Analysis
- max time kernel: 148s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 13:46
Static task: static1
Behavioral task: behavioral1
  Sample: c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9.exe
  Resource: win10v2004-20220812-en
General
- Target: c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9.exe
- Size: 561KB
- MD5: 51d78c5c10d018c25d8deead57b14774
- SHA1: 55c7d7981376c551eb7dde77412f0b0bdda151a7
- SHA256: c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9
- SHA512: a28905caecc3fe3c4098aed205f9eb0a45880aeae718ec74495fc94e5d8c6cb4dcd4ca49c3b6955379b9341a526faee28c34719f24f4370ebb88cac8e4353389
- SSDEEP: 12288:9PRYzG1G+rlJ2GhpFe4dFo9/Df0Uh8FO:EzG18GnkWu97pis
Malware Config
Signatures
PID 4860 is the submitted sample, c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9.exe, abbreviated below as c97b2061[...].exe.

- Drops file in Drivers directory (1 IoC)
  File created  C:\Windows\system32\drivers\nethfdrv.sys  by 4860 c97b2061[...].exe

- Executes dropped EXE (5 IoCs)
  4868 installd.exe
  5016 nethtsrv.exe
  4996 netupdsrv.exe
  4216 nethtsrv.exe
  1036 netupdsrv.exe

- Loads dropped DLL (14 IoCs), counted per loading process
  4860 c97b2061[...].exe   9 loads
  4868 installd.exe        1 load
  5016 nethtsrv.exe        2 loads
  4216 nethtsrv.exe        2 loads

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in System32 directory (5 IoCs), all created by 4860 c97b2061[...].exe
  C:\Windows\SysWOW64\installd.exe
  C:\Windows\SysWOW64\nethtsrv.exe
  C:\Windows\SysWOW64\netupdsrv.exe
  C:\Windows\SysWOW64\hfnapi.dll
  C:\Windows\SysWOW64\hfpapi.dll
  The sample is 32-bit (arch:x86 tag), so WOW64 file-system redirection sends its "system32" writes to SysWOW64; hunt there, not in System32.

- Drops file in Program Files directory (3 IoCs), all created by 4860 c97b2061[...].exe
  C:\Program Files (x86)\Common Files\Config\data.xml
  C:\Program Files (x86)\Common Files\Config\ver.xml
  C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Triage labels this "likely ransomware behaviour"; read together with the rest of this report (a kernel driver and two services dropped, registered and started) the activity looks like an installer, so treat this tag as a weak signal on its own.

- Modifies data under HKEY_USERS (1 IoC)
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  by nethtsrv.exe
  HKU\.DEFAULT is the profile hive of the LocalSystem account, which fits nethtsrv.exe running as a service.

- Runs net.exe
  Four invocations: net stop and net start for nethttpservice and for serviceupdater (see the process tree).

- Suspicious behavior: LoadsDriver (1 IoC)
  pid 664  Process not Found  (the driver load could not be attributed to a process in the tree)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  4216 nethtsrv.exe

- Suspicious use of WriteProcessMemory (33 IoCs)
  Each writer/target pair is recorded three times; the 11 distinct pairs are:
  writer PID  writer process        target PID  procid_target
  4860        c97b2061[...].exe     384         79
  384         net.exe               4220        81
  4860        c97b2061[...].exe     4812        82
  4812        net.exe               4852        84
  4860        c97b2061[...].exe     4868        85
  4860        c97b2061[...].exe     5016        86
  4860        c97b2061[...].exe     4996        88
  4860        c97b2061[...].exe     4380        90
  4380        net.exe               4964        92
  4860        c97b2061[...].exe     224         94
  224         net.exe               4636        96
  Every target is a direct child of its writer in the process tree, so these are parent writes into freshly created children (process start-up), not injection into unrelated processes.
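The signatures above imply three registrations with the service control manager: two services (nethttpservice, serviceupdater, named in the net stop/start command lines) and one kernel driver (nethfdrv, from "installd.exe nethfdrv" and drivers\nethfdrv.sys). The following PowerShell is an added example by the editor, not part of the Triage report and not code from the sample's authors: it looks back through the System log for Event ID 7045 ("A service was installed in the system", which Windows writes for kernel drivers as well as user-mode services) and, where process-creation auditing is enabled, through the Security log for 4688 events carrying the net stop/start command lines. The names and image file names are copied from the report; the look-back window, the field-extraction helper and the output columns are the editor's assumptions.

```powershell
# Added example (editor's code, not from the Triage report). Retrospective
# check of one host's event logs for the service/driver registrations and
# net.exe stop/start commands this report describes. Run elevated; the
# Security log needs admin rights to read.
param([int]$Days = 30)   # look-back window: assumption, adjust as needed
$since = (Get-Date).AddDays(-$Days)

# Service and driver names from the report (net stop/start, installd.exe nethfdrv).
$WatchNames  = 'nethttpservice', 'serviceupdater', 'nethfdrv'
# Binaries the report shows dropped into SysWOW64 and system32\drivers.
$WatchImages = 'nethtsrv.exe', 'netupdsrv.exe', 'installd.exe', 'nethfdrv.sys'

function Get-EventDataField {
    # Return one named <Data> field from an event's XML. Works for any event
    # using the EventData schema; 7045 carries ServiceName, ImagePath,
    # ServiceType, StartType and AccountName, 4688 carries NewProcessName
    # and (if command-line logging is on) CommandLine.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$hits = [System.Collections.Generic.List[object]]::new()

# 7045: every new service, kernel drivers included.
$svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $svcEvents) {
    $svc  = Get-EventDataField $e 'ServiceName'
    $img  = Get-EventDataField $e 'ImagePath'
    $type = Get-EventDataField $e 'ServiceType'
    $nameHit  = $WatchNames  | Where-Object { $svc -ieq $_ }
    $imageHit = $WatchImages | Where-Object { $img -and $img.ToLower().Contains($_) }
    if ($nameHit -or $imageHit) {
        $hits.Add([pscustomobject]@{ Time = $e.TimeCreated; EventId = 7045; Service = $svc; Type = $type; Image = $img })
    }
}

# 4688: only present where "Audit Process Creation" is enabled; CommandLine
# is only filled when "Include command line in process creation events" is on.
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $procEvents) {
    $cmd = Get-EventDataField $e 'CommandLine'
    $new = Get-EventDataField $e 'NewProcessName'
    $cmdHit   = $cmd -and ($cmd -match '(?i)\bnet(1)?(\.exe)?\s+(stop|start)\s+(nethttpservice|serviceupdater)\b')
    $imageHit = $new -and ($WatchImages | Where-Object { $new.ToLower().EndsWith($_) })
    if ($cmdHit -or $imageHit) {
        $shown = if ($cmd) { $cmd } else { $new }
        $hits.Add([pscustomobject]@{ Time = $e.TimeCreated; EventId = 4688; Service = ''; Type = ''; Image = $shown })
    }
}

if ($hits.Count -gt 0) { $hits | Sort-Object Time | Format-Table -AutoSize }
else { "No 7045/4688 events matching this report in the last $Days days." }
```

A 7045 hit whose Type reads "kernel mode driver" for nethfdrv is the single most useful record here: it survives even if the installer later removed its own files, and it names the image path the driver was registered with.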
Processes
Children are indented under their parent. Command lines name C:\Windows\system32 while the executed images are in SysWOW64: the sample is 32-bit, and WOW64 file-system redirection maps its system32 paths to SysWOW64. The observed sequence is stop both services, drop and register the driver and service binaries, then start the services, which is how an installer handles a pre-existing installation.

C:\Users\Admin\AppData\Local\Temp\c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9.exe   PID 4860
    command: "C:\Users\Admin\AppData\Local\Temp\c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9.exe"
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe   PID 384
        command: net stop nethttpservice
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe   PID 4220
            command: C:\Windows\system32\net1 stop nethttpservice

    C:\Windows\SysWOW64\net.exe   PID 4812
        command: net stop serviceupdater
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe   PID 4852
            command: C:\Windows\system32\net1 stop serviceupdater

    C:\Windows\SysWOW64\installd.exe   PID 4868
        command: "C:\Windows\system32\installd.exe" nethfdrv
        - Executes dropped EXE
        - Loads dropped DLL

    C:\Windows\SysWOW64\nethtsrv.exe   PID 5016
        command: "C:\Windows\system32\nethtsrv.exe" -nfdi
        - Executes dropped EXE
        - Loads dropped DLL

    C:\Windows\SysWOW64\netupdsrv.exe   PID 4996
        command: "C:\Windows\system32\netupdsrv.exe" -nfdi
        - Executes dropped EXE

    C:\Windows\SysWOW64\net.exe   PID 4380
        command: net start nethttpservice
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe   PID 4964
            command: C:\Windows\system32\net1 start nethttpservice

    C:\Windows\SysWOW64\net.exe   PID 224
        command: net start serviceupdater
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe   PID 4636
            command: C:\Windows\system32\net1 start serviceupdater

C:\Windows\SysWOW64\nethtsrv.exe   PID 4216   (separate root, not a child of 4860)
    command: C:\Windows\SysWOW64\nethtsrv.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\netupdsrv.exe   PID 1036   (separate root, not a child of 4860)
    command: C:\Windows\SysWOW64\netupdsrv.exe
    - Executes dropped EXE

The two trailing roots (4216, 1036) are consistent with the services started by net start being launched by the service control manager rather than by the installer; 4216 is the instance that enabled SeDebugPrivilege and wrote under HKU\.DEFAULT.
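The process tree and the drop signatures together give a complete on-disk and in-SCM footprint for this sample. The PowerShell below is an added example by the editor, not part of the Triage report and not code from the sample's authors: a live sweep of one host for the dropped files (by path, then by SHA256 against the values in General and Downloads), the two services, the kernel driver and any running copies of the dropped executables. Paths, names and hashes are copied from the report; checking SysWOW64\drivers as well as system32\drivers for nethfdrv.sys, and the result layout, are the editor's assumptions.

```powershell
# Added example (editor's code, not from the Triage report). Live sweep of one
# Windows host for the artefacts this report attributes to the sample. Run
# from an elevated session so service, driver and Program Files queries succeed.
$ErrorActionPreference = 'SilentlyContinue'

# From the "Drops file in ..." signatures. The sample is 32-bit, so its
# system32 writes were redirected to SysWOW64. The report places the driver
# under the real system32\drivers; the SysWOW64\drivers entry is an extra
# check added here (assumption), not a path the report lists.
$DroppedPaths = @(
    "$env:SystemRoot\System32\drivers\nethfdrv.sys",
    "$env:SystemRoot\SysWOW64\drivers\nethfdrv.sys",
    "$env:SystemRoot\SysWOW64\installd.exe",
    "$env:SystemRoot\SysWOW64\nethtsrv.exe",
    "$env:SystemRoot\SysWOW64\netupdsrv.exe",
    "$env:SystemRoot\SysWOW64\hfnapi.dll",
    "$env:SystemRoot\SysWOW64\hfpapi.dll",
    "${env:ProgramFiles(x86)}\Common Files\Config\data.xml",
    "${env:ProgramFiles(x86)}\Common Files\Config\ver.xml",
    "${env:ProgramFiles(x86)}\Common Files\Config\uninstinethnfd.exe"
)

# SHA256 of the sample (General) and of each distinct entry under Downloads.
$KnownSha256 = @{
    'c97b2061a4f59ceab911a99761a45da8cc4ca3fcb924ca3eda1fef29deb879b9' = 'sample, 561KB'
    'dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f' = 'dropped, 11KB'
    '168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e' = 'dropped, 6KB'
    'afa58c962892dd7d9921852a4eb72bf4472a5b7312ecb13255c0428d542c955d' = 'dropped, 106KB'
    '90e2fef8c259953c772bf74d259fdd72da1af9a3696f072756e66880f5d55136' = 'dropped, 241KB'
    'c345e97e3d483d4376c1f47f65515c6d36715bb58502884be020244894412398' = 'dropped, 108KB'
    '025d55a317ffe71ad03eb17976cd1749bb853f242297ee0f28c864e2163a0b37' = 'dropped, 176KB'
    '5fd66252cc5277dc33f5938a3ca7819f6e91d5a55399f916db5d4e70b3d7f052' = 'dropped, 158KB'
}

$ServiceNames = 'nethttpservice', 'serviceupdater'   # from the net stop/start command lines
$DriverName   = 'nethfdrv'                           # from "installd.exe nethfdrv"
$ImageNames   = 'nethtsrv', 'netupdsrv', 'installd'  # dropped EXEs, without extension

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# Files: presence first, then hash match against the report.
foreach ($p in $DroppedPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256.ContainsKey($h)) { Add-Finding 'File' $p "SHA256 matches report ($($KnownSha256[$h]))" }
    else { Add-Finding 'File' $p "present; SHA256 $h not in report (different build, or an unrelated file at this path)" }
}

# Services: Win32_Service exposes image path and start mode, which Get-Service does not.
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $ServiceNames -contains $_.Name }) {
    Add-Finding 'Service' $svc.Name "state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
}

# Kernel driver: registered as a driver service; State shows whether it is loaded.
foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.Name -eq $DriverName }) {
    Add-Finding 'Driver' $drv.Name "state=$($drv.State) path=$($drv.PathName)"
}

# Running copies of the dropped executables, wherever they were launched from.
foreach ($proc in Get-Process -Name $ImageNames) {
    Add-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" "path=$($proc.Path)"
}

if ($findings.Count -eq 0) { 'No artefacts from this report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A path hit whose hash is not in the report is still worth a look: the Downloads section gives no file names, so a rebuilt or updated copy of the same installer would land on the same paths with different hashes.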
Downloads
Hashes of files written during the run. The report lists several entries more than once; the repeat count is given in parentheses. No file names are recorded in this section.

- Filesize 11KB
  MD5    c17103ae9072a06da581dec998343fc1
  SHA1   b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

- Filesize 6KB (listed 8 times)
  MD5    acc2b699edfea5bf5aae45aba3a41e96
  SHA1   d2accf4d494e43ceb2cff69abe4dd17147d29cc2
  SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
  SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

- Filesize 106KB (listed 4 times)
  MD5    3aefa843606d848c6e2f6ef839262431
  SHA1   553c9efeb33ed4127e3e01c5809e223c2cea06a9
  SHA256 afa58c962892dd7d9921852a4eb72bf4472a5b7312ecb13255c0428d542c955d
  SHA512 08484c0bf2fa7dfd6071e394a1a7e816aa21c3ec3d51e4bc90924001ac563179743e452aac60e390d5c4ad34b244c9d8db824298f661f71f0c97b4eb89a37957

- Filesize 241KB (listed 3 times)
  MD5    12ac23a4d629fd8e363caa88b36b4922
  SHA1   e986eb7c5cd5d14c131541c287d63ea25eda47d2
  SHA256 90e2fef8c259953c772bf74d259fdd72da1af9a3696f072756e66880f5d55136
  SHA512 bcebe26a1bfa74a279ae19c5168d699ee8c71878b427ba4b4346f760b60123abb1e698747d1fe3c781c640f21613c64b798e279e229756d30bf2f216f89e3f69

- Filesize 108KB (listed 2 times)
  MD5    db061f4efc4acefe0ee30d89738d7b11
  SHA1   82a3007ba35101f47121c7f6fdd421cc28d7febb
  SHA256 c345e97e3d483d4376c1f47f65515c6d36715bb58502884be020244894412398
  SHA512 d50a87064abd1001966c78808d36db937558dd3c36778b0ad858d1d7525b8c8ef3afe04c32be14fe0d53cbeb113471afb50e9d6ca42cd4992e39becddef7df9c

- Filesize 176KB (listed 3 times)
  MD5    930692c5562e53c275e67b3fe60cf17a
  SHA1   9639484252137c7c220cf9683d6e433d28b59350
  SHA256 025d55a317ffe71ad03eb17976cd1749bb853f242297ee0f28c864e2163a0b37
  SHA512 236dd4b25fdfb5845cffad13a1477c9e34b9f7525a74e6d6af6001b8a9ae4e855c1f5917abcb677d491f419e7f662b29242dc896514cd420ffb1b967bbbf1ad0

- Filesize 158KB (listed 3 times)
  MD5    f11f60a4878f23d392cec8fe64927b2c
  SHA1   1b8116a4af62df8db50ccb3e6f361e7f91d3b437
  SHA256 5fd66252cc5277dc33f5938a3ca7819f6e91d5a55399f916db5d4e70b3d7f052
  SHA512 618f46fc38ba2672b837f59c57996c58457dc47a4f139b3701d7886fdc4cd0930b69758288be435a00967e0773128c0518de5d2071de640374f5bff38aaf2426