Analysis

  • max time kernel
    391s
  • max time network
    434s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 10:22

General

  • Target

    787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe

  • Size

    601KB

  • MD5

    96cf44f446235ffd820f0e1b67216054

  • SHA1

    3fc9773f73dfc7a0b98aa631beca619934a3b1e2

  • SHA256

    787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5

  • SHA512

    f8190285d5d97cd6ce854b3d279b8f0aa294907d04497b149995d677c47e5f14485ca9dc77b0cf5a75395cdcd0ebf0cfc22258cb52ef436076be5e89d1fec291

  • SSDEEP

    12288:eIny5DYTt1c0TvQKujATgkRRQbMNy3pzu+M:AUTtRTIBMlEu2u+

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe
    "C:\Users\Admin\AppData\Local\Temp\787f7eb53f3746316f013a4dcfc5a1235c4ababbdea57b87c8d946d312ac1ad5.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\SysWOW64\net.exe
      net stop nethttpservice
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop nethttpservice
        3⤵
          PID:1492
      • C:\Windows\SysWOW64\net.exe
        net stop serviceupdater
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop serviceupdater
          3⤵
            PID:3584
        • C:\Windows\SysWOW64\installd.exe
          "C:\Windows\system32\installd.exe" nethfdrv
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4960

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\System.dll

        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      • C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      • C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      • C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      • C:\Users\Admin\AppData\Local\Temp\nsy569A.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      • C:\Windows\SysWOW64\hfnapi.dll

        Filesize

        106KB

        MD5

        7e6b601fe5429da25f30ef294e91491f

        SHA1

        c7f2b5b6bba8f57334ed339df6558ffe9a45bca7

        SHA256

        0bbcba6135d5302ba7adfc2b3d7b8143e9d6089cfd3a93e7168e64ce33d909cf

        SHA512

        25b630a390a99f99ab9083cb3495516f935ca86f8003301128cfbaa7a2543725428008bbcc3c52a08fd209b45475d555908e90144658cb0470504a64d99baf41

      • C:\Windows\SysWOW64\hfnapi.dll

        Filesize

        106KB

        MD5

        7e6b601fe5429da25f30ef294e91491f

        SHA1

        c7f2b5b6bba8f57334ed339df6558ffe9a45bca7

        SHA256

        0bbcba6135d5302ba7adfc2b3d7b8143e9d6089cfd3a93e7168e64ce33d909cf

        SHA512

        25b630a390a99f99ab9083cb3495516f935ca86f8003301128cfbaa7a2543725428008bbcc3c52a08fd209b45475d555908e90144658cb0470504a64d99baf41

      • C:\Windows\SysWOW64\installd.exe

        Filesize

        108KB

        MD5

        55e7afb612d71590350fa541e5c3b995

        SHA1

        ae27e33e0325888129bb954eddb4aa0125b976e9

        SHA256

        b8e1d62728edd98f84d1780bfdaab4d32ff905c5f8d4c394f27b97382110b436

        SHA512

        9fe2cd87af5c71639819973f4a35e28025a88dc136d9dd4e890f71dd3518fd20ad7fa02e41d1416343f44e75de480a3c0f840cd42254883e87129559fe118f2e

      • C:\Windows\SysWOW64\installd.exe

        Filesize

        108KB

        MD5

        55e7afb612d71590350fa541e5c3b995

        SHA1

        ae27e33e0325888129bb954eddb4aa0125b976e9

        SHA256

        b8e1d62728edd98f84d1780bfdaab4d32ff905c5f8d4c394f27b97382110b436

        SHA512

        9fe2cd87af5c71639819973f4a35e28025a88dc136d9dd4e890f71dd3518fd20ad7fa02e41d1416343f44e75de480a3c0f840cd42254883e87129559fe118f2e

      • memory/1492-138-0x0000000000000000-mapping.dmp

      • memory/2348-137-0x0000000000000000-mapping.dmp

      • memory/2772-141-0x0000000000000000-mapping.dmp

      • memory/3584-142-0x0000000000000000-mapping.dmp

      • memory/4324-133-0x0000000000360000-0x00000000007BE000-memory.dmp

        Filesize

        4.4MB

      • memory/4324-132-0x0000000000360000-0x00000000007BE000-memory.dmp

        Filesize

        4.4MB

      • memory/4960-143-0x0000000000000000-mapping.dmp