4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f

Analysis

max time kernel
218s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
Size

602KB
MD5

db59f43b20a1c4c1328c1e9a06e968a2
SHA1

040235be412f8e5c397b35ccf318e6364739ea48
SHA256

4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f
SHA512

08a96a0cac10a27b7c1c89b933ced2412271f5094a616c21b3f10dbea90c770aed6dc35328360a705ca40a0e9a397524579341d6a9d302d34581ef7d87342e56
SSDEEP

12288:MIny5DYTW96p2d18Q1fvS9yjXQ2/u8ET6ig/Y95jXh:KUTW22o4fvSQTQ2/um/YT7

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

700 installd.exe
1656 nethtsrv.exe
1156 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe

pid	process
700	installd.exe
1656	nethtsrv.exe
1156	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exeinstalld.exenethtsrv.exe

pid	process
1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
700	installd.exe
1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
1656	nethtsrv.exe
1656	nethtsrv.exe
1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
File created	C:\Windows\SysWOW64\installd.exe	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe

Drops file in Program Files directory 3 IoCs

Processes:

4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exenet.exenet.exe

description	pid	process	target process
PID 1260 wrote to memory of 692	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 1260 wrote to memory of 692	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 1260 wrote to memory of 692	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 1260 wrote to memory of 692	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 692 wrote to memory of 2036	692	net.exe	net1.exe
PID 692 wrote to memory of 2036	692	net.exe	net1.exe
PID 692 wrote to memory of 2036	692	net.exe	net1.exe
PID 692 wrote to memory of 2036	692	net.exe	net1.exe
PID 1260 wrote to memory of 268	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 1260 wrote to memory of 268	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 1260 wrote to memory of 268	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 1260 wrote to memory of 268	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	net.exe
PID 268 wrote to memory of 1328	268	net.exe	net1.exe
PID 268 wrote to memory of 1328	268	net.exe	net1.exe
PID 268 wrote to memory of 1328	268	net.exe	net1.exe
PID 268 wrote to memory of 1328	268	net.exe	net1.exe
PID 1260 wrote to memory of 700	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	installd.exe
PID 1260 wrote to memory of 700	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	installd.exe
PID 1260 wrote to memory of 700	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	installd.exe
PID 1260 wrote to memory of 700	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	installd.exe
PID 1260 wrote to memory of 700	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	installd.exe
PID 1260 wrote to memory of 700	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	installd.exe
PID 1260 wrote to memory of 700	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	installd.exe
PID 1260 wrote to memory of 1656	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	nethtsrv.exe
PID 1260 wrote to memory of 1656	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	nethtsrv.exe
PID 1260 wrote to memory of 1656	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	nethtsrv.exe
PID 1260 wrote to memory of 1656	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	nethtsrv.exe
PID 1260 wrote to memory of 1156	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	netupdsrv.exe
PID 1260 wrote to memory of 1156	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	netupdsrv.exe
PID 1260 wrote to memory of 1156	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	netupdsrv.exe
PID 1260 wrote to memory of 1156	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	netupdsrv.exe
PID 1260 wrote to memory of 1156	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	netupdsrv.exe
PID 1260 wrote to memory of 1156	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	netupdsrv.exe
PID 1260 wrote to memory of 1156	1260	4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe
"C:\Users\Admin\AppData\Local\Temp\4c0a71e2caca9075c02b5f16921ecdb589b85cdf0c41a4d9e879f13e60b7ce5f.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:2036

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1328

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a6941b53ef6a75c6e2d57aa5a964147d

SHA1
28bf563203bb4a0b7c8ae0f31147cb585e500960

SHA256
e30cbb931978c2b9a80361810c25a3a1b621de33d8d5cf44cee579edfb9f6383

SHA512
3e3fbc3a16ed5541426136eae9d183ee79f68fc1841ae884fbea44f10921c22cf9e885dfe68329955a29d31af94a5aeddf55b2bb8f0f009e1df2a7c194d33aba

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
c801f816db254d78b0ea7a437d1459da

SHA1
6c2ab18fee9bde07055b0df50c23be8372bab0f6

SHA256
a3f8e104517cc6fed625a633c6c6ee3844d1331c56191a7f472aca8cfcbfcff6

SHA512
5d4c384236e7062cb103a55136cb6e71796358a44879a2d65a622242554504299c85a03e7b5e11c0d9a671348d87efe96484de954bb63c155163b1a257213e13

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
fb9dd3fe43db91b5c9de82551ec1557e

SHA1
081d1391c3b1fac70d5c91bdbb44da041b58cb8b

SHA256
0a69d1c04433c231a12e04902c4dee0f06975efdc4a314d1e897bcd3927b076e

SHA512
30d86016e7a84f1111ee5c48df05bd940e8383477094b08d064e1b64d7ea6fe5b1016c97d905a12a4d4198e4134444555a343872f673a9d20757e77d13665fda

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
cd4fb60b245429f2e8c397d5f6fdc734

SHA1
d0f6ca8962f3825fec7d9ed138ee4e17cdedf999

SHA256
eec75988930fde694a616b31479014fda14ea0d0588420a8505bb5e23f47e191

SHA512
5aedd2fcb290963f530d9f749f03464b97fe891b0a80b69379ee330d8724b3e2f275eda03581f15a1601d04088439909b05357d5ce9864e801b2a763414b86a8

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
49209f1d3ccfe87e57c9a0937df9f2f3

SHA1
23503a39fa3c3efc13ac5a865e5121398b1516ac

SHA256
3f059015c59f617f2bf780812b0dd6b00c01f3c99621abf4c9c1d01111f87688

SHA512
bca502d79328913f9c4a17f50e438a2eff095180f852272a1ce7163e61f23b4b2e776aaed4da06947bebb8dc1ea8de921f353b02aaf0b370cdf149fd7c73f907

Download Submit
\Users\Admin\AppData\Local\Temp\nsu5A82.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsu5A82.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsu5A82.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a6941b53ef6a75c6e2d57aa5a964147d

SHA1
28bf563203bb4a0b7c8ae0f31147cb585e500960

SHA256
e30cbb931978c2b9a80361810c25a3a1b621de33d8d5cf44cee579edfb9f6383

SHA512
3e3fbc3a16ed5541426136eae9d183ee79f68fc1841ae884fbea44f10921c22cf9e885dfe68329955a29d31af94a5aeddf55b2bb8f0f009e1df2a7c194d33aba

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a6941b53ef6a75c6e2d57aa5a964147d

SHA1
28bf563203bb4a0b7c8ae0f31147cb585e500960

SHA256
e30cbb931978c2b9a80361810c25a3a1b621de33d8d5cf44cee579edfb9f6383

SHA512
3e3fbc3a16ed5541426136eae9d183ee79f68fc1841ae884fbea44f10921c22cf9e885dfe68329955a29d31af94a5aeddf55b2bb8f0f009e1df2a7c194d33aba

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
c801f816db254d78b0ea7a437d1459da

SHA1
6c2ab18fee9bde07055b0df50c23be8372bab0f6

SHA256
a3f8e104517cc6fed625a633c6c6ee3844d1331c56191a7f472aca8cfcbfcff6

SHA512
5d4c384236e7062cb103a55136cb6e71796358a44879a2d65a622242554504299c85a03e7b5e11c0d9a671348d87efe96484de954bb63c155163b1a257213e13

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
fb9dd3fe43db91b5c9de82551ec1557e

SHA1
081d1391c3b1fac70d5c91bdbb44da041b58cb8b

SHA256
0a69d1c04433c231a12e04902c4dee0f06975efdc4a314d1e897bcd3927b076e

SHA512
30d86016e7a84f1111ee5c48df05bd940e8383477094b08d064e1b64d7ea6fe5b1016c97d905a12a4d4198e4134444555a343872f673a9d20757e77d13665fda

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
cd4fb60b245429f2e8c397d5f6fdc734

SHA1
d0f6ca8962f3825fec7d9ed138ee4e17cdedf999

SHA256
eec75988930fde694a616b31479014fda14ea0d0588420a8505bb5e23f47e191

SHA512
5aedd2fcb290963f530d9f749f03464b97fe891b0a80b69379ee330d8724b3e2f275eda03581f15a1601d04088439909b05357d5ce9864e801b2a763414b86a8

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
49209f1d3ccfe87e57c9a0937df9f2f3

SHA1
23503a39fa3c3efc13ac5a865e5121398b1516ac

SHA256
3f059015c59f617f2bf780812b0dd6b00c01f3c99621abf4c9c1d01111f87688

SHA512
bca502d79328913f9c4a17f50e438a2eff095180f852272a1ce7163e61f23b4b2e776aaed4da06947bebb8dc1ea8de921f353b02aaf0b370cdf149fd7c73f907

Download Submit
memory/268-61-0x0000000000000000-mapping.dmp

Download
memory/692-58-0x0000000000000000-mapping.dmp

Download
memory/700-64-0x0000000000000000-mapping.dmp

Download
memory/1156-77-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1260-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1260-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1328-62-0x0000000000000000-mapping.dmp

Download
memory/1656-71-0x0000000000000000-mapping.dmp

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download