Analysis

  • max time kernel
    36s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 10:54

General

  • Target

    9bf9d1eebcae5dd8d35773c8c851eee29039bcacd24e685714bec18f3b68932f.exe

  • Size

    446KB

  • MD5

    d48903fe01a34933798b0c13ad436043

  • SHA1

    e6507e602b1e22a36b7dbb874620b7c280fd7fa3

  • SHA256

    9bf9d1eebcae5dd8d35773c8c851eee29039bcacd24e685714bec18f3b68932f

  • SHA512

    6441aaf45d2a5b5b17b28b137d8bc0bc1c71f93606affaaa1ff62ce3b434cb64791dc6a082bbee042dd645e077fba0815172be6c47a194e0ffb2d06a85b6d15e

  • SSDEEP

    12288:6srXevpWM7t4g5MCIAxwww+w4i1GCIuSrT9yWxPqfyS:6s4ph/9IAx065T9yWgyS

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bf9d1eebcae5dd8d35773c8c851eee29039bcacd24e685714bec18f3b68932f.exe
    "C:\Users\Admin\AppData\Local\Temp\9bf9d1eebcae5dd8d35773c8c851eee29039bcacd24e685714bec18f3b68932f.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\net.exe
      net stop nethttpservice
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop nethttpservice
        3⤵
        PID:592
    • C:\Windows\SysWOW64\net.exe
      net stop serviceupdater
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop serviceupdater
        3⤵
        PID:772
    • C:\Windows\SysWOW64\installd.exe
      "C:\Windows\system32\installd.exe" nethfdrv
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1888
    • C:\Windows\SysWOW64\nethtsrv.exe
      "C:\Windows\system32\nethtsrv.exe" -nfdi
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1864
    • C:\Windows\SysWOW64\netupdsrv.exe
      "C:\Windows\system32\netupdsrv.exe" -nfdi
      2⤵
      • Executes dropped EXE
      PID:1872
    • C:\Windows\SysWOW64\net.exe
      net start nethttpservice
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start nethttpservice
        3⤵
        PID:364
    • C:\Windows\SysWOW64\net.exe
      net start serviceupdater
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start serviceupdater
        3⤵
        PID:1800
  • C:\Windows\SysWOW64\nethtsrv.exe
    C:\Windows\SysWOW64\nethtsrv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1140
  • C:\Windows\SysWOW64\netupdsrv.exe
    C:\Windows\SysWOW64\netupdsrv.exe
    1⤵
    • Executes dropped EXE
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\hfnapi.dll
    Filesize 106KB
    MD5 736df98c30e2bbc51a9c47276f2125b3
    SHA1 5d9a72ddea0e13b4d829ef4a638ea94280ea1989
    SHA256 9281702091774604bf9565d78cb59de8524707dd5cbb4b0433a8089b489f7020
    SHA512 f9d41cce3c2692df5fd9822d9416b6791619edca63352ca9d7f8c8f8a5850d8bd59e23b8500461d688fd41a313f74cae513a08d823b5064869ff4bc8a867e05e

  • C:\Windows\SysWOW64\hfpapi.dll
    Filesize 241KB
    MD5 3db7cf9309f2b1f2f39ad4b5a8851107
    SHA1 8d408342301cc9dfd0fc36298e9d40bad0aeb5f3
    SHA256 28967d856812c7c243ff6ee269f9edfe9314f93c5d3712996d7388f68ffcc819
    SHA512 c18f5d3b3c9eb7d0358677601efa4d4af9f452769c1e964995730af88a96feb8f73e527b2d16d36a77f68b53c4beedf76ad2384888deabd50ef3ce20e5bee9df

  • C:\Windows\SysWOW64\installd.exe
    Filesize 108KB
    MD5 0dc5fb10a050b7d251deed956598203f
    SHA1 e6fb1125bed8d807f99a76e456e19f6ab247ca0c
    SHA256 20d355b042d527386926aa8bb7933f80afcc254e0bcfd3b63bad89ae889265b8
    SHA512 340a64d6d7d84c57a1aac725de6444bb40178464d425863b6a958ffae3021765e6c6d4b47d71a01df6ce4631ae1daa5fd04af41361bdf30d896a98251097d94a

  • C:\Windows\SysWOW64\nethtsrv.exe
    Filesize 176KB
    MD5 916c109a1f205475e8f62f72a4f7701f
    SHA1 3b104f7197f9b573dc75a2fabed1c20db3dbe10c
    SHA256 edfee9167e7626e3fe46fe53fe83387ae964112a065273826d30cee25544ad73
    SHA512 086c9e81ed7e22ce45a3efffef0639798ca56c7f5c6e8bbc0f63adb7ed264bc6eb650b2fb12c34a8df016c1e95a13911068c9c88b0b2aea7b80f59733e24d31b

  • C:\Windows\SysWOW64\netupdsrv.exe
    Filesize 158KB
    MD5 d0e8207d025f38b3678ed88d7365da4f
    SHA1 c192212ad076283093b622f46538c921b485704f
    SHA256 f3102c262691aa9bb942e68ee5debafa43992037725471d156a5742e6dd45322
    SHA512 0a6da3c210da36d1f6d054b7f0866cb8936f7eb45210a3b98783aa3f3fd4e8d14db94c6f12a1afca14c2f9610b458d4a67407ef1a990a835cd70a34c28ff7904

  • \Users\Admin\AppData\Local\Temp\nsj95CD.tmp\System.dll
    Filesize 11KB
    MD5 c17103ae9072a06da581dec998343fc1
    SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\nsj95CD.tmp\nsExec.dll
    Filesize 6KB
    MD5 acc2b699edfea5bf5aae45aba3a41e96
    SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
    SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
    SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe