5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83

Analysis

max time kernel
204s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
Size

601KB
MD5

ee32f3d36eb6b1520fddebfca70132f7
SHA1

8006e4df9b5c025e69115d935457fa402ecf66a7
SHA256

5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83
SHA512

dd2ea81ed774a4fa8bcde8e927e697fbf0959e48721ebfae406af55973217898b029741160c888e1d5d78313e6e124690ddbef48d0aa61ef9eea6b0dc6b8418a
SSDEEP

12288:fIny5DYTDePpQG1IhMjhLz2V1zQKQdMd9Yy6c/sZpAiP:HUTDM+UJN2DBMc/kAi

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

1648 installd.exe
1172 nethtsrv.exe
956 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe

pid	process
1648	installd.exe
1172	nethtsrv.exe
956	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exeinstalld.exenethtsrv.exe

pid	process
1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
1648	installd.exe
1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
1172	nethtsrv.exe
1172	nethtsrv.exe
1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
File created	C:\Windows\SysWOW64\installd.exe	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe

Drops file in Program Files directory 3 IoCs

Processes:

5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exenet.exenet.exe

description	pid	process	target process
PID 1368 wrote to memory of 1548	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1368 wrote to memory of 1548	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1368 wrote to memory of 1548	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1368 wrote to memory of 1548	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1548 wrote to memory of 1076	1548	net.exe	net1.exe
PID 1548 wrote to memory of 1076	1548	net.exe	net1.exe
PID 1548 wrote to memory of 1076	1548	net.exe	net1.exe
PID 1548 wrote to memory of 1076	1548	net.exe	net1.exe
PID 1368 wrote to memory of 1780	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1368 wrote to memory of 1780	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1368 wrote to memory of 1780	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1368 wrote to memory of 1780	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	net.exe
PID 1780 wrote to memory of 392	1780	net.exe	net1.exe
PID 1780 wrote to memory of 392	1780	net.exe	net1.exe
PID 1780 wrote to memory of 392	1780	net.exe	net1.exe
PID 1780 wrote to memory of 392	1780	net.exe	net1.exe
PID 1368 wrote to memory of 1648	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	installd.exe
PID 1368 wrote to memory of 1648	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	installd.exe
PID 1368 wrote to memory of 1648	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	installd.exe
PID 1368 wrote to memory of 1648	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	installd.exe
PID 1368 wrote to memory of 1648	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	installd.exe
PID 1368 wrote to memory of 1648	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	installd.exe
PID 1368 wrote to memory of 1648	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	installd.exe
PID 1368 wrote to memory of 1172	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	nethtsrv.exe
PID 1368 wrote to memory of 1172	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	nethtsrv.exe
PID 1368 wrote to memory of 1172	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	nethtsrv.exe
PID 1368 wrote to memory of 1172	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	nethtsrv.exe
PID 1368 wrote to memory of 956	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	netupdsrv.exe
PID 1368 wrote to memory of 956	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	netupdsrv.exe
PID 1368 wrote to memory of 956	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	netupdsrv.exe
PID 1368 wrote to memory of 956	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	netupdsrv.exe
PID 1368 wrote to memory of 956	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	netupdsrv.exe
PID 1368 wrote to memory of 956	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	netupdsrv.exe
PID 1368 wrote to memory of 956	1368	5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe
"C:\Users\Admin\AppData\Local\Temp\5513eaf26d3dcd8ac81d5e1f025fb46be3445eb38e6b01018dae4f5110962c83.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1076

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:392

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a6a173b3ef17ad0515505e9d5038e54d

SHA1
63b5c35dc3bb76d4dd34d87102dc74d2278b360c

SHA256
78885b6b0f524fabf782687ce7b5a3adb609dbb9e0d6ff8546549637622c486f

SHA512
7c2dfefbcdb12145928a3173b5312f974439dec8ec2e61513d169ebe7ab4b93a9566ad73c218895065bbc5daba4e3ef42c10d6b9cce80fb737e028d5fd70c0dd

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
4b8eb32d21fc5f94b7e164f5dafa567d

SHA1
712db03e8f85b3d884eb81461e838e41a7815d9f

SHA256
d4861c2a10cc53494f6802f8ba1b32be1efd9de4f9b7f3cdc441dbca283cfa81

SHA512
2dcd7176710604f49bd260ac196069ddcfc94ff4b35903b828fba2f7d5db38c2e7748076fd2fd1ab4d94532e42d973ab7a197273c07ff2d317fba88cbf932c77

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
b74446f9881f44666e129335ec246325

SHA1
a6715aa3868b6d2544467e12d93f76c0895eb905

SHA256
b4b0ae057d12729b79ac9351363cdeb16c8fad1c6c77198824b08f8245c155ce

SHA512
4e6d398bffc6778d7924a1f884d2e8119db71a5187b5f91a2788467676dbb9f4ef445be436d5b30934286cf940071b9157c5f7246326fbb06d64780f02015600

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
d033f4fcc54cf9ee5420d81c286b08e3

SHA1
a34f675f7b887c1f168cbc74ef95383108239b60

SHA256
c8a5d173ee6f5db01dbd9a6e5e8923eb0305984c29a91c3c804d75080572d967

SHA512
9cb4e1fd675a0082a5bfaafa132db398c0daba57d2e878f96c439e9cc391ee3eee63d5140f4890091abfdd7cdbd8af776e758b8de601f80e9da49cf301fd2ceb

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
23427dcc308a7428032729d9fcacbcab

SHA1
1782e36f65b73e3338e89d85ce96acbe6be15884

SHA256
000ab25b6ffe7d3973a37574cb10516f3dd8fd206469f99f43bf8f8df4087acb

SHA512
58931acdbf76d275c3ceaaae5494e6a9f77582e1881d8d67816980361b9f486c644c7889cf4807276679b20714dcce487081321217af7a010166869d21d64ac8

Download Submit
\Users\Admin\AppData\Local\Temp\nsk9ED2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsk9ED2.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsk9ED2.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a6a173b3ef17ad0515505e9d5038e54d

SHA1
63b5c35dc3bb76d4dd34d87102dc74d2278b360c

SHA256
78885b6b0f524fabf782687ce7b5a3adb609dbb9e0d6ff8546549637622c486f

SHA512
7c2dfefbcdb12145928a3173b5312f974439dec8ec2e61513d169ebe7ab4b93a9566ad73c218895065bbc5daba4e3ef42c10d6b9cce80fb737e028d5fd70c0dd

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a6a173b3ef17ad0515505e9d5038e54d

SHA1
63b5c35dc3bb76d4dd34d87102dc74d2278b360c

SHA256
78885b6b0f524fabf782687ce7b5a3adb609dbb9e0d6ff8546549637622c486f

SHA512
7c2dfefbcdb12145928a3173b5312f974439dec8ec2e61513d169ebe7ab4b93a9566ad73c218895065bbc5daba4e3ef42c10d6b9cce80fb737e028d5fd70c0dd

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
4b8eb32d21fc5f94b7e164f5dafa567d

SHA1
712db03e8f85b3d884eb81461e838e41a7815d9f

SHA256
d4861c2a10cc53494f6802f8ba1b32be1efd9de4f9b7f3cdc441dbca283cfa81

SHA512
2dcd7176710604f49bd260ac196069ddcfc94ff4b35903b828fba2f7d5db38c2e7748076fd2fd1ab4d94532e42d973ab7a197273c07ff2d317fba88cbf932c77

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
b74446f9881f44666e129335ec246325

SHA1
a6715aa3868b6d2544467e12d93f76c0895eb905

SHA256
b4b0ae057d12729b79ac9351363cdeb16c8fad1c6c77198824b08f8245c155ce

SHA512
4e6d398bffc6778d7924a1f884d2e8119db71a5187b5f91a2788467676dbb9f4ef445be436d5b30934286cf940071b9157c5f7246326fbb06d64780f02015600

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
d033f4fcc54cf9ee5420d81c286b08e3

SHA1
a34f675f7b887c1f168cbc74ef95383108239b60

SHA256
c8a5d173ee6f5db01dbd9a6e5e8923eb0305984c29a91c3c804d75080572d967

SHA512
9cb4e1fd675a0082a5bfaafa132db398c0daba57d2e878f96c439e9cc391ee3eee63d5140f4890091abfdd7cdbd8af776e758b8de601f80e9da49cf301fd2ceb

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
23427dcc308a7428032729d9fcacbcab

SHA1
1782e36f65b73e3338e89d85ce96acbe6be15884

SHA256
000ab25b6ffe7d3973a37574cb10516f3dd8fd206469f99f43bf8f8df4087acb

SHA512
58931acdbf76d275c3ceaaae5494e6a9f77582e1881d8d67816980361b9f486c644c7889cf4807276679b20714dcce487081321217af7a010166869d21d64ac8

Download Submit
memory/392-63-0x0000000000000000-mapping.dmp

Download
memory/956-77-0x0000000000000000-mapping.dmp

Download
memory/1076-60-0x0000000000000000-mapping.dmp

Download
memory/1172-71-0x0000000000000000-mapping.dmp

Download
memory/1368-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1368-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1368-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download
memory/1648-65-0x0000000000000000-mapping.dmp

Download
memory/1780-62-0x0000000000000000-mapping.dmp

Download