431814ddd258b73dd4e2f33d

SHA256
b00bb0e752be1ab45c114686d6d2670f51c70ed6c78fb68c4a69e1d6d36d50f1

SHA512
875bcd82a133eabf4888c10ffbfcf762db66870aaef478856b43eeb3dea57f22c4b799e07896722acf10665f39f312b3212bb815fef42b37ac727ffebcfdd4ed

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
c53d7b297e5eef2afb2d131eadc15cd6

SHA1
a925f51c2ad827619db300fa59162646e3cbcfb3

SHA256
41498aeaa24404cbc71a77441dda631b5e8925a11252e6ab03dbd3e5d1055058

SHA512
5eeaaa681ee3dbd2d4d7544da084a72cf124455bae5975d2af12b8c10f2e78d724db7b19d682cc6e706e8212ef075f7dd3ab5b7350b10ac21f9a8f632bf6a3ae

Download Submit
memory/280-71-0x0000000000000000-mapping.dmp

Download
memory/472-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/472-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/472-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1080-77-0x0000000000000000-mapping.dmp

Download
memory/1548-64-0x0000000000000000-mapping.dmp

Download
memory/1588-62-0x0000000000000000-mapping.dmp

Download
memory/1704-58-0x0000000000000000-mapping.dmp

Download
memory/1724-61-0x0000000000000000-mapping.dmp

Download
memory/1824-59-0x0000000000000000-mapping.dmp

Download