53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669

Analysis

max time kernel
252s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
Size

562KB
MD5

240a77dd273775670ead65caa489e4bf
SHA1

15c89fdfa4b86a0a635c5a7bee97047182562419
SHA256

53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669
SHA512

9479ee6f765077e909d2f8ddb6542f388d6cbe6ecfc310d0800b66206d35bdad1b7915e91004bff59e0fc6adc550b7fc7b1fc242b6fd832e4922da32b9437a6a
SSDEEP

12288:0PRYzJbfDCuo/8IyXOw49KITHLvNypjiJFZ6ngAYjdhlMGFcN7gA270IG:lz9fG3/8IM4HH7NhJegJjfiGFKgRk

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\nethfdrv.sys	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe

Executes dropped EXE 3 IoCs

pid	Process
1728	installd.exe
2004	nethtsrv.exe
532	netupdsrv.exe

Loads dropped DLL 9 IoCs

pid	Process
876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
1728	installd.exe
876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
2004	nethtsrv.exe
2004	nethtsrv.exe
876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hfnapi.dll	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
File created	C:\Windows\SysWOW64\installd.exe	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1828	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	28
PID 876 wrote to memory of 1828	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	28
PID 876 wrote to memory of 1828	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	28
PID 876 wrote to memory of 1828	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	28
PID 1828 wrote to memory of 1792	1828	net.exe	30
PID 1828 wrote to memory of 1792	1828	net.exe	30
PID 1828 wrote to memory of 1792	1828	net.exe	30
PID 1828 wrote to memory of 1792	1828	net.exe	30
PID 876 wrote to memory of 752	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	31
PID 876 wrote to memory of 752	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	31
PID 876 wrote to memory of 752	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	31
PID 876 wrote to memory of 752	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	31
PID 752 wrote to memory of 1292	752	net.exe	33
PID 752 wrote to memory of 1292	752	net.exe	33
PID 752 wrote to memory of 1292	752	net.exe	33
PID 752 wrote to memory of 1292	752	net.exe	33
PID 876 wrote to memory of 1728	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	34
PID 876 wrote to memory of 1728	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	34
PID 876 wrote to memory of 1728	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	34
PID 876 wrote to memory of 1728	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	34
PID 876 wrote to memory of 1728	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	34
PID 876 wrote to memory of 1728	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	34
PID 876 wrote to memory of 1728	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	34
PID 876 wrote to memory of 2004	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	36
PID 876 wrote to memory of 2004	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	36
PID 876 wrote to memory of 2004	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	36
PID 876 wrote to memory of 2004	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	36
PID 876 wrote to memory of 532	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	38
PID 876 wrote to memory of 532	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	38
PID 876 wrote to memory of 532	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	38
PID 876 wrote to memory of 532	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	38
PID 876 wrote to memory of 532	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	38
PID 876 wrote to memory of 532	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	38
PID 876 wrote to memory of 532	876	53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe	38

C:\Users\Admin\AppData\Local\Temp\53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe
"C:\Users\Admin\AppData\Local\Temp\53921b6717bf9e68dfe335ef026fd2f7628e001534dc0b17e1ced92c6ed8c669.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\net.exe
  net stop nethttpservice
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop nethttpservice
    3⤵
    PID:1792
- C:\Windows\SysWOW64\net.exe
  net stop serviceupdater
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop serviceupdater
    3⤵
    PID:1292
- C:\Windows\SysWOW64\installd.exe
  "C:\Windows\system32\installd.exe" nethfdrv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1728
- C:\Windows\SysWOW64\nethtsrv.exe
  "C:\Windows\system32\nethtsrv.exe" -nfdi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2004
- C:\Windows\SysWOW64\netupdsrv.exe
  "C:\Windows\system32\netupdsrv.exe" -nfdi
  2⤵
  - Executes dropped EXE
  PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
3fbe83533efd9ac6ffec6ff6e599770a

SHA1
e6d3648e0f2a89581635dee0b8b0a03a77369bc1

SHA256
a7b2c2892927297d522b48b28e5d1d8f04cc61aca454ed599363c98d46f8c1fc

SHA512
8f8876694e50456ec3f6b327e10f6222a161fddb71e0507da94cc99c0b596dbaa3dafabdc8a697d5fd467f1ae550d75379e04a63567893f7dacd4fb1b71b4145

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
72ead6866292afa38f3eaec8056b24c5

SHA1
bb368b8f604ab9d9cd9e9f1461510bc649989b06

SHA256
d0c412f7268c8dd4a0346b96d3be4916570d1d67a2a0402991a07d57bad3c1b2

SHA512
bde8962bc9fdef1112ebb64bebca894046c77447c1064076fd291e3f778a5def4fda3216c738c3f399900f6cfe626e52afe750428ef8bcd890d90f10c5ccc0d2

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
021640c3f24e32f8380c28a620ac66b3

SHA1
94860d36aca906ae9448fd68b5b1efc119f4aea9

SHA256
25b9050ee76c58e236114daf7bd751c8ee7bba09e6eff7c7e9d87281c00bc7c9

SHA512
ea6892e60d07f8f80461d136b481bef5e0cfecf51362530645bdc3f70255e2873f9249cb758f80c294bb91849b80d0cce207a3820b19bb33526021b334dc7b1e

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
2c23c6ed36a85780802e8bb6facd3e38

SHA1
07ac87cc90f8ee8ae76a34839612b70b02e0a275

SHA256
9566c298afb9e839d82e76542ae958ba86fe16289de6043b60618e40eefea661

SHA512
c41c3eec68e2e1d699da11396aad842ffc29663bac1cc6f8f738598cc6876ac1569be89438282f3006abee60d7ea5851af33d3c2a4f81f5ce793eae837bcb3c9

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
c8110c6df19e376864012cf9566e48ff

SHA1
726296920a646b0385804ed39fb207eaa211a223

SHA256
7270f5c2de9ad14252848992b592c9b811137ee43a9149aaf31eb7ba69d50f8e

SHA512
5ba1c166cabfddea5a93606b45d9e05838ae2372f7cd543901539d075c14c15e063d77dc5bb52cb1b843ecb41f3c8d081f4471dce4d21aeb310bf854e0818b99

Download Submit
\Users\Admin\AppData\Local\Temp\nskCD0.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nskCD0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nskCD0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
3fbe83533efd9ac6ffec6ff6e599770a

SHA1
e6d3648e0f2a89581635dee0b8b0a03a77369bc1

SHA256
a7b2c2892927297d522b48b28e5d1d8f04cc61aca454ed599363c98d46f8c1fc

SHA512
8f8876694e50456ec3f6b327e10f6222a161fddb71e0507da94cc99c0b596dbaa3dafabdc8a697d5fd467f1ae550d75379e04a63567893f7dacd4fb1b71b4145

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
3fbe83533efd9ac6ffec6ff6e599770a

SHA1
e6d3648e0f2a89581635dee0b8b0a03a77369bc1

SHA256
a7b2c2892927297d522b48b28e5d1d8f04cc61aca454ed599363c98d46f8c1fc

SHA512
8f8876694e50456ec3f6b327e10f6222a161fddb71e0507da94cc99c0b596dbaa3dafabdc8a697d5fd467f1ae550d75379e04a63567893f7dacd4fb1b71b4145

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
72ead6866292afa38f3eaec8056b24c5

SHA1
bb368b8f604ab9d9cd9e9f1461510bc649989b06

SHA256
d0c412f7268c8dd4a0346b96d3be4916570d1d67a2a0402991a07d57bad3c1b2

SHA512
bde8962bc9fdef1112ebb64bebca894046c77447c1064076fd291e3f778a5def4fda3216c738c3f399900f6cfe626e52afe750428ef8bcd890d90f10c5ccc0d2

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
021640c3f24e32f8380c28a620ac66b3

SHA1
94860d36aca906ae9448fd68b5b1efc119f4aea9

SHA256
25b9050ee76c58e236114daf7bd751c8ee7bba09e6eff7c7e9d87281c00bc7c9

SHA512
ea6892e60d07f8f80461d136b481bef5e0cfecf51362530645bdc3f70255e2873f9249cb758f80c294bb91849b80d0cce207a3820b19bb33526021b334dc7b1e

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
2c23c6ed36a85780802e8bb6facd3e38

SHA1
07ac87cc90f8ee8ae76a34839612b70b02e0a275

SHA256
9566c298afb9e839d82e76542ae958ba86fe16289de6043b60618e40eefea661

SHA512
c41c3eec68e2e1d699da11396aad842ffc29663bac1cc6f8f738598cc6876ac1569be89438282f3006abee60d7ea5851af33d3c2a4f81f5ce793eae837bcb3c9

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
c8110c6df19e376864012cf9566e48ff

SHA1
726296920a646b0385804ed39fb207eaa211a223

SHA256
7270f5c2de9ad14252848992b592c9b811137ee43a9149aaf31eb7ba69d50f8e

SHA512
5ba1c166cabfddea5a93606b45d9e05838ae2372f7cd543901539d075c14c15e063d77dc5bb52cb1b843ecb41f3c8d081f4471dce4d21aeb310bf854e0818b99

Download Submit
memory/876-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/876-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/876-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download