614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe

Analysis

max time kernel
193s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
Size

602KB
MD5

28b1f733c2f7f13beae9ddd6f05a317b
SHA1

0151b392c459bc7880cf619b2e13fe6460fc6648
SHA256

614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe
SHA512

9dfc2a64ef4781c46638bf06d74c8f5958b98695d01d0fcada06e98a833daf7ad3a11ffd537f8aa918ccd5eca06e188e726814e89d95cf84ff67ea7a22e169aa
SSDEEP

12288:lIny5DYT0B9Nl9NSGMkNUAa+eLjtN4NZrFx:RUTk9N3MALe3toZ3

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

1408 installd.exe
1068 nethtsrv.exe
916 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe

pid	process
1408	installd.exe
1068	nethtsrv.exe
916	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exeinstalld.exenethtsrv.exe

pid	process
1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
1408	installd.exe
1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
1068	nethtsrv.exe
1068	nethtsrv.exe
1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfpapi.dll	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
File created	C:\Windows\SysWOW64\installd.exe	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe

Drops file in Program Files directory 3 IoCs

Processes:

614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exenet.exenet.exe

description	pid	process	target process
PID 1324 wrote to memory of 332	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 1324 wrote to memory of 332	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 1324 wrote to memory of 332	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 1324 wrote to memory of 332	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 332 wrote to memory of 1788	332	net.exe	net1.exe
PID 332 wrote to memory of 1788	332	net.exe	net1.exe
PID 332 wrote to memory of 1788	332	net.exe	net1.exe
PID 332 wrote to memory of 1788	332	net.exe	net1.exe
PID 1324 wrote to memory of 1812	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 1324 wrote to memory of 1812	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 1324 wrote to memory of 1812	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 1324 wrote to memory of 1812	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	net.exe
PID 1812 wrote to memory of 896	1812	net.exe	net1.exe
PID 1812 wrote to memory of 896	1812	net.exe	net1.exe
PID 1812 wrote to memory of 896	1812	net.exe	net1.exe
PID 1812 wrote to memory of 896	1812	net.exe	net1.exe
PID 1324 wrote to memory of 1408	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	installd.exe
PID 1324 wrote to memory of 1408	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	installd.exe
PID 1324 wrote to memory of 1408	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	installd.exe
PID 1324 wrote to memory of 1408	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	installd.exe
PID 1324 wrote to memory of 1408	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	installd.exe
PID 1324 wrote to memory of 1408	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	installd.exe
PID 1324 wrote to memory of 1408	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	installd.exe
PID 1324 wrote to memory of 1068	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	nethtsrv.exe
PID 1324 wrote to memory of 1068	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	nethtsrv.exe
PID 1324 wrote to memory of 1068	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	nethtsrv.exe
PID 1324 wrote to memory of 1068	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	nethtsrv.exe
PID 1324 wrote to memory of 916	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	netupdsrv.exe
PID 1324 wrote to memory of 916	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	netupdsrv.exe
PID 1324 wrote to memory of 916	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	netupdsrv.exe
PID 1324 wrote to memory of 916	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	netupdsrv.exe
PID 1324 wrote to memory of 916	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	netupdsrv.exe
PID 1324 wrote to memory of 916	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	netupdsrv.exe
PID 1324 wrote to memory of 916	1324	614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe
"C:\Users\Admin\AppData\Local\Temp\614baeb35184ef52bc52bcf78bd14572319eba272ebcabcf6087677760541dfe.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1788

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:896

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
d6d46fcc72cd0a240fe9fee3a19237a9

SHA1
5c5648a2b6eef2452d7a975842f18749941dc944

SHA256
f1538c16aea8af01fc818cf417e5bf1fb1f981f76e5c0ce752bf269adb6815c9

SHA512
fc5a7f4b02ffb03af63f26cf6d0f097e7e8efab6b1098a5f81cff25a5e80bc7c2c010ce33cf414f0875ab9f12b75fe65bf9cfcc972813ff8c6b29600c3bd02c1

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
67a7340b0853690aada4057a6c13111c

SHA1
ae8dd87b40f262eeba97cf7cd142c390dd0b1273

SHA256
b08ab15c118f317c4c1222ccebd64206b94c3c756e6e4172a5725c4f64dfabb3

SHA512
2bb8bb6b98dacf836335c0e211836ad85e812ba140663743395861df5491790d1e869bcf74867b22b95d37265d58cde8b7f1afce7fc3c1a62749bed826ac1820

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
0a0cd8d97e4581d96166a98069844076

SHA1
e8701eaa2662a0f7eefd0905e021bb5ee79e4f4a

SHA256
f4167e3bb8af911925811fd8d4a3b3c58341ea511dcbdcfb5cf78eeb13fdf52a

SHA512
7bf9fa2367711f4208a7ea4d996960703731b20d3a099f0783690d33099efe65dd5e10e56d38311c633c28a826ba2db8ec9b1cf5c0bee1bc91a0fd56ada0828e

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
a6a91021e3bcf763aeab3ba3aea8318c

SHA1
c3bddb7d50f6b75971ed6000e0e98757da0d02c5

SHA256
1ae1ca97589d4d2b705517eba90da4daf9bbd71586c26edfd7e7bd404a43c265

SHA512
1197798481dfc8bf455de4445851cf93d4e46a2f103b963c5541654c26bb8eba2f3d40ecf90e215f0c7b7d37d00f246890fa26a1c95a235a609c2080ce56468e

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
af4cfdd3880135e4491ef3b9cc3b458e

SHA1
f32c7490bd112fac9003c352b3143cd6f47852f4

SHA256
2b457b3ab9bf0d424648d68e3d8c69e313537930b9616e592af196dba0308261

SHA512
1b0e3ab3d23bd1be9beb55ccfec68dcf0ece48de2a65463513b1d659460bf3b2977db382942b608c0d66e90589c3ab12fb3f288e64a0bcea446a934c5ec68181

Download Submit
\Users\Admin\AppData\Local\Temp\nsp930F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsp930F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp930F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
d6d46fcc72cd0a240fe9fee3a19237a9

SHA1
5c5648a2b6eef2452d7a975842f18749941dc944

SHA256
f1538c16aea8af01fc818cf417e5bf1fb1f981f76e5c0ce752bf269adb6815c9

SHA512
fc5a7f4b02ffb03af63f26cf6d0f097e7e8efab6b1098a5f81cff25a5e80bc7c2c010ce33cf414f0875ab9f12b75fe65bf9cfcc972813ff8c6b29600c3bd02c1

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
d6d46fcc72cd0a240fe9fee3a19237a9

SHA1
5c5648a2b6eef2452d7a975842f18749941dc944

SHA256
f1538c16aea8af01fc818cf417e5bf1fb1f981f76e5c0ce752bf269adb6815c9

SHA512
fc5a7f4b02ffb03af63f26cf6d0f097e7e8efab6b1098a5f81cff25a5e80bc7c2c010ce33cf414f0875ab9f12b75fe65bf9cfcc972813ff8c6b29600c3bd02c1

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
67a7340b0853690aada4057a6c13111c

SHA1
ae8dd87b40f262eeba97cf7cd142c390dd0b1273

SHA256
b08ab15c118f317c4c1222ccebd64206b94c3c756e6e4172a5725c4f64dfabb3

SHA512
2bb8bb6b98dacf836335c0e211836ad85e812ba140663743395861df5491790d1e869bcf74867b22b95d37265d58cde8b7f1afce7fc3c1a62749bed826ac1820

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
0a0cd8d97e4581d96166a98069844076

SHA1
e8701eaa2662a0f7eefd0905e021bb5ee79e4f4a

SHA256
f4167e3bb8af911925811fd8d4a3b3c58341ea511dcbdcfb5cf78eeb13fdf52a

SHA512
7bf9fa2367711f4208a7ea4d996960703731b20d3a099f0783690d33099efe65dd5e10e56d38311c633c28a826ba2db8ec9b1cf5c0bee1bc91a0fd56ada0828e

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
a6a91021e3bcf763aeab3ba3aea8318c

SHA1
c3bddb7d50f6b75971ed6000e0e98757da0d02c5

SHA256
1ae1ca97589d4d2b705517eba90da4daf9bbd71586c26edfd7e7bd404a43c265

SHA512
1197798481dfc8bf455de4445851cf93d4e46a2f103b963c5541654c26bb8eba2f3d40ecf90e215f0c7b7d37d00f246890fa26a1c95a235a609c2080ce56468e

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
af4cfdd3880135e4491ef3b9cc3b458e

SHA1
f32c7490bd112fac9003c352b3143cd6f47852f4

SHA256
2b457b3ab9bf0d424648d68e3d8c69e313537930b9616e592af196dba0308261

SHA512
1b0e3ab3d23bd1be9beb55ccfec68dcf0ece48de2a65463513b1d659460bf3b2977db382942b608c0d66e90589c3ab12fb3f288e64a0bcea446a934c5ec68181

Download Submit
memory/332-58-0x0000000000000000-mapping.dmp

Download
memory/896-63-0x0000000000000000-mapping.dmp

Download
memory/916-77-0x0000000000000000-mapping.dmp

Download
memory/1068-71-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1324-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1324-56-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1408-65-0x0000000000000000-mapping.dmp

Download
memory/1788-60-0x0000000000000000-mapping.dmp

Download
memory/1812-62-0x0000000000000000-mapping.dmp

Download