Analysis
-
max time kernel
39s -
max time network
56s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-05-2021 17:07
Static task
static1
Behavioral task
behavioral1
Sample
WinPcap_4_1_3.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
WinPcap_4_1_3.exe
Resource
win10v20210408
General
-
Target
WinPcap_4_1_3.exe
-
Size
893KB
-
MD5
a11a2f0cfe6d0b4c50945989db6360cd
-
SHA1
e2516fcd1573e70334c8f50bee5241cdfdf48a00
-
SHA256
fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de
-
SHA512
2652d84eb91ca7957b4fb3ff77313e5dae978960492669242df4f246296f1bedaa48c0d33ffb286b2859a1b86ef5460060b551edca597b4ec60ee08676877c70
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
WinPcap_4_1_3.exedescription ioc process File created C:\Windows\system32\drivers\npf.sys WinPcap_4_1_3.exe -
Loads dropped DLL 11 IoCs
Processes:
WinPcap_4_1_3.exepid process 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe 4044 WinPcap_4_1_3.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
Processes:
WinPcap_4_1_3.exedescription ioc process File created C:\Windows\SysWOW64\wpcap.dll WinPcap_4_1_3.exe File created C:\Windows\SysWOW64\pthreadVC.dll WinPcap_4_1_3.exe File created C:\Windows\SysWOW64\Packet.dll WinPcap_4_1_3.exe File created C:\Windows\system32\wpcap.dll WinPcap_4_1_3.exe File created C:\Windows\system32\Packet.dll WinPcap_4_1_3.exe -
Drops file in Program Files directory 5 IoCs
Processes:
WinPcap_4_1_3.exedescription ioc process File created C:\Program Files (x86)\WinPcap\install.log WinPcap_4_1_3.exe File created C:\Program Files (x86)\WinPcap\rpcapd.exe WinPcap_4_1_3.exe File created C:\Program Files (x86)\WinPcap\WinPcapInstall.dll WinPcap_4_1_3.exe File created C:\Program Files (x86)\WinPcap\Uninstall.exe WinPcap_4_1_3.exe File opened for modification C:\Program Files (x86)\WinPcap\WinPcapInstall.dll WinPcap_4_1_3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 628 -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WinPcap_4_1_3.exenet.exedescription pid process target process PID 4044 wrote to memory of 212 4044 WinPcap_4_1_3.exe net.exe PID 4044 wrote to memory of 212 4044 WinPcap_4_1_3.exe net.exe PID 4044 wrote to memory of 212 4044 WinPcap_4_1_3.exe net.exe PID 212 wrote to memory of 1116 212 net.exe net1.exe PID 212 wrote to memory of 1116 212 net.exe net1.exe PID 212 wrote to memory of 1116 212 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinPcap_4_1_3.exe"C:\Users\Admin\AppData\Local\Temp\WinPcap_4_1_3.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\net.exenet start npf2⤵
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf3⤵PID:1116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
e78291558cb803dfd091ad8fb56feecc
SHA14bde2f87e903fe8d3bd80179c5584cec7a8cbdc4
SHA256d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d
SHA512042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f
-
MD5
e78291558cb803dfd091ad8fb56feecc
SHA14bde2f87e903fe8d3bd80179c5584cec7a8cbdc4
SHA256d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d
SHA512042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f
-
MD5
e78291558cb803dfd091ad8fb56feecc
SHA14bde2f87e903fe8d3bd80179c5584cec7a8cbdc4
SHA256d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d
SHA512042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f
-
MD5
e78291558cb803dfd091ad8fb56feecc
SHA14bde2f87e903fe8d3bd80179c5584cec7a8cbdc4
SHA256d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d
SHA512042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f
-
MD5
a7cd6206240484c8436c66afb12bdfbf
SHA10bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919
SHA25669ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926
SHA512b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904
-
MD5
a7cd6206240484c8436c66afb12bdfbf
SHA10bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919
SHA25669ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926
SHA512b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904
-
MD5
325b008aec81e5aaa57096f05d4212b5
SHA127a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA51218362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
-
MD5
c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
MD5
c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
MD5
7579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
MD5
7579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b