f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb

Analysis

max time kernel
173s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
Size

447KB
MD5

12ece7bcc20a84b8ec76fa38956fc83d
SHA1

d792aa2f94f6f0894f36e6fb3c44df92075c45d0
SHA256

f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb
SHA512

b39ab2891a90eb38430852f7d541f762c2b7ca653022dea69923bee3db0c3035f7473142b01c0eff85b688c48153de951f7a6ac113735d00293f5cf524b2ceb0
SSDEEP

6144:XzfvgjEDTALTY/I//CHeXdMldC5QP6gCtVwjFGzjSsMr+yhxslm5dOZNjBaHCL:TWtLMACHeSHL6Ftu0CbSybmNl9L

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

1504 installd.exe
864 nethtsrv.exe
1248 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe

pid	process
1504	installd.exe
864	nethtsrv.exe
1248	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exeinstalld.exenethtsrv.exe

pid	process
584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
1504	installd.exe
584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
864	nethtsrv.exe
864	nethtsrv.exe
584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\nethtsrv.exe	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
File created	C:\Windows\SysWOW64\installd.exe	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe

Drops file in Program Files directory 3 IoCs

Processes:

f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exenet.exenet.exe

description	pid	process	target process
PID 584 wrote to memory of 520	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 584 wrote to memory of 520	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 584 wrote to memory of 520	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 584 wrote to memory of 520	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 520 wrote to memory of 1940	520	net.exe	net1.exe
PID 520 wrote to memory of 1940	520	net.exe	net1.exe
PID 520 wrote to memory of 1940	520	net.exe	net1.exe
PID 520 wrote to memory of 1940	520	net.exe	net1.exe
PID 584 wrote to memory of 756	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 584 wrote to memory of 756	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 584 wrote to memory of 756	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 584 wrote to memory of 756	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	net.exe
PID 756 wrote to memory of 1696	756	net.exe	net1.exe
PID 756 wrote to memory of 1696	756	net.exe	net1.exe
PID 756 wrote to memory of 1696	756	net.exe	net1.exe
PID 756 wrote to memory of 1696	756	net.exe	net1.exe
PID 584 wrote to memory of 1504	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	installd.exe
PID 584 wrote to memory of 1504	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	installd.exe
PID 584 wrote to memory of 1504	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	installd.exe
PID 584 wrote to memory of 1504	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	installd.exe
PID 584 wrote to memory of 1504	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	installd.exe
PID 584 wrote to memory of 1504	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	installd.exe
PID 584 wrote to memory of 1504	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	installd.exe
PID 584 wrote to memory of 864	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	nethtsrv.exe
PID 584 wrote to memory of 864	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	nethtsrv.exe
PID 584 wrote to memory of 864	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	nethtsrv.exe
PID 584 wrote to memory of 864	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	nethtsrv.exe
PID 584 wrote to memory of 1248	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	netupdsrv.exe
PID 584 wrote to memory of 1248	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	netupdsrv.exe
PID 584 wrote to memory of 1248	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	netupdsrv.exe
PID 584 wrote to memory of 1248	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	netupdsrv.exe
PID 584 wrote to memory of 1248	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	netupdsrv.exe
PID 584 wrote to memory of 1248	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	netupdsrv.exe
PID 584 wrote to memory of 1248	584	f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe
"C:\Users\Admin\AppData\Local\Temp\f48b4fe7f505da8a6bb94bec6866443217c3f93072a28f933a9c33c7503086eb.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1696

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
05645079892e310fbbc413b1e7b046bc

SHA1
93af80fbea055961489ebb1ab87103ac9a072882

SHA256
130824e9575ef469c021fbc2e01957541b8141f4d430efe8ee9696b6bcf2bb02

SHA512
9275103ac57aec035d7ae9eeca918ffadf556b526b3bb38d51f8d6f0e4c5859561ea4e8cdb15d48505638b3ef06e6ec0599b996dc03ae7563ae2cf41757812d0

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
3ca51dee456ce30ae5854e64c90bcf70

SHA1
5e92820e8acb77c8e181724bdf528f7e6c20030f

SHA256
8cb8460a9507b9d6aa87fb636dc6d139a01183bdeed23abebb76824c2f4820e1

SHA512
7ef2f7c117ea5c51ef999111085cd13c156bd47dd50965c4a88c0668b5c1948262453fa6a3b6e0c3e02fa9a38824bd4f3646bcc46c3ed8dadf116260be2c7acd

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
0227d0f9482144a0848f78a2f9345b90

SHA1
3d03bf878ce3fff92e9a938bab67abe43ec7e78b

SHA256
0051a57aa8561a0155b8376c0850e6003d5122bb63ef929d1d9651d9ee89fa8c

SHA512
ce74d506ef8ceacd5a3d2a4c0810e79fcdd2923b1e15b2db4c3464e7a55331414aedd46fe4e500e15a4c1a786bbde79c3436f24d8e195755aacd296fb4577ab1

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
6b07e52bcf2919a34fea8cf324086d40

SHA1
06a510b7d9eb232500a2f6cbfa2cf9547ae04659

SHA256
e5238ee78047cee42458f1e98dde1e24ce145737db21dea36f72669eb2268fce

SHA512
9a47dfa8b0ce53f457abe03d33e564735e837afdc684343906324addb10f7bc44da9c5c0268d4cb748343dd6ced389d167fefd959281a50af8f1d91c6f69796b

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
0b22c5710adc056ab41515303577fd30

SHA1
2e9cb2269002cbf012685687547348835ffe1f90

SHA256
fe668a20d2330646acf0360d0cd4d036c38d28c3d29de587701aaed6ae9339ce

SHA512
38d361b881e511eac6143e97e45bdd3ad8ff095a55cc0fa1c43e324bd3393e8f5249a2b47b2d9a582a8a3ca714ccaf24754bb5835d72167e49a554f2a390b7ed

Download Submit
\Users\Admin\AppData\Local\Temp\nsj55B1.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj55B1.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj55B1.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
05645079892e310fbbc413b1e7b046bc

SHA1
93af80fbea055961489ebb1ab87103ac9a072882

SHA256
130824e9575ef469c021fbc2e01957541b8141f4d430efe8ee9696b6bcf2bb02

SHA512
9275103ac57aec035d7ae9eeca918ffadf556b526b3bb38d51f8d6f0e4c5859561ea4e8cdb15d48505638b3ef06e6ec0599b996dc03ae7563ae2cf41757812d0

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
05645079892e310fbbc413b1e7b046bc

SHA1
93af80fbea055961489ebb1ab87103ac9a072882

SHA256
130824e9575ef469c021fbc2e01957541b8141f4d430efe8ee9696b6bcf2bb02

SHA512
9275103ac57aec035d7ae9eeca918ffadf556b526b3bb38d51f8d6f0e4c5859561ea4e8cdb15d48505638b3ef06e6ec0599b996dc03ae7563ae2cf41757812d0

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
3ca51dee456ce30ae5854e64c90bcf70

SHA1
5e92820e8acb77c8e181724bdf528f7e6c20030f

SHA256
8cb8460a9507b9d6aa87fb636dc6d139a01183bdeed23abebb76824c2f4820e1

SHA512
7ef2f7c117ea5c51ef999111085cd13c156bd47dd50965c4a88c0668b5c1948262453fa6a3b6e0c3e02fa9a38824bd4f3646bcc46c3ed8dadf116260be2c7acd

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
0227d0f9482144a0848f78a2f9345b90

SHA1
3d03bf878ce3fff92e9a938bab67abe43ec7e78b

SHA256
0051a57aa8561a0155b8376c0850e6003d5122bb63ef929d1d9651d9ee89fa8c

SHA512
ce74d506ef8ceacd5a3d2a4c0810e79fcdd2923b1e15b2db4c3464e7a55331414aedd46fe4e500e15a4c1a786bbde79c3436f24d8e195755aacd296fb4577ab1

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
6b07e52bcf2919a34fea8cf324086d40

SHA1
06a510b7d9eb232500a2f6cbfa2cf9547ae04659

SHA256
e5238ee78047cee42458f1e98dde1e24ce145737db21dea36f72669eb2268fce

SHA512
9a47dfa8b0ce53f457abe03d33e564735e837afdc684343906324addb10f7bc44da9c5c0268d4cb748343dd6ced389d167fefd959281a50af8f1d91c6f69796b

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
0b22c5710adc056ab41515303577fd30

SHA1
2e9cb2269002cbf012685687547348835ffe1f90

SHA256
fe668a20d2330646acf0360d0cd4d036c38d28c3d29de587701aaed6ae9339ce

SHA512
38d361b881e511eac6143e97e45bdd3ad8ff095a55cc0fa1c43e324bd3393e8f5249a2b47b2d9a582a8a3ca714ccaf24754bb5835d72167e49a554f2a390b7ed

Download Submit
memory/520-57-0x0000000000000000-mapping.dmp

Download
memory/584-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/756-60-0x0000000000000000-mapping.dmp

Download
memory/864-69-0x0000000000000000-mapping.dmp

Download
memory/1248-75-0x0000000000000000-mapping.dmp

Download
memory/1504-63-0x0000000000000000-mapping.dmp

Download
memory/1696-61-0x0000000000000000-mapping.dmp

Download
memory/1940-58-0x0000000000000000-mapping.dmp

Download