fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb

Analysis

max time kernel
275s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
Size

445KB
MD5

23c6c2600fe2ab7792af388ed525525e
SHA1

ff0ffcbf0db9e343551e9d7e4529481773577cc2
SHA256

fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb
SHA512

3ccfcde3a7b4eb1befb9c19884bd9df8c3f5f77de44e0c42a7281c2446227a018e5479a3d7df732e062d18a798e924ff4cc9caf8569daa081285f3143fdce8f1
SSDEEP

12288:MucPqvfNupc1+p4vl4J4hrrcOddl38HE1LvEvnKQXt/p1kLsF:M6vfNyAlg4dT3X1LYnZz1kLsF

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
Executes dropped EXE 2 IoCs

Processes:

installd.exenethtsrv.exe

pid process

4376 installd.exe
3928 nethtsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe

pid	process
4376	installd.exe
3928	nethtsrv.exe

Loads dropped DLL 8 IoCs

Processes:

fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exeinstalld.exenethtsrv.exe

pid	process
2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
4376	installd.exe
3928	nethtsrv.exe
3928	nethtsrv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\netupdsrv.exe	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
File created	C:\Windows\SysWOW64\installd.exe	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe

Drops file in Program Files directory 3 IoCs

Processes:

fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exenet.exenet.exe

description	pid	process	target process
PID 2396 wrote to memory of 1372	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	net.exe
PID 2396 wrote to memory of 1372	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	net.exe
PID 2396 wrote to memory of 1372	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	net.exe
PID 1372 wrote to memory of 4900	1372	net.exe	net1.exe
PID 1372 wrote to memory of 4900	1372	net.exe	net1.exe
PID 1372 wrote to memory of 4900	1372	net.exe	net1.exe
PID 2396 wrote to memory of 1596	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	net.exe
PID 2396 wrote to memory of 1596	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	net.exe
PID 2396 wrote to memory of 1596	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	net.exe
PID 1596 wrote to memory of 1848	1596	net.exe	net1.exe
PID 1596 wrote to memory of 1848	1596	net.exe	net1.exe
PID 1596 wrote to memory of 1848	1596	net.exe	net1.exe
PID 2396 wrote to memory of 4376	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	installd.exe
PID 2396 wrote to memory of 4376	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	installd.exe
PID 2396 wrote to memory of 4376	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	installd.exe
PID 2396 wrote to memory of 3928	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	nethtsrv.exe
PID 2396 wrote to memory of 3928	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	nethtsrv.exe
PID 2396 wrote to memory of 3928	2396	fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe	nethtsrv.exe

C:\Users\Admin\AppData\Local\Temp\fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe
"C:\Users\Admin\AppData\Local\Temp\fc2631d49f26e2e5397283f6f1151e17cdbdd28f5f867f05572f38d513e046bb.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:4900

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1848

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4376

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsvEC41.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvEC41.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvEC41.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvEC41.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvEC41.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
418927d3699cbf6f15d3b1b2a8e4114d

SHA1
54f66840b8c504c8ae8a8cfb7913f71a80a47d77

SHA256
edc310b5bc4622b654291a8cac20ceb73d483962eebe61d355424f5905c2a9d7

SHA512
3eb30733e2c426c868c644a5ced5a56ae36b8052f740c645a9ab5087baae3aca58e3c1ebb18b315e3dbde91bc37793ab17fb57d3178679f9922ecce2cc2ea4cf

Download Submit
C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
418927d3699cbf6f15d3b1b2a8e4114d

SHA1
54f66840b8c504c8ae8a8cfb7913f71a80a47d77

SHA256
edc310b5bc4622b654291a8cac20ceb73d483962eebe61d355424f5905c2a9d7

SHA512
3eb30733e2c426c868c644a5ced5a56ae36b8052f740c645a9ab5087baae3aca58e3c1ebb18b315e3dbde91bc37793ab17fb57d3178679f9922ecce2cc2ea4cf

Download Submit
C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
418927d3699cbf6f15d3b1b2a8e4114d

SHA1
54f66840b8c504c8ae8a8cfb7913f71a80a47d77

SHA256
edc310b5bc4622b654291a8cac20ceb73d483962eebe61d355424f5905c2a9d7

SHA512
3eb30733e2c426c868c644a5ced5a56ae36b8052f740c645a9ab5087baae3aca58e3c1ebb18b315e3dbde91bc37793ab17fb57d3178679f9922ecce2cc2ea4cf

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
e750b8b7842a4ad337cf582c796212df

SHA1
f98ce3b882f5d68a81e710ee2667ee0a3e8d3ba0

SHA256
496cc62a3b6790a3e06c8481ad7c951227a0ed834c2d4a2f3970377a5e481bce

SHA512
ea2bbeb72d08052b7a5a25c1fb7d95b678825ccd484f6b7270e87b0be28e3d9653d6c55e579fada24aacde8663bea1ec005b29de3d849589a0db5769a306ad7a

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
e750b8b7842a4ad337cf582c796212df

SHA1
f98ce3b882f5d68a81e710ee2667ee0a3e8d3ba0

SHA256
496cc62a3b6790a3e06c8481ad7c951227a0ed834c2d4a2f3970377a5e481bce

SHA512
ea2bbeb72d08052b7a5a25c1fb7d95b678825ccd484f6b7270e87b0be28e3d9653d6c55e579fada24aacde8663bea1ec005b29de3d849589a0db5769a306ad7a

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
6a8ed3ce9d3a8cc786a989e5eb62dbe9

SHA1
5915faf8ad766d3025f566f0cd4af05c394f5a5c

SHA256
dfdb05d1f452b19f9aa2f12948cf4358b46c5af82af177d3afade0692cb8e8ce

SHA512
0b6a6c8d2bb4e2888db884ebba2cbb027f1bd1436d73b8a0d88c621324b13094bdcc4b5a3005bf84d5b780b4129c068ad2b2d1f11f33be7e190e7ae6171189a8

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
6a8ed3ce9d3a8cc786a989e5eb62dbe9

SHA1
5915faf8ad766d3025f566f0cd4af05c394f5a5c

SHA256
dfdb05d1f452b19f9aa2f12948cf4358b46c5af82af177d3afade0692cb8e8ce

SHA512
0b6a6c8d2bb4e2888db884ebba2cbb027f1bd1436d73b8a0d88c621324b13094bdcc4b5a3005bf84d5b780b4129c068ad2b2d1f11f33be7e190e7ae6171189a8

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
bb7e8c5ff88d0cef4a2a62c8d869456b

SHA1
e55ba0217669bfecee4af474ece48c4d40b19f14

SHA256
3df1392e86c4cde4d8b0c5efa4dd20cd21b948906c4acabdf9950cefec216228

SHA512
c8d448eaa08a7a9f8e585b92a2ca25ed16393fa73c58f29b6e35a47627cad3ccda6d247143d0a5099716a782db17e7bdb7e8673ca476e709d04c186224e25c05

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
bb7e8c5ff88d0cef4a2a62c8d869456b

SHA1
e55ba0217669bfecee4af474ece48c4d40b19f14

SHA256
3df1392e86c4cde4d8b0c5efa4dd20cd21b948906c4acabdf9950cefec216228

SHA512
c8d448eaa08a7a9f8e585b92a2ca25ed16393fa73c58f29b6e35a47627cad3ccda6d247143d0a5099716a782db17e7bdb7e8673ca476e709d04c186224e25c05

Download Submit
memory/1372-135-0x0000000000000000-mapping.dmp

Download
memory/1596-139-0x0000000000000000-mapping.dmp

Download
memory/1848-140-0x0000000000000000-mapping.dmp

Download
memory/3928-146-0x0000000000000000-mapping.dmp

Download
memory/4376-141-0x0000000000000000-mapping.dmp

Download
memory/4900-136-0x0000000000000000-mapping.dmp

Download