Analysis
max time kernel: 183s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 10:31
Static task: static1
Behavioral task: behavioral1
  Sample: 26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe
  Resource: win10v2004-20221111-en
General
Target: 26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe
Size: 602KB
MD5: 762816f13bf33e8b4a36ab8b650c8a6a
SHA1: e1c58d6c922add149ee0525fd066074a6a77209f
SHA256: 26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306
SHA512: 0d1b60b0a33fbb469c156e8592f4e8a3bc41a8738540a643c4fa7ad2befc3015bd0636ad55740ccaae72f17827a01216e434cb01ac673ea1abb29dc7d55b38eb
SSDEEP: 12288:cIny5DYTgrFdN0GwvRfxgm83sYgNyWqiJvwH5U:6UTghXgRfh8jiRwZ
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
  Process: 26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe
  File created: C:\Windows\system32\drivers\nethfdrv.sys

Executes dropped EXE (5 IoCs)
  PID 4448  installd.exe
  PID 4680  nethtsrv.exe
  PID 1700  netupdsrv.exe
  PID 2752  nethtsrv.exe
  PID 3052  netupdsrv.exe

Loads dropped DLL (14 IoCs)
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe (9 entries)
  PID 4448  installd.exe (1 entry)
  PID 4680  nethtsrv.exe (2 entries)
  PID 2752  nethtsrv.exe (2 entries)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (5 IoCs)
  Process: 26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe
  File created: C:\Windows\SysWOW64\hfpapi.dll
  File created: C:\Windows\SysWOW64\installd.exe
  File created: C:\Windows\SysWOW64\nethtsrv.exe
  File created: C:\Windows\SysWOW64\netupdsrv.exe
  File created: C:\Windows\SysWOW64\hfnapi.dll

Drops file in Program Files directory (3 IoCs)
  Process: 26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe
  File created: C:\Program Files (x86)\Common Files\Config\data.xml
  File created: C:\Program Files (x86)\Common Files\Config\ver.xml
  File created: C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (1 IoC)
  Process: nethtsrv.exe
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Runs net.exe

Suspicious behavior: LoadsDriver (1 IoC)
  PID 664 (process name not recorded)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2752  nethtsrv.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (33 IoCs; each of the 11 entries below was recorded three times)
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe  wrote to  PID 4352  net.exe
  PID 4352  net.exe  wrote to  PID 4176  net1.exe
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe  wrote to  PID 4604  net.exe
  PID 4604  net.exe  wrote to  PID 3448  net1.exe
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe  wrote to  PID 4448  installd.exe
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe  wrote to  PID 4680  nethtsrv.exe
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe  wrote to  PID 1700  netupdsrv.exe
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe  wrote to  PID 1656  net.exe
  PID 1656  net.exe  wrote to  PID 4584  net1.exe
  PID 2372  26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe  wrote to  PID 4272  net.exe
  PID 4272  net.exe  wrote to  PID 696  net1.exe
Processes

C:\Users\Admin\AppData\Local\Temp\26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe (PID 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26bdd9f7de671ed157eb020d9359b1be741503322f442dae3868946a0f368306.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\net.exe (PID 4352)
    Command line: net stop nethttpservice
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe (PID 4176)
      Command line: C:\Windows\system32\net1 stop nethttpservice

  C:\Windows\SysWOW64\net.exe (PID 4604)
    Command line: net stop serviceupdater
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe (PID 3448)
      Command line: C:\Windows\system32\net1 stop serviceupdater

  C:\Windows\SysWOW64\installd.exe (PID 4448)
    Command line: "C:\Windows\system32\installd.exe" nethfdrv
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\nethtsrv.exe (PID 4680)
    Command line: "C:\Windows\system32\nethtsrv.exe" -nfdi
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\netupdsrv.exe (PID 1700)
    Command line: "C:\Windows\system32\netupdsrv.exe" -nfdi
    - Executes dropped EXE

  C:\Windows\SysWOW64\net.exe (PID 1656)
    Command line: net start nethttpservice
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe (PID 4584)
      Command line: C:\Windows\system32\net1 start nethttpservice

  C:\Windows\SysWOW64\net.exe (PID 4272)
    Command line: net start serviceupdater
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe (PID 696)
      Command line: C:\Windows\system32\net1 start serviceupdater

C:\Windows\SysWOW64\nethtsrv.exe (PID 2752)
  Command line: C:\Windows\SysWOW64\nethtsrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\netupdsrv.exe (PID 3052)
  Command line: C:\Windows\SysWOW64\netupdsrv.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
Filesize: 6KB
  MD5: acc2b699edfea5bf5aae45aba3a41e96
  SHA1: d2accf4d494e43ceb2cff69abe4dd17147d29cc2
  SHA256: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
  SHA512: e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
Filesize: 106KB
  MD5: 32bcbb88206de605bf22ea460ded225a
  SHA1: c46630e5bc1b46b19d4431e294e3e19988328a63
  SHA256: cdb081bba5358a79e960ea56799a8797b7c9991f39f271367751c45e6344313c
  SHA512: 4754c09233f7b2d6087fb6322dde72fc2f6ef71756521ff0c34098d2e95848cdda804a0632d9a750930ff94866e2672a2e470efd12ec314b2bdd538bd5687070
Filesize: 241KB
  MD5: 73fd2d9cc685a4d20d4aa37f1d68c3d3
  SHA1: 31256cc6141d33fb2ccaf7733462330d1d6f13a7
  SHA256: 2f2f09e8425b1ecf120f5142dfbea7284de1cd37cebe2e383181d7c742c8d64e
  SHA512: 4a2899c079bb76683498fe27b93dbb28ea96069e2e110bdb14be408942831fb83448ef8c10b856da87650a43081208ca9868951e428caf2cfc9a7096cff84ca2
Filesize: 108KB
  MD5: 6eb73d001db44f83fa6c127c1509485c
  SHA1: d9944475620845b071cedc545b17211b5352b9f1
  SHA256: f2a07addf0b168698069ec90f07e604d4282b9e668dfa048bf08c5d594387af1
  SHA512: d7421eb2947d103148117c6675424df91b57fa22289f95388fbb59ff443ff3c615a045fa4c7f48c21ad2e4192746549cc9cbd8e333cf9fa465905e45f1c99a76
Filesize: 176KB
  MD5: 65729d9e79e53140eec38b8c16753149
  SHA1: d427b31a5b9d7179a9e449e041e51d0bc43ef7fc
  SHA256: 0aa2135266ba754dd0cf519a78230a7dca800916f40604bd8a40232b0fc4720b
  SHA512: a5df083bbb0f6abe7446f39d454b4e22742eac469f31a446513a69d2806a83e797e7964a98f33c0df2f79d8b363cd718e192ad0c135b42bdec504bd442cc662d
Filesize: 158KB
  MD5: 4a30720f2431f3956fa02760b74470a0
  SHA1: 2b92803df0f6b26aa5bb0e09b3eb749a49a2c136
  SHA256: e17beb416487101e6d6ceed6f712f8481d415417397a91a9a25eb521ffab0c93
  SHA512: 0ad96d5f72442044cca930a79d48b627e12f5230096f2e8cac471cfbd1ab8d7f187afdfe6fe0f29c2b620e96a6efb04f26b8d68b7132b8fc45d0389677b3559a