1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846

Analysis

max time kernel
220s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
Size

601KB
MD5

461bb904393f3443a5fcb2c43a85409a
SHA1

55cae7f126dc743252e7ca1d9cebba9d0e387a41
SHA256

1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846
SHA512

5ba1758449d3dd997f9ff7a6bd1aaebd42aed77c0406b71f97c71722c915bcd1a12a1f305fa5184379355670d54eec6781c8423ac08bf3683c9294285578ccb4
SSDEEP

12288:vIny5DYTtEt8UINTpTZUpU+McCrPhnXex65UfCSuB0KZGCW:3UTtE+UgTzMU+q05fzuB0RC

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

900 installd.exe
1224 nethtsrv.exe
932 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe

pid	process
900	installd.exe
1224	nethtsrv.exe
932	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exeinstalld.exenethtsrv.exe

pid	process
472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
900	installd.exe
472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
1224	nethtsrv.exe
1224	nethtsrv.exe
472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
File created	C:\Windows\SysWOW64\installd.exe	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe

Drops file in Program Files directory 3 IoCs

Processes:

1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exenet.exenet.exe

description	pid	process	target process
PID 472 wrote to memory of 436	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 472 wrote to memory of 436	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 472 wrote to memory of 436	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 472 wrote to memory of 436	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 436 wrote to memory of 1844	436	net.exe	net1.exe
PID 436 wrote to memory of 1844	436	net.exe	net1.exe
PID 436 wrote to memory of 1844	436	net.exe	net1.exe
PID 436 wrote to memory of 1844	436	net.exe	net1.exe
PID 472 wrote to memory of 832	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 472 wrote to memory of 832	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 472 wrote to memory of 832	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 472 wrote to memory of 832	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	net.exe
PID 832 wrote to memory of 1788	832	net.exe	net1.exe
PID 832 wrote to memory of 1788	832	net.exe	net1.exe
PID 832 wrote to memory of 1788	832	net.exe	net1.exe
PID 832 wrote to memory of 1788	832	net.exe	net1.exe
PID 472 wrote to memory of 900	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	installd.exe
PID 472 wrote to memory of 900	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	installd.exe
PID 472 wrote to memory of 900	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	installd.exe
PID 472 wrote to memory of 900	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	installd.exe
PID 472 wrote to memory of 900	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	installd.exe
PID 472 wrote to memory of 900	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	installd.exe
PID 472 wrote to memory of 900	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	installd.exe
PID 472 wrote to memory of 1224	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	nethtsrv.exe
PID 472 wrote to memory of 1224	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	nethtsrv.exe
PID 472 wrote to memory of 1224	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	nethtsrv.exe
PID 472 wrote to memory of 1224	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	nethtsrv.exe
PID 472 wrote to memory of 932	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	netupdsrv.exe
PID 472 wrote to memory of 932	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	netupdsrv.exe
PID 472 wrote to memory of 932	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	netupdsrv.exe
PID 472 wrote to memory of 932	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	netupdsrv.exe
PID 472 wrote to memory of 932	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	netupdsrv.exe
PID 472 wrote to memory of 932	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	netupdsrv.exe
PID 472 wrote to memory of 932	472	1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe
"C:\Users\Admin\AppData\Local\Temp\1f93b6ac48af0680767be4635faf335d46556d3a3cb3e7b2cdf452bd49793846.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1844

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1788

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
0cad97764e0d3d7780f76375543daf04

SHA1
532b3c7b7109ee445fac4fac8753e5628abe9506

SHA256
c4244c36a0e6310c3061a8fd0588f353ba5110a854d0d4bf831b81f20ff42ec9

SHA512
8ef771ed8b70d2b7d1c276261a6e1489d2d04e41ba3d3903c049626af9fe365dd1adca77485b34a469f288cd9ea8b841ea3cd0d74a9fca57db7f5eab8afcad75

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
dcbcd9d472f34f1816897d7a0b24f38f

SHA1
4116fba5356df3b35b25a683267de3d067ac5ee9

SHA256
92b159fd2312d55d5f4cf1d414fbce179a9a971b38ca292012fdb4ee7e94d882

SHA512
36136f961359b6e362f75f45c35e2add00f6b767cc9db293772b83492eee307969917873df75dc3e976e39a472906697fb0e1a5f1494e0550bd546d833827e23

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
fd5b9934773bfe005539d09f9e7ec997

SHA1
69a9fe766ac232f46b505309ad32dfa6a7d07dba

SHA256
be4e661412dc075247cc41c8756009b85028ed1cf5124624078bf38675f56486

SHA512
53d1271a819e43ff57322d0d1acfd463b3878f66ddf0fa8726f08589d91755ee53bfabc8de0595a2936bcf4e884e47902cfb9c9c1218ca3166cd0dccc3307e89

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
47959d43ae6c14fc0fb49b1931c03cf2

SHA1
93e0942efc61d79f5c30febc0ddf419e86bc4291

SHA256
39cd573fa6a9e1705705bcccafffb521d1b0ae83341fb2680fbee95882b8ab93

SHA512
c42565659b2056aaab19a8076da82e4f960f1bf8eb90f7efef53192678ffa47ff3be956cfea13369c95ee8d2a529569f86835722232ac350c17fd3119e29c9c5

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
6d92662470fa2d2eb844422f2fc09bd0

SHA1
daf0c84199be15c3d82dcf50ad52b1fa1cf35561

SHA256
967f065642443edd3b4cb9b4334d309895167372d9159d9df72b9427dabea8f5

SHA512
192f124e795c48a2d82819e5f368c9dad6ab708b70cb83266b403b0f449bc9356ece75f91e1a98b02add6a1a93e42997878303e857ce4cf6856e52142842c1c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsp74E5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsp74E5.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp74E5.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
0cad97764e0d3d7780f76375543daf04

SHA1
532b3c7b7109ee445fac4fac8753e5628abe9506

SHA256
c4244c36a0e6310c3061a8fd0588f353ba5110a854d0d4bf831b81f20ff42ec9

SHA512
8ef771ed8b70d2b7d1c276261a6e1489d2d04e41ba3d3903c049626af9fe365dd1adca77485b34a469f288cd9ea8b841ea3cd0d74a9fca57db7f5eab8afcad75

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
0cad97764e0d3d7780f76375543daf04

SHA1
532b3c7b7109ee445fac4fac8753e5628abe9506

SHA256
c4244c36a0e6310c3061a8fd0588f353ba5110a854d0d4bf831b81f20ff42ec9

SHA512
8ef771ed8b70d2b7d1c276261a6e1489d2d04e41ba3d3903c049626af9fe365dd1adca77485b34a469f288cd9ea8b841ea3cd0d74a9fca57db7f5eab8afcad75

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
dcbcd9d472f34f1816897d7a0b24f38f

SHA1
4116fba5356df3b35b25a683267de3d067ac5ee9

SHA256
92b159fd2312d55d5f4cf1d414fbce179a9a971b38ca292012fdb4ee7e94d882

SHA512
36136f961359b6e362f75f45c35e2add00f6b767cc9db293772b83492eee307969917873df75dc3e976e39a472906697fb0e1a5f1494e0550bd546d833827e23

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
fd5b9934773bfe005539d09f9e7ec997

SHA1
69a9fe766ac232f46b505309ad32dfa6a7d07dba

SHA256
be4e661412dc075247cc41c8756009b85028ed1cf5124624078bf38675f56486

SHA512
53d1271a819e43ff57322d0d1acfd463b3878f66ddf0fa8726f08589d91755ee53bfabc8de0595a2936bcf4e884e47902cfb9c9c1218ca3166cd0dccc3307e89

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
47959d43ae6c14fc0fb49b1931c03cf2

SHA1
93e0942efc61d79f5c30febc0ddf419e86bc4291

SHA256
39cd573fa6a9e1705705bcccafffb521d1b0ae83341fb2680fbee95882b8ab93

SHA512
c42565659b2056aaab19a8076da82e4f960f1bf8eb90f7efef53192678ffa47ff3be956cfea13369c95ee8d2a529569f86835722232ac350c17fd3119e29c9c5

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
6d92662470fa2d2eb844422f2fc09bd0

SHA1
daf0c84199be15c3d82dcf50ad52b1fa1cf35561

SHA256
967f065642443edd3b4cb9b4334d309895167372d9159d9df72b9427dabea8f5

SHA512
192f124e795c48a2d82819e5f368c9dad6ab708b70cb83266b403b0f449bc9356ece75f91e1a98b02add6a1a93e42997878303e857ce4cf6856e52142842c1c4

Download Submit
memory/436-59-0x0000000000000000-mapping.dmp

Download
memory/472-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/472-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/472-56-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/832-62-0x0000000000000000-mapping.dmp

Download
memory/900-65-0x0000000000000000-mapping.dmp

Download
memory/932-77-0x0000000000000000-mapping.dmp

Download
memory/1224-71-0x0000000000000000-mapping.dmp

Download
memory/1788-63-0x0000000000000000-mapping.dmp

Download
memory/1844-60-0x0000000000000000-mapping.dmp

Download