787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5

Analysis

max time kernel
391s
max time network
434s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
Size

601KB
MD5

96cf44f446235ffd820f0e1b67216054
SHA1

3fc9773f73dfc7a0b98aa631beca619934a3b1e2
SHA256

787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5
SHA512

f8190285d5d97cd6ce854b3d279b8f0aa294907d04497b149995d677c47e5f14485ca9dc77b0cf5a75395cdcd0ebf0cfc22258cb52ef436076be5e89d1fec291
SSDEEP

12288:eIny5DYTt1c0TvQKujATgkRRQbMNy3pzu+M:AUTtRTIBMlEu2u+

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
Executes dropped EXE 1 IoCs

Processes:

installd.exe

pid process

4960 installd.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe

pid	process
4960	installd.exe

Loads dropped DLL 6 IoCs

Processes:

787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exeinstalld.exe

pid	process
4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
4960	installd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfpapi.dll	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
File created	C:\Windows\SysWOW64\installd.exe	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe

Drops file in Program Files directory 3 IoCs

Processes:

787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exenet.exenet.exe

description	pid	process	target process
PID 4324 wrote to memory of 2348	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	net.exe
PID 4324 wrote to memory of 2348	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	net.exe
PID 4324 wrote to memory of 2348	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	net.exe
PID 2348 wrote to memory of 1492	2348	net.exe	net1.exe
PID 2348 wrote to memory of 1492	2348	net.exe	net1.exe
PID 2348 wrote to memory of 1492	2348	net.exe	net1.exe
PID 4324 wrote to memory of 2772	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	net.exe
PID 4324 wrote to memory of 2772	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	net.exe
PID 4324 wrote to memory of 2772	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	net.exe
PID 2772 wrote to memory of 3584	2772	net.exe	net1.exe
PID 2772 wrote to memory of 3584	2772	net.exe	net1.exe
PID 2772 wrote to memory of 3584	2772	net.exe	net1.exe
PID 4324 wrote to memory of 4960	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	installd.exe
PID 4324 wrote to memory of 4960	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	installd.exe
PID 4324 wrote to memory of 4960	4324	787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe	installd.exe

C:\Users\Admin\AppData\Local\Temp\787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
"C:\Users\Admin\AppData\Local\Temp\787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1492

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:3584

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
7e6b601fe5429da25f30ef294e91491f

SHA1
c7f2b5b6bba8f57334ed339df6558ffe9a45bca7

SHA256
0bbcba6135d5302ba7adfc2b3d7b8143e9d6089cfd3a93e7168e64ce33d909cf

SHA512
25b630a390a99f99ab9083cb3495516f935ca86f8003301128cfbaa7a2543725428008bbcc3c52a08fd209b45475d555908e90144658cb0470504a64d99baf41

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
7e6b601fe5429da25f30ef294e91491f

SHA1
c7f2b5b6bba8f57334ed339df6558ffe9a45bca7

SHA256
0bbcba6135d5302ba7adfc2b3d7b8143e9d6089cfd3a93e7168e64ce33d909cf

SHA512
25b630a390a99f99ab9083cb3495516f935ca86f8003301128cfbaa7a2543725428008bbcc3c52a08fd209b45475d555908e90144658cb0470504a64d99baf41

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
55e7afb612d71590350fa541e5c3b995

SHA1
ae27e33e0325888129bb954eddb4aa0125b976e9

SHA256
b8e1d62728edd98f84d1780bfdaab4d32ff905c5f8d4c394f27b97382110b436

SHA512
9fe2cd87af5c71639819973f4a35e28025a88dc136d9dd4e890f71dd3518fd20ad7fa02e41d1416343f44e75de480a3c0f840cd42254883e87129559fe118f2e

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
55e7afb612d71590350fa541e5c3b995

SHA1
ae27e33e0325888129bb954eddb4aa0125b976e9

SHA256
b8e1d62728edd98f84d1780bfdaab4d32ff905c5f8d4c394f27b97382110b436

SHA512
9fe2cd87af5c71639819973f4a35e28025a88dc136d9dd4e890f71dd3518fd20ad7fa02e41d1416343f44e75de480a3c0f840cd42254883e87129559fe118f2e

Download Submit
memory/1492-138-0x0000000000000000-mapping.dmp

Download
memory/2348-137-0x0000000000000000-mapping.dmp

Download
memory/2772-141-0x0000000000000000-mapping.dmp

Download
memory/3584-142-0x0000000000000000-mapping.dmp

Download
memory/4324-133-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/4324-132-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/4960-143-0x0000000000000000-mapping.dmp

Download