Analysis

  • max time kernel
    323s
  • max time network
    404s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2022 03:41

General

  • Target

    153669557bbc10fa2b8b3654f02fbb5f46eb75b6784d6b20b1ff18e8db26dc2a.exe

  • Size

    1.1MB

  • MD5

    e44e0582cc8132d206930faa9205d65a

  • SHA1

    29ffd368c4b02c44282e6d58c7de9ac5a0edd3ed

  • SHA256

    153669557bbc10fa2b8b3654f02fbb5f46eb75b6784d6b20b1ff18e8db26dc2a

  • SHA512

    dd1fae32c6ce6bf5f9ad09e4db8390a00442d3c6d3ad6feed80b12bc48b86c3cc85809d1b3409865c481dbb328faf03dc974ebab6225f16ecc5234ce689ec5ae

  • SSDEEP

    24576:bUufo4RTOs5lvyEodpUdjMQHYodL6GOv4ldkUcnA7RdVe4dRrV:Zo4RTOjEQMj5HYqL4UT7RdVeuL

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\153669557bbc10fa2b8b3654f02fbb5f46eb75b6784d6b20b1ff18e8db26dc2a.exe
    "C:\Users\Admin\AppData\Local\Temp\153669557bbc10fa2b8b3654f02fbb5f46eb75b6784d6b20b1ff18e8db26dc2a.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Program Files (x86)\WNet\nfregdrv.exe
      nfregdrv.exe C:\Windows\system32\drivers\ssfilterdrv.sys
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4048
    • C:\Program Files (x86)\WNet\WNet.exe
      "C:\Program Files (x86)\WNet\WNet.exe" /install /SILENT
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1084

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\WNet\ProtocolFilters.dll

    Filesize

    244KB

    MD5

    9a0c59099f8589ee0f026bcd42c06800

    SHA1

    297564fe1624998ec4c0654b74255e0d0c66fb3e

    SHA256

    3d2eae03606f773a80df2cb58a8be15a6aa7475d8eabb546612294c880f57b8b

    SHA512

    c6dd547c2657ac317768612ee5fbec3e42af68fabd51b707b4b8f36e39635d418347d0dd0446e4c8779fc2e1225020bd5e5612555e60b85e9318870d66cdf550

  • C:\Program Files (x86)\WNet\WNet.exe

    Filesize

    426KB

    MD5

    45571677457a9bfd49aadada0fd91ca8

    SHA1

    15bb2446b1b6a54c03963c02dcffbe6886d09a56

    SHA256

    4dad1b7a2398c2d770d1d5d519c8a9b1877c430017cf1f17d414b926d6056ad3

    SHA512

    27d78e775cf275e1f068bb72056f8e9694006c75f674449ef2696791edb504e54aacea702152f9947b369b3c93488a91d54b15175a81b544e4ffacfd1eb45cbd

  • C:\Program Files (x86)\WNet\nfapi.dll

    Filesize

    122KB

    MD5

    8249371485714e1f45a4b1c67002cf47

    SHA1

    a43795953b471b01ef36e2d98ed3ccafd5b8762a

    SHA256

    df66130db5aafdc2761dd739bba15af38fba3a7c1b93457d97690ead85036e9f

    SHA512

    b9309a7d079a14febddc01e704f85b27ae83288a956f3ba4eebc8163b6f14f68a702f072dd09f1e13f59f5e846bd1914b6be394182cd995c292978d0d5eb5fab

  • C:\Program Files (x86)\WNet\nfregdrv.exe

    Filesize

    48KB

    MD5

    92a6df47283b49b207045fa7a4502bc1

    SHA1

    718e9ff5f0fd9143de4f8fcf135d78165f991e9d

    SHA256

    d714695c9775bd7dbb1fa40882bbe03216acb3994b94514a68892454eada0358

    SHA512

    f2b08a4ae33e87a786fe25a2d902c8acb002faa4893a1f21d5608cbe070477af1b9c553c8960486a65089ad1e0be1491cb93cc60da9f3394c893525fa075d645

  • C:\Users\Admin\AppData\Local\Temp\nsi8427.tmp\SimpleSC.dll

    Filesize

    61KB

    MD5

    d63975ce28f801f236c4aca5af726961

    SHA1

    3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

    SHA256

    e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

    SHA512

    8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

  • C:\Users\Admin\AppData\Local\Temp\nsi8427.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • memory/1084-142-0x0000000000000000-mapping.dmp

  • memory/4048-134-0x0000000000000000-mapping.dmp

  • memory/4544-141-0x0000000000640000-0x0000000000653000-memory.dmp

    Filesize

    76KB