1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5

Analysis

max time kernel
238s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
Size

601KB
MD5

f5883d4c0ff98d1a3ea6bdf26fbdb184
SHA1

5bf8ced2e7d0ba710d0dbc56f136755894619f92
SHA256

1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5
SHA512

b4ad4b5d33f461521e29cabb44641cc94bd51ddf0e9767bee5739dc5ae3bc875eb710a7ea189cb4ecc0feae5c611a492649e5c88e84d2dfba70a11771b940499
SSDEEP

12288:eIny5DYTqo/54rUI7EtiNmiewExiHuEI4d3nrT//vYw:AUTqo/2B7EtkbewEx+uF4d3rTHv

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

1108 installd.exe
1320 nethtsrv.exe
604 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe

pid	process
1108	installd.exe
1320	nethtsrv.exe
604	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exeinstalld.exenethtsrv.exe

pid	process
1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
1108	installd.exe
1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
1320	nethtsrv.exe
1320	nethtsrv.exe
1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\nethtsrv.exe	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
File created	C:\Windows\SysWOW64\installd.exe	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe

Drops file in Program Files directory 3 IoCs

Processes:

1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exenet.exenet.exe

description	pid	process	target process
PID 1260 wrote to memory of 668	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 1260 wrote to memory of 668	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 1260 wrote to memory of 668	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 1260 wrote to memory of 668	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 668 wrote to memory of 2032	668	net.exe	net1.exe
PID 668 wrote to memory of 2032	668	net.exe	net1.exe
PID 668 wrote to memory of 2032	668	net.exe	net1.exe
PID 668 wrote to memory of 2032	668	net.exe	net1.exe
PID 1260 wrote to memory of 1760	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 1260 wrote to memory of 1760	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 1260 wrote to memory of 1760	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 1260 wrote to memory of 1760	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	net.exe
PID 1760 wrote to memory of 1668	1760	net.exe	net1.exe
PID 1760 wrote to memory of 1668	1760	net.exe	net1.exe
PID 1760 wrote to memory of 1668	1760	net.exe	net1.exe
PID 1760 wrote to memory of 1668	1760	net.exe	net1.exe
PID 1260 wrote to memory of 1108	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	installd.exe
PID 1260 wrote to memory of 1108	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	installd.exe
PID 1260 wrote to memory of 1108	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	installd.exe
PID 1260 wrote to memory of 1108	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	installd.exe
PID 1260 wrote to memory of 1108	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	installd.exe
PID 1260 wrote to memory of 1108	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	installd.exe
PID 1260 wrote to memory of 1108	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	installd.exe
PID 1260 wrote to memory of 1320	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	nethtsrv.exe
PID 1260 wrote to memory of 1320	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	nethtsrv.exe
PID 1260 wrote to memory of 1320	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	nethtsrv.exe
PID 1260 wrote to memory of 1320	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	nethtsrv.exe
PID 1260 wrote to memory of 604	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	netupdsrv.exe
PID 1260 wrote to memory of 604	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	netupdsrv.exe
PID 1260 wrote to memory of 604	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	netupdsrv.exe
PID 1260 wrote to memory of 604	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	netupdsrv.exe
PID 1260 wrote to memory of 604	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	netupdsrv.exe
PID 1260 wrote to memory of 604	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	netupdsrv.exe
PID 1260 wrote to memory of 604	1260	1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe
"C:\Users\Admin\AppData\Local\Temp\1790f5a3888e72cf101ab352d80e31825b0984fc49e473182347f41712ca6fb5.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:2032

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1668

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
81d84d9604dce7fba3b756de6d5f745a

SHA1
30a6ad8b8ebae10e7d917eb4cddc91a2691e6fcb

SHA256
b61d3e4f34be66338d29e20b1a846b0f142092ce20306043bbb7e3a9b85c2113

SHA512
87731393536125d8e57e3b3c1fb31356fa842cc7ffadb87e2e4d465efe7a4e5402bcaceab7d7bc9a02ff4582a4d4d7ba66ddc62e425bfe3b5a2db3ceff7cd942

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
67d8a8917ba13440c32dc8e85c537e7d

SHA1
bd07b4478bc31a6408bf3139846dfc9647ef2f28

SHA256
442bcf3bf73339a3fd2021c159e868c3e65a4554ebe2157ac7c9232319b9706a

SHA512
7d91cba484e3fd51c99e79366709e70948a7eb504297d562d5797939fd04da8d4f2e11ca37d6bb0488103301dfa37967ac6ed7449ee0df3515f3b04fd5d11864

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
285cb86968957f26d78edd2cdda19dc7

SHA1
9f6b4a818009c8f3882dc7d42a9aceeeba66910e

SHA256
6301d2bf436a70548254945ec0ac8473fe9274241a39aae506a93c096fca5c1b

SHA512
b0c382bd466fb045aadbcc22e41912a6a86717fb03fe1be96be6b54a4ca4f5948ac213f67cbb0df6ea9ab432fd5f219b441201e75caa8ba5e0f74f00ab4d6f1b

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
769d2c148e692c81a096366c3b1f02ad

SHA1
10dab9e92c445f904d54df6f8c4ee61cb5d2249a

SHA256
8abb2136fcfc1ad6a7160f624836ecaf2542559407508577c22d919e7df01e73

SHA512
3726962cc11fae7751e4709a81167d5f5be9bbf4f40fd49663657d89d1cec1275282e3d048929c4b4413cf2e413e9712aa8bd66d28389d3625d5113ae02f2b88

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
d13824fb42a8ed2e83ee7b9fc694ab25

SHA1
a2a2fb97a9020c203691bf90bdad595947b0721d

SHA256
ac443196802f2b83bfd2d5e563c08f132fc2004b0df1fc9aa3334be0d0b018a4

SHA512
6ba1ef3d27ae9835828459443f0f65184d057caa4b966093a32dda3177848b1a953768b824186032fa6e895491031abb1bc9beac74e7e78ddb40dd71c9e32340

Download Submit
\Users\Admin\AppData\Local\Temp\nsz908F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsz908F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsz908F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
81d84d9604dce7fba3b756de6d5f745a

SHA1
30a6ad8b8ebae10e7d917eb4cddc91a2691e6fcb

SHA256
b61d3e4f34be66338d29e20b1a846b0f142092ce20306043bbb7e3a9b85c2113

SHA512
87731393536125d8e57e3b3c1fb31356fa842cc7ffadb87e2e4d465efe7a4e5402bcaceab7d7bc9a02ff4582a4d4d7ba66ddc62e425bfe3b5a2db3ceff7cd942

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
81d84d9604dce7fba3b756de6d5f745a

SHA1
30a6ad8b8ebae10e7d917eb4cddc91a2691e6fcb

SHA256
b61d3e4f34be66338d29e20b1a846b0f142092ce20306043bbb7e3a9b85c2113

SHA512
87731393536125d8e57e3b3c1fb31356fa842cc7ffadb87e2e4d465efe7a4e5402bcaceab7d7bc9a02ff4582a4d4d7ba66ddc62e425bfe3b5a2db3ceff7cd942

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
67d8a8917ba13440c32dc8e85c537e7d

SHA1
bd07b4478bc31a6408bf3139846dfc9647ef2f28

SHA256
442bcf3bf73339a3fd2021c159e868c3e65a4554ebe2157ac7c9232319b9706a

SHA512
7d91cba484e3fd51c99e79366709e70948a7eb504297d562d5797939fd04da8d4f2e11ca37d6bb0488103301dfa37967ac6ed7449ee0df3515f3b04fd5d11864

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
285cb86968957f26d78edd2cdda19dc7

SHA1
9f6b4a818009c8f3882dc7d42a9aceeeba66910e

SHA256
6301d2bf436a70548254945ec0ac8473fe9274241a39aae506a93c096fca5c1b

SHA512
b0c382bd466fb045aadbcc22e41912a6a86717fb03fe1be96be6b54a4ca4f5948ac213f67cbb0df6ea9ab432fd5f219b441201e75caa8ba5e0f74f00ab4d6f1b

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
769d2c148e692c81a096366c3b1f02ad

SHA1
10dab9e92c445f904d54df6f8c4ee61cb5d2249a

SHA256
8abb2136fcfc1ad6a7160f624836ecaf2542559407508577c22d919e7df01e73

SHA512
3726962cc11fae7751e4709a81167d5f5be9bbf4f40fd49663657d89d1cec1275282e3d048929c4b4413cf2e413e9712aa8bd66d28389d3625d5113ae02f2b88

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
d13824fb42a8ed2e83ee7b9fc694ab25

SHA1
a2a2fb97a9020c203691bf90bdad595947b0721d

SHA256
ac443196802f2b83bfd2d5e563c08f132fc2004b0df1fc9aa3334be0d0b018a4

SHA512
6ba1ef3d27ae9835828459443f0f65184d057caa4b966093a32dda3177848b1a953768b824186032fa6e895491031abb1bc9beac74e7e78ddb40dd71c9e32340

Download Submit
memory/604-77-0x0000000000000000-mapping.dmp

Download
memory/668-59-0x0000000000000000-mapping.dmp

Download
memory/1108-65-0x0000000000000000-mapping.dmp

Download
memory/1260-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1260-56-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1260-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1320-71-0x0000000000000000-mapping.dmp

Download
memory/1668-63-0x0000000000000000-mapping.dmp

Download
memory/1760-62-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download