d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01

Analysis

max time kernel
266s
max time network
341s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
Size

445KB
MD5

9930389f759b81f8facb1bf64b0d9646
SHA1

ebc422114f3d1b0858e9d4f7c90197a71223f72e
SHA256

d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01
SHA512

1bf042eb3592a4b9136849add5867dc3f369b2b086ebefeca7be62668af3f83d88809265fc1b2ccfca494cab33e90411fc50da952b21cb5d68db7d681ce3b0d4
SSDEEP

6144:Xzfv2mUpQBJNfhOVQ0WJL6xwamCJYZAd24nvxQbGaZYGNdIwAzhw2yC0DaOGci1A:j2OZOVQRqi3/4nvxQboNzmBMPzqVv2OZ

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

2368 installd.exe
2828 nethtsrv.exe
3488 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe

pid	process
2368	installd.exe
2828	nethtsrv.exe
3488	netupdsrv.exe

Loads dropped DLL 10 IoCs

Processes:

d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exeinstalld.exenethtsrv.exe

pid	process
2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
2368	installd.exe
2828	nethtsrv.exe
2828	nethtsrv.exe
2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe

Drops file in Program Files directory 3 IoCs

Processes:

d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exenet.exenet.exe

description	pid	process	target process
PID 2088 wrote to memory of 4156	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	net.exe
PID 2088 wrote to memory of 4156	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	net.exe
PID 2088 wrote to memory of 4156	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	net.exe
PID 4156 wrote to memory of 772	4156	net.exe	net1.exe
PID 4156 wrote to memory of 772	4156	net.exe	net1.exe
PID 4156 wrote to memory of 772	4156	net.exe	net1.exe
PID 2088 wrote to memory of 4408	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	net.exe
PID 2088 wrote to memory of 4408	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	net.exe
PID 2088 wrote to memory of 4408	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	net.exe
PID 4408 wrote to memory of 4412	4408	net.exe	net1.exe
PID 4408 wrote to memory of 4412	4408	net.exe	net1.exe
PID 4408 wrote to memory of 4412	4408	net.exe	net1.exe
PID 2088 wrote to memory of 2368	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	installd.exe
PID 2088 wrote to memory of 2368	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	installd.exe
PID 2088 wrote to memory of 2368	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	installd.exe
PID 2088 wrote to memory of 2828	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	nethtsrv.exe
PID 2088 wrote to memory of 2828	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	nethtsrv.exe
PID 2088 wrote to memory of 2828	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	nethtsrv.exe
PID 2088 wrote to memory of 3488	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	netupdsrv.exe
PID 2088 wrote to memory of 3488	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	netupdsrv.exe
PID 2088 wrote to memory of 3488	2088	d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe
"C:\Users\Admin\AppData\Local\Temp\d4d3ef1b6d9c7080b11d05ad8081b7ae9f54fcfd3dbcb28623d1c45b36a75a01.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:772

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:4412

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfC656.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC656.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC656.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC656.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC656.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC656.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC656.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
5062bb7b1646fc145f2980dc115dc76b

SHA1
6101276f0c8c490c641c382ec5275f0ff30c4368

SHA256
56b4047b770c0b54e440d70eee480faa451956a298b790add1f0265292c004a7

SHA512
1cef2082dd2693a55bac43f0d29bf75c619d7da5ef63b0809aedc9c160330f217c73c68fea12dbfbdf667f1127cb3f10275b9efe805c64cf957791fab787f116

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
5062bb7b1646fc145f2980dc115dc76b

SHA1
6101276f0c8c490c641c382ec5275f0ff30c4368

SHA256
56b4047b770c0b54e440d70eee480faa451956a298b790add1f0265292c004a7

SHA512
1cef2082dd2693a55bac43f0d29bf75c619d7da5ef63b0809aedc9c160330f217c73c68fea12dbfbdf667f1127cb3f10275b9efe805c64cf957791fab787f116

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
5062bb7b1646fc145f2980dc115dc76b

SHA1
6101276f0c8c490c641c382ec5275f0ff30c4368

SHA256
56b4047b770c0b54e440d70eee480faa451956a298b790add1f0265292c004a7

SHA512
1cef2082dd2693a55bac43f0d29bf75c619d7da5ef63b0809aedc9c160330f217c73c68fea12dbfbdf667f1127cb3f10275b9efe805c64cf957791fab787f116

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
426b16ced6c3aaa1452333ec899a7c16

SHA1
c26473b2a833fe04040cfa1272002618ae6063f8

SHA256
3fbc97af0b560fcf45ac08e43c0b2c9e1be5a4aaa117f6c6b789a6cc0b921d45

SHA512
683b9e4b875022c0e20f64c89781f69b3d7817637807680b46dbc2f2ee84b5a39357c29591eff2ebe9919d605b1ff0e1c43396b54a2c90e209c0436f68b9315b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
426b16ced6c3aaa1452333ec899a7c16

SHA1
c26473b2a833fe04040cfa1272002618ae6063f8

SHA256
3fbc97af0b560fcf45ac08e43c0b2c9e1be5a4aaa117f6c6b789a6cc0b921d45

SHA512
683b9e4b875022c0e20f64c89781f69b3d7817637807680b46dbc2f2ee84b5a39357c29591eff2ebe9919d605b1ff0e1c43396b54a2c90e209c0436f68b9315b

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
fd4ef588e7de1bdc639e2adfca25ba44

SHA1
56bf79d4e684eb3c8f1d9aa82f355e9293f2b170

SHA256
03d3a4c27a3320e7ea18010dd88fddd95e1d906756346aed037e854b6b8875e1

SHA512
cb5778ec41debdc57d9c5768a6b2859f89b9f1743e5c61514508854b64359184f0523888c50a2b3d10f67010087b0b77e333bcba018ef06b9c7decb0e28f4dab

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
fd4ef588e7de1bdc639e2adfca25ba44

SHA1
56bf79d4e684eb3c8f1d9aa82f355e9293f2b170

SHA256
03d3a4c27a3320e7ea18010dd88fddd95e1d906756346aed037e854b6b8875e1

SHA512
cb5778ec41debdc57d9c5768a6b2859f89b9f1743e5c61514508854b64359184f0523888c50a2b3d10f67010087b0b77e333bcba018ef06b9c7decb0e28f4dab

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
eb52661ee1bf1489a6b1c0dee28c03b9

SHA1
ed5fbba6695055586c07d86dcd891a09cc309007

SHA256
133fd3dcf4353af4a7090303bdabc07d615c153ddd0404b399fa18c534ceee4e

SHA512
e33cee6cb075d1ac9f08143550d3f9932a34e3addda7ec8ecbff440bd4187a030893a84d0bd2c95fc8f9c502e04c552f0077b1ac6d8d98008cdbea6d1fbaf0df

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
eb52661ee1bf1489a6b1c0dee28c03b9

SHA1
ed5fbba6695055586c07d86dcd891a09cc309007

SHA256
133fd3dcf4353af4a7090303bdabc07d615c153ddd0404b399fa18c534ceee4e

SHA512
e33cee6cb075d1ac9f08143550d3f9932a34e3addda7ec8ecbff440bd4187a030893a84d0bd2c95fc8f9c502e04c552f0077b1ac6d8d98008cdbea6d1fbaf0df

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
f590e89c0b2ef32f05c6983004ff44df

SHA1
1af3993ddd592b1b5087e2f93f2e10e7a8f2a4c5

SHA256
26eb353f95415a8ae5b1a6f0d4ff83cf297ccc50415029bad1b91a2a121a03c3

SHA512
b8037f6967060ea9cc1d1062a99534ac31dbcfaf57585c841dcf9c44c97b7c033d8d43276c38884ae96387da0a75c9c266e39d2bd23e90ba6e39b8074a10a3e9

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
f590e89c0b2ef32f05c6983004ff44df

SHA1
1af3993ddd592b1b5087e2f93f2e10e7a8f2a4c5

SHA256
26eb353f95415a8ae5b1a6f0d4ff83cf297ccc50415029bad1b91a2a121a03c3

SHA512
b8037f6967060ea9cc1d1062a99534ac31dbcfaf57585c841dcf9c44c97b7c033d8d43276c38884ae96387da0a75c9c266e39d2bd23e90ba6e39b8074a10a3e9

Download Submit
memory/772-136-0x0000000000000000-mapping.dmp

Download
memory/2368-141-0x0000000000000000-mapping.dmp

Download
memory/2828-146-0x0000000000000000-mapping.dmp

Download
memory/3488-152-0x0000000000000000-mapping.dmp

Download
memory/4156-135-0x0000000000000000-mapping.dmp

Download
memory/4408-139-0x0000000000000000-mapping.dmp

Download
memory/4412-140-0x0000000000000000-mapping.dmp

Download