Analysis
-
max time kernel
172s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2022 15:36
Static task
static1
Behavioral task
behavioral1
Sample
bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe
Resource
win10v2004-20221111-en
General
-
Target
bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe
-
Size
832KB
-
MD5
e94d702959182103d7f8e00de740f2f6
-
SHA1
7e3c779d720179c1ea51d92e338bd811e4cbbd3b
-
SHA256
bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402
-
SHA512
0dc02298ed5345109ef5310d2a2066b276bf079142e3bb54df693a5a13d9b2f1426a058098b7bab2af721abb2dd6a282f00dd5aafb2f761adb19f2a68f9838c3
-
SSDEEP
24576:FrfGR2wDeRMT4Rg9vUJ965XEaogR028IpwqEBA:FYYRMT6YvB5XDM28Gk
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\nethfdrv.sys bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe -
Executes dropped EXE 5 IoCs
pid Process 4928 installd.exe 4872 nethtsrv.exe 1852 netupdsrv.exe 4588 nethtsrv.exe 2664 netupdsrv.exe -
Loads dropped DLL 14 IoCs
pid Process 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 4928 installd.exe 4872 nethtsrv.exe 4872 nethtsrv.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 4588 nethtsrv.exe 4588 nethtsrv.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\hfnapi.dll bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe File created C:\Windows\SysWOW64\hfpapi.dll bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe File created C:\Windows\SysWOW64\installd.exe bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe File created C:\Windows\SysWOW64\nethtsrv.exe bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe File created C:\Windows\SysWOW64\netupdsrv.exe bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\Config\data.xml bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe File created C:\Program Files (x86)\Common Files\Config\ver.xml bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe File created C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections nethtsrv.exe -
Runs net.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 648 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4588 nethtsrv.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 2136 wrote to memory of 260 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 83 PID 2136 wrote to memory of 260 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 83 PID 2136 wrote to memory of 260 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 83 PID 260 wrote to memory of 2268 260 net.exe 85 PID 260 wrote to memory of 2268 260 net.exe 85 PID 260 wrote to memory of 2268 260 net.exe 85 PID 2136 wrote to memory of 3416 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 86 PID 2136 wrote to memory of 3416 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 86 PID 2136 wrote to memory of 3416 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 86 PID 3416 wrote to memory of 4848 3416 net.exe 88 PID 3416 wrote to memory of 4848 3416 net.exe 88 PID 3416 wrote to memory of 4848 3416 net.exe 88 PID 2136 wrote to memory of 4928 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 89 PID 2136 wrote to memory of 4928 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 89 PID 2136 wrote to memory of 4928 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 89 PID 2136 wrote to memory of 4872 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 91 PID 2136 wrote to memory of 4872 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 91 PID 2136 wrote to memory of 4872 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 91 PID 2136 wrote to memory of 1852 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 93 PID 2136 wrote to memory of 1852 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 93 PID 2136 wrote to memory of 1852 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 93 PID 2136 wrote to memory of 4360 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 95 PID 2136 wrote to memory of 4360 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 95 PID 2136 wrote to memory of 4360 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 95 PID 4360 wrote to memory of 3524 4360 net.exe 97 PID 4360 wrote to memory of 3524 4360 net.exe 97 PID 4360 wrote to memory of 3524 4360 net.exe 97 PID 2136 wrote to memory of 2992 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 99 PID 2136 wrote to memory of 2992 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 99 PID 2136 wrote to memory of 2992 2136 bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe 99 PID 2992 wrote to memory of 3388 2992 net.exe 101 PID 2992 wrote to memory of 3388 2992 net.exe 101 PID 2992 wrote to memory of 3388 2992 net.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe"C:\Users\Admin\AppData\Local\Temp\bffe8ffa3d6b4269c02122d34cd899abc2afd12a1415ac0510928a2d29c1b402.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\net.exenet stop nethttpservice2⤵
- Suspicious use of WriteProcessMemory
PID:260 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop nethttpservice3⤵PID:2268
-
-
-
C:\Windows\SysWOW64\net.exenet stop serviceupdater2⤵
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop serviceupdater3⤵PID:4848
-
-
-
C:\Windows\SysWOW64\installd.exe"C:\Windows\system32\installd.exe" nethfdrv2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4928
-
-
C:\Windows\SysWOW64\nethtsrv.exe"C:\Windows\system32\nethtsrv.exe" -nfdi2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4872
-
-
C:\Windows\SysWOW64\netupdsrv.exe"C:\Windows\system32\netupdsrv.exe" -nfdi2⤵
- Executes dropped EXE
PID:1852
-
-
C:\Windows\SysWOW64\net.exenet start nethttpservice2⤵
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start nethttpservice3⤵PID:3524
-
-
-
C:\Windows\SysWOW64\net.exenet start serviceupdater2⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start serviceupdater3⤵PID:3388
-
-
-
C:\Windows\SysWOW64\nethtsrv.exeC:\Windows\SysWOW64\nethtsrv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
C:\Windows\SysWOW64\netupdsrv.exeC:\Windows\SysWOW64\netupdsrv.exe1⤵
- Executes dropped EXE
PID:2664
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
106KB
MD5174773a174fb2f78c2546620dc7b5d53
SHA1562434f81808dff0fae5651934efd077fd6f8b97
SHA2562999ba2fe9b7a7a9f0256b2c22affa057d1b3489a772915faca25848e0da6e55
SHA512e7e49464f4a819076f4faf6c2c2077e63f5e2e4af9ab2f76c50e2a9b04ae3f0a4dc5a716875c754b526e9205414489d925d0ea88108cf809c261c7b0c0389f45
-
Filesize
106KB
MD5174773a174fb2f78c2546620dc7b5d53
SHA1562434f81808dff0fae5651934efd077fd6f8b97
SHA2562999ba2fe9b7a7a9f0256b2c22affa057d1b3489a772915faca25848e0da6e55
SHA512e7e49464f4a819076f4faf6c2c2077e63f5e2e4af9ab2f76c50e2a9b04ae3f0a4dc5a716875c754b526e9205414489d925d0ea88108cf809c261c7b0c0389f45
-
Filesize
106KB
MD5174773a174fb2f78c2546620dc7b5d53
SHA1562434f81808dff0fae5651934efd077fd6f8b97
SHA2562999ba2fe9b7a7a9f0256b2c22affa057d1b3489a772915faca25848e0da6e55
SHA512e7e49464f4a819076f4faf6c2c2077e63f5e2e4af9ab2f76c50e2a9b04ae3f0a4dc5a716875c754b526e9205414489d925d0ea88108cf809c261c7b0c0389f45
-
Filesize
106KB
MD5174773a174fb2f78c2546620dc7b5d53
SHA1562434f81808dff0fae5651934efd077fd6f8b97
SHA2562999ba2fe9b7a7a9f0256b2c22affa057d1b3489a772915faca25848e0da6e55
SHA512e7e49464f4a819076f4faf6c2c2077e63f5e2e4af9ab2f76c50e2a9b04ae3f0a4dc5a716875c754b526e9205414489d925d0ea88108cf809c261c7b0c0389f45
-
Filesize
428KB
MD5de7f9d01e6bbba1b545945f929420665
SHA16fbdd64780c83932b47457fecb8c1c1b947edd12
SHA256adc9b67d4b395ea77d04f116df8bb78ea01d0cca73c3942a5d19e61b987b90c6
SHA5126e4df5975f7768778a3cab9238f0dff72c85b8f896afff14d29dfc01b0ef1a6fed94047a0284bd96cfa668752a17d340c4004d6554171c094cd9dfb5dd5a3e82
-
Filesize
428KB
MD5de7f9d01e6bbba1b545945f929420665
SHA16fbdd64780c83932b47457fecb8c1c1b947edd12
SHA256adc9b67d4b395ea77d04f116df8bb78ea01d0cca73c3942a5d19e61b987b90c6
SHA5126e4df5975f7768778a3cab9238f0dff72c85b8f896afff14d29dfc01b0ef1a6fed94047a0284bd96cfa668752a17d340c4004d6554171c094cd9dfb5dd5a3e82
-
Filesize
428KB
MD5de7f9d01e6bbba1b545945f929420665
SHA16fbdd64780c83932b47457fecb8c1c1b947edd12
SHA256adc9b67d4b395ea77d04f116df8bb78ea01d0cca73c3942a5d19e61b987b90c6
SHA5126e4df5975f7768778a3cab9238f0dff72c85b8f896afff14d29dfc01b0ef1a6fed94047a0284bd96cfa668752a17d340c4004d6554171c094cd9dfb5dd5a3e82
-
Filesize
137KB
MD5a6628ba826e286f9c70a02e22fadbd70
SHA144c49d97b0f6532e84e26d3c79f041d5a4a44733
SHA25663a5a435ef0b123b1835a81aaab79b3d2f23f5dca3cbb03285ec556966234bb4
SHA512c029d34721ef845759f60a63fad533fd4803ae749e40d530b9808634308d8e951952712d5b614aeac2864e4b4ab11f1e72c8fd38cc415ab40aa4808b05019861
-
Filesize
137KB
MD5a6628ba826e286f9c70a02e22fadbd70
SHA144c49d97b0f6532e84e26d3c79f041d5a4a44733
SHA25663a5a435ef0b123b1835a81aaab79b3d2f23f5dca3cbb03285ec556966234bb4
SHA512c029d34721ef845759f60a63fad533fd4803ae749e40d530b9808634308d8e951952712d5b614aeac2864e4b4ab11f1e72c8fd38cc415ab40aa4808b05019861
-
Filesize
331KB
MD51176337c39220290ec5a0fbcf7f7eb0f
SHA14d24dc52b60dda5894990059ac090c537f584b34
SHA256d13daaf777fd4f104707f4516bf460aada7c8fd4e1f08fbcac499a3a247b9b8f
SHA512f84751da1a92dc5ef9c1a1e307d267e335998a87a4e64ff63af8795fed7502e98f50f2d674a9674eda4d18bb1428ec2f6c8f6487ccf3f6b852672afaeab32863
-
Filesize
331KB
MD51176337c39220290ec5a0fbcf7f7eb0f
SHA14d24dc52b60dda5894990059ac090c537f584b34
SHA256d13daaf777fd4f104707f4516bf460aada7c8fd4e1f08fbcac499a3a247b9b8f
SHA512f84751da1a92dc5ef9c1a1e307d267e335998a87a4e64ff63af8795fed7502e98f50f2d674a9674eda4d18bb1428ec2f6c8f6487ccf3f6b852672afaeab32863
-
Filesize
331KB
MD51176337c39220290ec5a0fbcf7f7eb0f
SHA14d24dc52b60dda5894990059ac090c537f584b34
SHA256d13daaf777fd4f104707f4516bf460aada7c8fd4e1f08fbcac499a3a247b9b8f
SHA512f84751da1a92dc5ef9c1a1e307d267e335998a87a4e64ff63af8795fed7502e98f50f2d674a9674eda4d18bb1428ec2f6c8f6487ccf3f6b852672afaeab32863
-
Filesize
187KB
MD57734c86419f587ed020e813f270a37a3
SHA174152a27164bc1bca10aae6125fce63cab95a4a4
SHA25632e94c0c8b62aeb53a40003a499eded4cad24ec13849888f3fcbae1a75ddd879
SHA5127956d9f52755c6eeb6f91ea39f4a5502ab30f1140f2b026f0c2f7b5f3d354388892e8a075f4d1fc9842377a5546a9419e77e565c44f5bda028abd7e9fd9b82d7
-
Filesize
187KB
MD57734c86419f587ed020e813f270a37a3
SHA174152a27164bc1bca10aae6125fce63cab95a4a4
SHA25632e94c0c8b62aeb53a40003a499eded4cad24ec13849888f3fcbae1a75ddd879
SHA5127956d9f52755c6eeb6f91ea39f4a5502ab30f1140f2b026f0c2f7b5f3d354388892e8a075f4d1fc9842377a5546a9419e77e565c44f5bda028abd7e9fd9b82d7
-
Filesize
187KB
MD57734c86419f587ed020e813f270a37a3
SHA174152a27164bc1bca10aae6125fce63cab95a4a4
SHA25632e94c0c8b62aeb53a40003a499eded4cad24ec13849888f3fcbae1a75ddd879
SHA5127956d9f52755c6eeb6f91ea39f4a5502ab30f1140f2b026f0c2f7b5f3d354388892e8a075f4d1fc9842377a5546a9419e77e565c44f5bda028abd7e9fd9b82d7