04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
Size

339KB
MD5

1ef5430dede374b8e65d118bc62a606c
SHA1

95f68358055d5d40dd1e3b197915a08e246f47cb
SHA256

04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad
SHA512

7107776ae2b31d65072e9c640720b470cbb33ad7d483db3a766e35c371bdbb03a7566003278c3a6b99f945318557da026fac4ad39a9de300ce25d6c5ec472bc2
SSDEEP

6144:IDSoIPzvwUerre8qDSkMtF2BmcMWxa4GcMc8XuDHnL7L6TBUGecgbx2X5:XDwUem8qMtF24c7njpNDHvGAbC

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\nethfdrv.sys	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe

Executes dropped EXE 5 IoCs

pid	Process
5028	installd.exe
4316	nethtsrv.exe
2528	netupdsrv.exe
4616	nethtsrv.exe
4204	netupdsrv.exe

Loads dropped DLL 14 IoCs

pid	Process
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
5028	installd.exe
4316	nethtsrv.exe
4316	nethtsrv.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
4616	nethtsrv.exe
4616	nethtsrv.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\netupdsrv.exe	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
File created	C:\Windows\SysWOW64\installd.exe	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	nethtsrv.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	nethtsrv.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1476	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	88
PID 544 wrote to memory of 1476	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	88
PID 544 wrote to memory of 1476	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	88
PID 1476 wrote to memory of 2728	1476	net.exe	90
PID 1476 wrote to memory of 2728	1476	net.exe	90
PID 1476 wrote to memory of 2728	1476	net.exe	90
PID 544 wrote to memory of 1260	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	91
PID 544 wrote to memory of 1260	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	91
PID 544 wrote to memory of 1260	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	91
PID 1260 wrote to memory of 1320	1260	net.exe	93
PID 1260 wrote to memory of 1320	1260	net.exe	93
PID 1260 wrote to memory of 1320	1260	net.exe	93
PID 544 wrote to memory of 5028	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	95
PID 544 wrote to memory of 5028	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	95
PID 544 wrote to memory of 5028	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	95
PID 544 wrote to memory of 4316	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	97
PID 544 wrote to memory of 4316	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	97
PID 544 wrote to memory of 4316	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	97
PID 544 wrote to memory of 2528	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	99
PID 544 wrote to memory of 2528	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	99
PID 544 wrote to memory of 2528	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	99
PID 544 wrote to memory of 3484	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	102
PID 544 wrote to memory of 3484	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	102
PID 544 wrote to memory of 3484	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	102
PID 3484 wrote to memory of 896	3484	net.exe	104
PID 3484 wrote to memory of 896	3484	net.exe	104
PID 3484 wrote to memory of 896	3484	net.exe	104
PID 544 wrote to memory of 3784	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	110
PID 544 wrote to memory of 3784	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	110
PID 544 wrote to memory of 3784	544	04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe	110
PID 3784 wrote to memory of 3412	3784	net.exe	112
PID 3784 wrote to memory of 3412	3784	net.exe	112
PID 3784 wrote to memory of 3412	3784	net.exe	112

C:\Users\Admin\AppData\Local\Temp\04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe
"C:\Users\Admin\AppData\Local\Temp\04ed57967e448c86800cb023d415403d103a5628ee3097d03e8265b67c31bcad.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\net.exe
  net stop nethttpservice
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop nethttpservice
    3⤵
    PID:2728
- C:\Windows\SysWOW64\net.exe
  net stop serviceupdater
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop serviceupdater
    3⤵
    PID:1320
- C:\Windows\SysWOW64\installd.exe
  "C:\Windows\system32\installd.exe" nethfdrv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5028
- C:\Windows\SysWOW64\nethtsrv.exe
  "C:\Windows\system32\nethtsrv.exe" -nfdi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4316
- C:\Windows\SysWOW64\netupdsrv.exe
  "C:\Windows\system32\netupdsrv.exe" -nfdi
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\SysWOW64\net.exe
  net start nethttpservice
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nethttpservice
    3⤵
    PID:896
- C:\Windows\SysWOW64\net.exe
  net start serviceupdater
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start serviceupdater
    3⤵
    PID:3412

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh33D3.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh33D3.tmp\nsExec.dll

Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
eda2418d89c0e55e67ee9806fe9d723e

SHA1
e12d5833025128150d36f230cf751ba63432590b

SHA256
8fa2497b49120b081ee3bfdad89fd5ea4f60c8f621361abfc11fe5f57f40c413

SHA512
e0c70ebc9de8f185559df9ff5f37bc6243c18d3c8f915010f80c07c0021318923d708ebb2e722446acbd54f8fe7f91f46842fd0de77b8ce12066c957346a032e

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
46c429be6083f866de8b9ce5d15273cd

SHA1
f03b0b4925649524e65ddc470d99559315c8de38

SHA256
a1af8fb2817bf888dec0db8ec0812b628e4c4cb7e7f03757283134daf3f6a3bf

SHA512
25a420a785a0b10e71ff3e0b99877d39370f0601ab9f0726b5da4e7b22d95d3da18a0d65de88f4a83177ae7cf37d4af9aae8f19fd7cd3fe457d0b46f5169d86c

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
106KB

MD5
84c7c5a06e1d25ee77b2788b59210d86

SHA1
440c45292469c6eb668ad29b2c23bf225af2efe1

SHA256
3d4ed087119f2ff07a55caf3dbbd0b5dc3016a08b9b23043ce7f48dbe1078015

SHA512
e3ad28d941c99de5215a86af9385bf509a11fb5ed26163040be20c088d663c4b62b6759a286027b0f87c5c5c7db043073514bdc89546f22dfb7b6a537f3f44e3

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
72ff39a4554adbd6d0a2ea593380d603

SHA1
af7047b25cfc657e33e3442fa4690a6b9bd2a6ec

SHA256
ffbb56b5323e479cdd8fe3dcb3cbc96acfcbf4c6939ed95f89f2fed83bbf6bea

SHA512
512da81412fd80c74cd85b42dfecc83ddac72304c6911aba8a1428466b433ec3320d4481f6dd53ef404e9e25dd9e3277c4aaabee0c8523a6cd7b3ed6c2ad3ae7

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
156KB

MD5
822f825ce0495d028bb97a5e66c85dc8

SHA1
7028c35948103894fee1cdc80b82a5fd6fc0bf13

SHA256
58861d39b2ebdc0b081536dc12ec61358304fd9efdfa8d65f80762141cd4c37f

SHA512
ee6cd6a535d261a27fbddd8a78adae9a8824189a9f83987eceacdc3abe1039024bb9bff0d8a746aa220896e1294b9f1b8b251f39c5f2a918c904783f566daf27

Download Submit