83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59

Analysis

max time kernel
225s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
Size

445KB
MD5

e51801717048b502fa213fee3a73cb84
SHA1

21a0d0d591238b0fac03d7bc45ac35609e102b69
SHA256

83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59
SHA512

2780351054d7ac9e96eac76be604a84d27cbb30f8df62b94736919ecfa6b00abc5e1b4d9d8a374a2fdccfeefa3e540fed17d124e58f7c95cba9219b47d8b3bd9
SSDEEP

6144:XzftF6bSb+w6tRj4aVrYvmXVeV/AJJVz7+EXex/oosO7eagpAUzGcqx3TG38dmFN:BUWbmtxVrYvml1JVXIgpURw84FN

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
Executes dropped EXE 3 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exe

pid process

1620 installd.exe
756 nethtsrv.exe
784 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe

pid	process
1620	installd.exe
756	nethtsrv.exe
784	netupdsrv.exe

Loads dropped DLL 9 IoCs

Processes:

83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exeinstalld.exenethtsrv.exe

pid	process
1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
1620	installd.exe
1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
756	nethtsrv.exe
756	nethtsrv.exe
1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
File created	C:\Windows\SysWOW64\installd.exe	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe

Drops file in Program Files directory 3 IoCs

Processes:

83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exenet.exenet.exe

description	pid	process	target process
PID 1836 wrote to memory of 900	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 1836 wrote to memory of 900	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 1836 wrote to memory of 900	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 1836 wrote to memory of 900	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 900 wrote to memory of 924	900	net.exe	net1.exe
PID 900 wrote to memory of 924	900	net.exe	net1.exe
PID 900 wrote to memory of 924	900	net.exe	net1.exe
PID 900 wrote to memory of 924	900	net.exe	net1.exe
PID 1836 wrote to memory of 1764	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 1836 wrote to memory of 1764	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 1836 wrote to memory of 1764	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 1836 wrote to memory of 1764	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	net.exe
PID 1764 wrote to memory of 1784	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1784	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1784	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1784	1764	net.exe	net1.exe
PID 1836 wrote to memory of 1620	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	installd.exe
PID 1836 wrote to memory of 1620	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	installd.exe
PID 1836 wrote to memory of 1620	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	installd.exe
PID 1836 wrote to memory of 1620	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	installd.exe
PID 1836 wrote to memory of 1620	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	installd.exe
PID 1836 wrote to memory of 1620	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	installd.exe
PID 1836 wrote to memory of 1620	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	installd.exe
PID 1836 wrote to memory of 756	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	nethtsrv.exe
PID 1836 wrote to memory of 756	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	nethtsrv.exe
PID 1836 wrote to memory of 756	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	nethtsrv.exe
PID 1836 wrote to memory of 756	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	nethtsrv.exe
PID 1836 wrote to memory of 784	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	netupdsrv.exe
PID 1836 wrote to memory of 784	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	netupdsrv.exe
PID 1836 wrote to memory of 784	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	netupdsrv.exe
PID 1836 wrote to memory of 784	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	netupdsrv.exe
PID 1836 wrote to memory of 784	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	netupdsrv.exe
PID 1836 wrote to memory of 784	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	netupdsrv.exe
PID 1836 wrote to memory of 784	1836	83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe	netupdsrv.exe

C:\Users\Admin\AppData\Local\Temp\83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe
"C:\Users\Admin\AppData\Local\Temp\83000da22b715f1278d9fad1b8bcdc529ab49d36a1ff49678f143ec68e044e59.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:924

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1784

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:756

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
8c51da32e0cf7c7fb3d61e65cda16454

SHA1
7be78d37b9e69064bb54faac889c21fff37aa929

SHA256
c27cf476a631ec9063cd2e31eae4bbbd15428d521672e6bccb36912c1f6e6429

SHA512
d88a7812b513b044620634405a57e8e06d3a9a0f536211a3ef39e4b4e9c0b93a692df3d3973786be72ce52389141afc8f5e455e42c12ba8d5cd13190e45e9807

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
d2351c0a8aad7dac959fef2a1b1d0878

SHA1
6ff8076b58530e334a0439c1a122cfe5d93febb1

SHA256
a64193f6833e35684810421d1dc5e9bb69c0b347abbb76e10086ba44b065c5d8

SHA512
24f2769581e24dbb8221e6eacd0c3b6dea73972ac52078dc71b2eca80250327e5e54eb084035594ea56b30df861f795885392440be357d3304e978eb151df6f7

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
9fd9d261116b41ed32f576b0e4d309cc

SHA1
4b6db678766e80964fcc8062154cf88bcf371df2

SHA256
edf02ded35cab4cf1ec1a90c682d3dd3efaf7f467df3de947da9c476517653bc

SHA512
d1d931374c5ace7af63989f0caab998d1bf974ffadceff027341b237b9ebe0ac72416eb7df00fd7b4d11fd89b09ff7cbad93a4e64eea9c8bf37181cc420fd5a1

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9461c89b0696d17dc0b44e8ce5930a1c

SHA1
4cff6947c89a6fe1e45703d0c5dc7dc3f7eb2127

SHA256
5c9abc2f134183ee1d8ed59f4996d32b7da90cc1ec8d27e291b413ca3ef4dc16

SHA512
a0bd9f6ae24c0a8b4c2de7d145ea0b08ed47ee985599a59e715398e55dc219057ae3c7ef42976613da5866b261e7dd9c0a9f317020db4a339ac0b0fc8794c4b6

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
70c7174f425edf4e63070438a04b301b

SHA1
3257b3e10b2add66db4c6207cff25eb261c7da4f

SHA256
f385eb19f0dcc5980272051dd0c12c23e709dd1e1d82ef82ce394b727cbcb5b4

SHA512
9e92db8cc998c90208a9fd13af8405bba05c1312ca2a65f586987e96b168f6a2962d1f49dea939c75188195dbe7122bdc2c7d4ea937d3dfbcb73b36e33b94e18

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5EA7.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5EA7.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5EA7.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
8c51da32e0cf7c7fb3d61e65cda16454

SHA1
7be78d37b9e69064bb54faac889c21fff37aa929

SHA256
c27cf476a631ec9063cd2e31eae4bbbd15428d521672e6bccb36912c1f6e6429

SHA512
d88a7812b513b044620634405a57e8e06d3a9a0f536211a3ef39e4b4e9c0b93a692df3d3973786be72ce52389141afc8f5e455e42c12ba8d5cd13190e45e9807

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
8c51da32e0cf7c7fb3d61e65cda16454

SHA1
7be78d37b9e69064bb54faac889c21fff37aa929

SHA256
c27cf476a631ec9063cd2e31eae4bbbd15428d521672e6bccb36912c1f6e6429

SHA512
d88a7812b513b044620634405a57e8e06d3a9a0f536211a3ef39e4b4e9c0b93a692df3d3973786be72ce52389141afc8f5e455e42c12ba8d5cd13190e45e9807

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
d2351c0a8aad7dac959fef2a1b1d0878

SHA1
6ff8076b58530e334a0439c1a122cfe5d93febb1

SHA256
a64193f6833e35684810421d1dc5e9bb69c0b347abbb76e10086ba44b065c5d8

SHA512
24f2769581e24dbb8221e6eacd0c3b6dea73972ac52078dc71b2eca80250327e5e54eb084035594ea56b30df861f795885392440be357d3304e978eb151df6f7

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
9fd9d261116b41ed32f576b0e4d309cc

SHA1
4b6db678766e80964fcc8062154cf88bcf371df2

SHA256
edf02ded35cab4cf1ec1a90c682d3dd3efaf7f467df3de947da9c476517653bc

SHA512
d1d931374c5ace7af63989f0caab998d1bf974ffadceff027341b237b9ebe0ac72416eb7df00fd7b4d11fd89b09ff7cbad93a4e64eea9c8bf37181cc420fd5a1

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9461c89b0696d17dc0b44e8ce5930a1c

SHA1
4cff6947c89a6fe1e45703d0c5dc7dc3f7eb2127

SHA256
5c9abc2f134183ee1d8ed59f4996d32b7da90cc1ec8d27e291b413ca3ef4dc16

SHA512
a0bd9f6ae24c0a8b4c2de7d145ea0b08ed47ee985599a59e715398e55dc219057ae3c7ef42976613da5866b261e7dd9c0a9f317020db4a339ac0b0fc8794c4b6

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
70c7174f425edf4e63070438a04b301b

SHA1
3257b3e10b2add66db4c6207cff25eb261c7da4f

SHA256
f385eb19f0dcc5980272051dd0c12c23e709dd1e1d82ef82ce394b727cbcb5b4

SHA512
9e92db8cc998c90208a9fd13af8405bba05c1312ca2a65f586987e96b168f6a2962d1f49dea939c75188195dbe7122bdc2c7d4ea937d3dfbcb73b36e33b94e18

Download Submit
memory/756-69-0x0000000000000000-mapping.dmp

Download
memory/784-75-0x0000000000000000-mapping.dmp

Download
memory/900-57-0x0000000000000000-mapping.dmp

Download
memory/924-58-0x0000000000000000-mapping.dmp

Download
memory/1620-63-0x0000000000000000-mapping.dmp

Download
memory/1764-60-0x0000000000000000-mapping.dmp

Download
memory/1784-61-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads