23475aee0e4d8abe53c9bd030c836fb9c33347f67a018f22d79eb15ed81ed49a

General

Target

0df17d5cfa13effb717fbec11eee10ee.exe
Size

587KB
MD5

0df17d5cfa13effb717fbec11eee10ee
SHA1

f71e02fcc4b13250876753e480578a28873edfbb
SHA256

23475aee0e4d8abe53c9bd030c836fb9c33347f67a018f22d79eb15ed81ed49a
SHA512

b3d71520a68cd5d607643baf4590b602bc26e79a89ee9cf634a39f4f7f1d753eb6b6345c90b835a39ac92a47cdf31e20d8bb3cd6d591f284b8d62390c615b252
SSDEEP

12288:utma6AJBIfoBtuD59XKlCIRKLVvUg4u0QDG+5ISzQL/VE/l6xxDM7pbC:DzgLutRKlCIRKxcEG+5fQL/VtNMtC

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\npf.sys	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\system32\drivers\npf.sys	C_1746073242b.nls
File opened for modification	C:\Windows\system32\drivers\npf.sys	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4532	C_1746073242b.nls

Loads dropped DLL 8 IoCs

pid	Process
4532	C_1746073242b.nls
4532	C_1746073242b.nls
4532	C_1746073242b.nls
4532	C_1746073242b.nls
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b1.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File created	C:\Windows\SysWOW64\C_1746073242b.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File created	C:\Windows\SysWOW64\npptools.dll	C_1746073242b.nls
File opened for modification	C:\Windows\SysWOW64\C_1746073242b3.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b4.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File created	C:\Windows\SysWOW64\wpcap.dll	C_1746073242b.nls
File created	C:\Windows\SysWOW64\npptools.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b.nls.delme.0	0df17d5cfa13effb717fbec11eee10ee.exe
File created	C:\Windows\SysWOW64\Packet.dll	svchost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b2.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b6.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b8.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b9.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File created	C:\Windows\SysWOW64\C_1746073242b.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b7.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File created	C:\Windows\SysWOW64\Packet.dll	C_1746073242b.nls
File created	C:\Windows\SysWOW64\npptools.dll	0df17d5cfa13effb717fbec11eee10ee.exe
File created	C:\Windows\SysWOW64\wpcap.dll	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b.nls	0df17d5cfa13effb717fbec11eee10ee.exe
File opened for modification	C:\Windows\SysWOW64\C_1746073242b5.nls	0df17d5cfa13effb717fbec11eee10ee.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4532 set thread context of 2364	4532	C_1746073242b.nls	106

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	0df17d5cfa13effb717fbec11eee10ee.exe
Token: SeDebugPrivilege	4532	C_1746073242b.nls
Token: SeDebugPrivilege	2364	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1720	4964	0df17d5cfa13effb717fbec11eee10ee.exe	105
PID 4964 wrote to memory of 1720	4964	0df17d5cfa13effb717fbec11eee10ee.exe	105
PID 4964 wrote to memory of 1720	4964	0df17d5cfa13effb717fbec11eee10ee.exe	105
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106
PID 4532 wrote to memory of 2364	4532	C_1746073242b.nls	106

C:\Users\Admin\AppData\Local\Temp\0df17d5cfa13effb717fbec11eee10ee.exe
"C:\Users\Admin\AppData\Local\Temp\0df17d5cfa13effb717fbec11eee10ee.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240821593.bat
  2⤵
  PID:1720

C:\Windows\SysWOW64\C_1746073242b.nls
C:\Windows\SysWOW64\C_1746073242b.nls -service
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe" -k LocalService
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240821593.bat

Filesize
233B

MD5
5e3b9d7b4960569906d18057028df9e8

SHA1
3d9a6c41dac4d8113b505371bb6986cb4cf11f92

SHA256
b517e67654f4ff4c7b660aaac487a722730c43a401fdfa29629acc4af5b64e3a

SHA512
d234e6b96d542b197be853af309046e09dfc26d3a7f17ea398e0103001bfbc9f6c7e981a97535a9166054e6341c78312dc2968a5373ce14448efa7ef888ad719

Download Submit
C:\Windows\SysWOW64\C_1746073242b.nls

Filesize
587KB

MD5
33684934e807a102381206fa07974801

SHA1
3b7da2722a667161ce46989619b24d3b1423b39d

SHA256
99e8a4e64eb03bf4e1f547e97867d43de81b15e157012cfca96a54108418f0b1

SHA512
100b1686034c1c7157e128ce33388163a9f79de608cabfb7b25eee4c678bd5c8765459a1cb1761e03c1113612a060efa277152b1d0065a1f39697fffd6cc6307

Download Submit
C:\Windows\SysWOW64\C_1746073242b.nls

Filesize
256KB

MD5
31e8fb7826c155ac81b6cdc80f83afa6

SHA1
695c197491ae110980625d2d6c97ab9690e09be5

SHA256
b2f6242a18591e6dbb12453ab49e00170a8d3bb5521fe7eeb47e1b8c1f631b2a

SHA512
71ed0aae26c0543439ebee8506ecc3fda667176811d1735ec9fceb463936fd2dfa52b94741a44a3b5f2fcf89ab61ae8e32b1e59aa2601905f69ed8ca1bb34dd5

Download Submit
C:\Windows\SysWOW64\NPPTools.dll

Filesize
53KB

MD5
8c1f35a036da231fbf6b7636f1101bd1

SHA1
6dc2a3b0c9d741437ec65e3b33a4ed3a02d3329b

SHA256
2c086d74eaa8791b9e58923e663c5627647336ad67c936d979fef1b06f92c95f

SHA512
ef510a1a781204e0e4e3f97715ab41aec0c82e91102f66d9e7c5b4fb74f3a94cdf441baca214c5b90d0fb03b8d22c7b39eafae59d2e309bdbb2bc4553ec1d4ee

Download Submit
C:\Windows\SysWOW64\Packet.dll

Filesize
98KB

MD5
94ec0b68b4f933cbe5b92523adc4ae2c

SHA1
b8efe133d421ccef04fcf13a4aba78999db936e9

SHA256
fa7f1c39218dcd45044f2a54d1744f65edc3f2b0a9024252244f503830b52269

SHA512
e7e8b250f4c0bf7f7809ac1cf4c4152e7ca66d1534568a17c3c97c41d91e575ca67f12f481b151ee3337df7fc39072d6055807b10d04aced92e6385929a705a3

Download Submit
C:\Windows\SysWOW64\WPCAP.DLL

Filesize
274KB

MD5
190fb481d293d85b507d071e75bcb05c

SHA1
d2afb08d0379bd96e423857963791e2ba00c9645

SHA256
0948518b229fb502b9c063966fc3afafbb749241a1c184f6eb7d532e00bce1d8

SHA512
e27e4c0ca604baafcd3d5986f49f8d90596ac1e9c84e5e0a9c3d4219aa644de80771c36ad9bf52aab2f452f463438852fef2366b493927bcf82f8b2dbeca45f3

Download Submit
C:\Windows\system32\drivers\npf.sys

Filesize
34KB

MD5
351533acc2a069b94e80bbfc177e8fdf

SHA1
67c9c64f7642456c86e49a1f600712139a9de1f2

SHA256
54b2749e0496ecc94ce65657627762b485cbc825767baeddad0d2598820ffb9e

SHA512
736686aaf7d046086bfc2aa3bf008668293c1373d80246214bd35be70c584a72445fbb388ae43dbd6f51617072b927acbc1d5db4b76d956973f7b22d7b973178

Download Submit
memory/2364-38-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2364-55-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2364-44-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2364-45-0x0000000001F80000-0x0000000001FDE000-memory.dmp

Filesize
376KB

Download
memory/2364-33-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2364-37-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4532-20-0x0000000001470000-0x0000000001489000-memory.dmp

Filesize
100KB

Download
memory/4532-32-0x0000000077BC2000-0x0000000077C73000-memory.dmp

Filesize
708KB

Download
memory/4532-31-0x000000007F720000-0x000000007F721000-memory.dmp

Filesize
4KB

Download
memory/4532-54-0x0000000077BC2000-0x0000000077C73000-memory.dmp

Filesize
708KB

Download
memory/4532-23-0x0000000002220000-0x000000000227E000-memory.dmp

Filesize
376KB

Download
memory/4964-3-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing