Analysis

max time kernel: 82s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 10:35

Static task: static1
Behavioral task: behavioral1
  Sample: 027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe
  Resource: win10v2004-20220901-en

The behaviour below is from the win10v2004-20220901-en (behavioral2) run.
General

Target: 027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe
Size: 602KB
MD5: 568d1b4895455a08d9e52bd0288ffbff
SHA1: 44a4f118c5431ff7f64ed7c69e219efe7aa3c76c
SHA256: 027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73
SHA512: a714d8b248ab43ab55a8d3d197cc1ecf56c0e5206fe4c9099ed454e57ea8411e97fee825f090f9426d3a85b37b0db4aa1b759a5a386b2c2b11880972842d9fff
SSDEEP: 12288:DIny5DYTjyT9qK7uriCq0ontT6obFjKJsd+ydxUbsbT2zf8W1S+iHI:LUTjyH7uriCqdnh60U+DUbg2zf87
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
  File created  C:\Windows\system32\drivers\nethfdrv.sys  by 027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe
Executes dropped EXE (5 IoCs)
  PID 4068  installd.exe
  PID 3032  nethtsrv.exe
  PID 3712  netupdsrv.exe
  PID 1532  nethtsrv.exe
  PID 2872  netupdsrv.exe
Loads dropped DLL (14 IoCs, in order of occurrence; the report does not name the DLLs loaded)
  PID 3796  027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  (5 loads)
  PID 4068  installd.exe  (1 load)
  PID 3032  nethtsrv.exe  (2 loads)
  PID 3796  027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  (2 loads)
  PID 1532  nethtsrv.exe  (2 loads)
  PID 3796  027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  (2 loads)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (5 IoCs, all by 027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe)
  File created  C:\Windows\SysWOW64\installd.exe
  File created  C:\Windows\SysWOW64\nethtsrv.exe
  File created  C:\Windows\SysWOW64\netupdsrv.exe
  File created  C:\Windows\SysWOW64\hfnapi.dll
  File created  C:\Windows\SysWOW64\hfpapi.dll
Drops file in Program Files directory (3 IoCs, all by 027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe)
  File created  C:\Program Files (x86)\Common Files\Config\data.xml
  File created  C:\Program Files (x86)\Common Files\Config\ver.xml
  File created  C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no mass file writes or renames, no ransom note) supports that reading for this sample.
Modifies data under HKEY_USERS (1 IoC)
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  by nethtsrv.exe
  The .DEFAULT hive is the LocalSystem account's profile, so this write is consistent with nethtsrv.exe (PID 1532, which has no parent in the process tree) running as a service rather than in the user's session.
Runs net.exe
-
Suspicious behavior: LoadsDriver (1 IoC)
  PID 656 (image name not recorded in the report)
  The report does not name the driver either; the only driver written during the run is C:\Windows\system32\drivers\nethfdrv.sys, and "nethfdrv" is also the argument passed to installd.exe in the process tree.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1532  nethtsrv.exe
Suspicious use of WriteProcessMemory (33 IoCs; each source/target pair is recorded three times)
  source PID  source process                  target PID  target process
  3796        027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  444   net.exe
  444         net.exe                         3932        net1.exe
  3796        027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  4240  net.exe
  4240        net.exe                         4992        net1.exe
  3796        027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  4068  installd.exe
  3796        027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  3032  nethtsrv.exe
  3796        027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  3712  netupdsrv.exe
  3796        027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  1472  net.exe
  1472        net.exe                         540         net1.exe
  3796        027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  1948  net.exe
  1948        net.exe                         4028        net1.exe
  Every write is from a parent into a child it has just created (compare the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes (left column is tree depth)

1  C:\Users\Admin\AppData\Local\Temp\027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe  (PID 3796)
   command line: "C:\Users\Admin\AppData\Local\Temp\027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe"
   signatures: Drops file in Drivers directory; Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\net.exe  (PID 444)
      command line: net stop nethttpservice
      signatures: Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\net1.exe  (PID 3932)
         command line: C:\Windows\system32\net1 stop nethttpservice
   2  C:\Windows\SysWOW64\net.exe  (PID 4240)
      command line: net stop serviceupdater
      signatures: Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\net1.exe  (PID 4992)
         command line: C:\Windows\system32\net1 stop serviceupdater
   2  C:\Windows\SysWOW64\installd.exe  (PID 4068)
      command line: "C:\Windows\system32\installd.exe" nethfdrv
      signatures: Executes dropped EXE; Loads dropped DLL
   2  C:\Windows\SysWOW64\nethtsrv.exe  (PID 3032)
      command line: "C:\Windows\system32\nethtsrv.exe" -nfdi
      signatures: Executes dropped EXE; Loads dropped DLL
   2  C:\Windows\SysWOW64\netupdsrv.exe  (PID 3712)
      command line: "C:\Windows\system32\netupdsrv.exe" -nfdi
      signatures: Executes dropped EXE
   2  C:\Windows\SysWOW64\net.exe  (PID 1472)
      command line: net start nethttpservice
      signatures: Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\net1.exe  (PID 540)
         command line: C:\Windows\system32\net1 start nethttpservice
   2  C:\Windows\SysWOW64\net.exe  (PID 1948)
      command line: net start serviceupdater
      signatures: Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\net1.exe  (PID 4028)
         command line: C:\Windows\system32\net1 start serviceupdater

1  C:\Windows\SysWOW64\nethtsrv.exe  (PID 1532)
   command line: C:\Windows\SysWOW64\nethtsrv.exe
   signatures: Executes dropped EXE; Loads dropped DLL; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken

1  C:\Windows\SysWOW64\netupdsrv.exe  (PID 2872)
   command line: C:\Windows\SysWOW64\netupdsrv.exe
   signatures: Executes dropped EXE

Reading the tree: the dropper first stops two services by name (nethttpservice, serviceupdater), writes its payloads, runs installd.exe with the argument nethfdrv (the base name of the dropped driver), runs nethtsrv.exe and netupdsrv.exe once each with -nfdi, and then starts the two services. The second nethtsrv.exe (PID 1532) and netupdsrv.exe (PID 2872) have no parent in the tree and appear after the net start commands, which is consistent with them being the service instances launched by the Service Control Manager. The command lines reference C:\Windows\system32\..., but the images that actually ran are under C:\Windows\SysWOW64\, so the dropper and its payloads are 32-bit binaries subject to WOW64 file-system redirection on this x64 image. The report does not say what -nfdi means.
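Added example, not code from the report or from the sample's authors: a Python hunt that applies the install pattern seen in the process tree above to Sysmon-style process-create (EID 1) and file-create (EID 11) events, i.e. one process that writes a .sys into \drivers, drops PE files into System32/SysWOW64, and then stops and starts services through net.exe, credited back to the real caller even when the command is recorded under net1.exe. The file paths, service names and SHA-256 values are taken from this report; the event records, the dropper's parent PID, the benign "net start spooler" control case and the pairing of report hashes with particular file names are constructed for the example.

```python
"""Hunt Sysmon-style events for the driver-drop + service-restart install pattern.

Added example, not the report's or the sample's own code.  Sample events and the
hash-to-filename pairings are constructed; IoC values come from the report.
"""
import re
from collections import defaultdict

# Dropped paths listed in the report (lower-cased for comparison).
REPORT_PATHS = {
    r"c:\windows\system32\drivers\nethfdrv.sys",
    r"c:\windows\syswow64\installd.exe",
    r"c:\windows\syswow64\nethtsrv.exe",
    r"c:\windows\syswow64\netupdsrv.exe",
    r"c:\windows\syswow64\hfnapi.dll",
    r"c:\windows\syswow64\hfpapi.dll",
    r"c:\program files (x86)\common files\config\data.xml",
    r"c:\program files (x86)\common files\config\ver.xml",
    r"c:\program files (x86)\common files\config\uninstinethnfd.exe",
}
# Service names the dropper stops and starts via net.exe in the report.
REPORT_SERVICES = {"nethttpservice", "serviceupdater"}
# SHA-256 values from the report's Downloads list; the report does not say
# which dropped file each one belongs to.
REPORT_SHA256 = {
    "dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f",
    "168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e",
    "1448ae24bebe4b3119cc0dd7c64669da1499f054498d87f51966f983976bb9e5",
    "bab35e90b6f30113c8a4076c36c269db0174cb74f5f66d2d9c0dd99f2741fba1",
    "8755e8f540d300eb160d08cb5905f4b4d1a9b9074c654e07dbacf6125ebd2e77",
    "3d2724a090b749f03b1e6b172601cd871f3cea251b2c4b9daf055c1ea4dd73bd",
    "c5ab2d9e345a8c3ac951d0446fc7ba3c9fc2bc39966236e8ef8a8efcad0f9958",
}

NET_IMAGES = ("\\net.exe", "\\net1.exe")
# Matches "net stop foo", "C:\Windows\system32\net1 start foo", quoted or not.
NET_SVC_RE = re.compile(r'^"?[^"\s]*\bnet1?(?:\.exe)?"?\s+(stop|start)\s+(\S+)', re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\027b14061de47592fa830ca44fa44db596a337b77d8b9345c7c13434aff02c73.exe"

# Constructed sample events modelled on the report's process tree (EID 1 =
# process create, EID 11 = file create).  Parent PID 2200, PIDs 5000/5100 and
# the Hashes values attached to each file are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3796, "ParentProcessId": 2200, "Image": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"EventID": 1, "ProcessId": 444, "ParentProcessId": 3796, "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": "net stop nethttpservice"},
    {"EventID": 1, "ProcessId": 3932, "ParentProcessId": 444, "Image": r"C:\Windows\SysWOW64\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 stop nethttpservice"},
    {"EventID": 11, "ProcessId": 3796, "TargetFilename": r"C:\Windows\system32\drivers\nethfdrv.sys",
     "Hashes": "SHA256=1448ae24bebe4b3119cc0dd7c64669da1499f054498d87f51966f983976bb9e5"},
    {"EventID": 11, "ProcessId": 3796, "TargetFilename": r"C:\Windows\SysWOW64\installd.exe",
     "Hashes": "MD5=96eff169d20a03e77c9f56b754b3ef6f,SHA256=bab35e90b6f30113c8a4076c36c269db0174cb74f5f66d2d9c0dd99f2741fba1"},
    {"EventID": 11, "ProcessId": 3796, "TargetFilename": r"C:\Windows\SysWOW64\hfnapi.dll",
     "Hashes": "SHA256=" + "0" * 64},  # constructed: a dropped path whose hash is not in the report
    {"EventID": 1, "ProcessId": 1472, "ParentProcessId": 3796, "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": "net start nethttpservice"},
    {"EventID": 1, "ProcessId": 540, "ParentProcessId": 1472, "Image": r"C:\Windows\SysWOW64\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 start nethttpservice"},
    # Control case: an admin restarting the print spooler with no file drops must not fire.
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 5000, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net start spooler"},
]


def _sha256(hashes):
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def _launcher(pid, parent_of, image_of):
    """Walk up past net.exe/net1.exe so a 'net1 stop x' is credited to the real caller."""
    cur = parent_of.get(pid)
    while cur is not None and image_of.get(cur, "").lower().endswith(NET_IMAGES):
        cur = parent_of.get(cur)
    return cur if cur is not None else pid


def analyze(events):
    """Group indicators per process: driver drops, PE drops, service ops, report matches."""
    parent_of, image_of = {}, {}
    procs = defaultdict(lambda: {"driver_drops": [], "pe_drops": [], "service_ops": set(),
                                 "report_paths": [], "report_hashes": []})
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            parent_of[pid] = ev["ParentProcessId"]
            image_of[pid] = ev["Image"]
            m = NET_SVC_RE.match(ev["CommandLine"])
            if m and ev["Image"].lower().endswith(NET_IMAGES):
                owner = _launcher(pid, parent_of, image_of)
                procs[owner]["service_ops"].add((m.group(1).lower(), m.group(2).lower()))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            p = procs[pid]
            if target in REPORT_PATHS:
                p["report_paths"].append(target)
            if "\\drivers\\" in target and target.endswith(".sys"):
                p["driver_drops"].append(target)
            elif target.endswith((".exe", ".dll", ".sys")) and ("\\system32\\" in target or "\\syswow64\\" in target):
                p["pe_drops"].append(target)
            sha = _sha256(ev.get("Hashes", ""))
            if sha in REPORT_SHA256:
                p["report_hashes"].append(sha)
    return procs


def verdict(procs):
    """Return {pid: [reasons]} for processes that both drop binaries and (re)start services."""
    hits = {}
    for pid, p in procs.items():
        ops = {op for op, _ in p["service_ops"]}
        names = {name for _, name in p["service_ops"]}
        if not ((p["driver_drops"] or p["pe_drops"]) and ops):
            continue  # the combination is the signal; either half alone is common admin activity
        reasons = []
        if p["driver_drops"]:
            reasons.append("writes kernel driver(s): " + ", ".join(p["driver_drops"]))
        if p["pe_drops"]:
            reasons.append("drops %d PE file(s) into System32/SysWOW64" % len(p["pe_drops"]))
        verb = "stops then starts" if {"stop", "start"} <= ops else "manipulates"
        reasons.append("%s services via net.exe: %s" % (verb, ", ".join(sorted(names))))
        if names & REPORT_SERVICES:
            reasons.append("service name(s) match this report: " + ", ".join(sorted(names & REPORT_SERVICES)))
        if p["report_paths"]:
            reasons.append("%d dropped path(s) match this report" % len(p["report_paths"]))
        if p["report_hashes"]:
            reasons.append("%d dropped file hash(es) match this report" % len(p["report_hashes"]))
        hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in verdict(analyze(SAMPLE_EVENTS)).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("  -", r)
```

On real telemetry, feed `analyze` the EID 1 and EID 11 records of a host in time order; the per-process combination of a driver or PE drop with a stop/start of the same services is what separates this installer from routine `net start` use, and the exact-path and hash sets are the narrow IoC layer on top of that behavioural rule.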
Network
MITRE ATT&CK Enterprise v6
Downloads

Files captured from the run. The sandbox lists one entry per write event; identical entries are collapsed below with their count (24 entries, 7 distinct files). The report does not say which of the dropped paths above each file corresponds to.

File 1  (11KB, listed 1 time)
  MD5:    c17103ae9072a06da581dec998343fc1
  SHA1:   b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

File 2  (6KB, listed 8 times)
  MD5:    acc2b699edfea5bf5aae45aba3a41e96
  SHA1:   d2accf4d494e43ceb2cff69abe4dd17147d29cc2
  SHA256: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
  SHA512: e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

File 3  (106KB, listed 4 times)
  MD5:    0ce6aa901dc0e4bcace6c0158f7653a9
  SHA1:   9ea90020d63fa8b9c184ec7540dc110ac9cddef9
  SHA256: 1448ae24bebe4b3119cc0dd7c64669da1499f054498d87f51966f983976bb9e5
  SHA512: c98a76a320781c55c0bd5c001d09a20221387320c19af89652a099e2a7edb1ed5f5ab139f77e4856fdbb2b91cb06733e18de239755abc66e66c80b0c2924bda0

File 4  (241KB, listed 3 times)
  MD5:    96eff169d20a03e77c9f56b754b3ef6f
  SHA1:   bff59966da2c4bf38d40c95b55ffd1367e5b6b8d
  SHA256: bab35e90b6f30113c8a4076c36c269db0174cb74f5f66d2d9c0dd99f2741fba1
  SHA512: cefa7a4f92380e26b4f0471db52b8b7a9de8a40acc50a852185c9c3ff503b226eae276cf7fa26a5652d670d9b8913b23ffcd6f965dc7ac3bcb630af04ab2bd16

File 5  (108KB, listed 2 times)
  MD5:    0c17c62323abaa69572023a46faeaa14
  SHA1:   15a01473df039afa730c7724e36c40b47b532648
  SHA256: 8755e8f540d300eb160d08cb5905f4b4d1a9b9074c654e07dbacf6125ebd2e77
  SHA512: 026962106a487295a7cfda02dce6966af2afb2b5445a3ad4679927da8abbbdec7ab650a4027862dea21cdde87f0cb0374eac975fd269d5a62ae068bc95fce9e8

File 6  (176KB, listed 3 times)
  MD5:    024bfbecace767da815df5234b941bda
  SHA1:   157ac55d3c76712af297e34a07211f8aeffea21f
  SHA256: 3d2724a090b749f03b1e6b172601cd871f3cea251b2c4b9daf055c1ea4dd73bd
  SHA512: 3ea461cc5a309c58f864829b04ea21f2e0fa677a21d37a2969d48eba33e2787e893f4eda857257213c325f478097885d3855c7b7a366a1777560bdbfde42c479

File 7  (158KB, listed 3 times)
  MD5:    e059105e223169894af545086818bd9e
  SHA1:   f97cc17aeed63e750b24ceec36a2485eb0e58e01
  SHA256: c5ab2d9e345a8c3ac951d0446fc7ba3c9fc2bc39966236e8ef8a8efcad0f9958
  SHA512: 6f7ee19d96c84f760b4aa02e0d05508976ec8571f2e176eea79e7c19478c9f69c07d0591cca9ae785174d2385b81e2f798131fad01093467ff86e65cf93a211c