Overview (report sidebar: task, platform, score)

Task                   Platform            Score
Overview               -                   4
Static                 -                   3
google_set...9_.exe    windows7-x64        4
google_set...9_.exe    windows10-2004-x64  4
$PLUGINSDI...em.dll    windows7-x64        3
$PLUGINSDI...em.dll    windows10-2004-x64  3
$PLUGINSDI...gs.dll    windows7-x64        3
$PLUGINSDI...gs.dll    windows10-2004-x64  3
$TEMP/npcap_inst.exe   windows7-x64        4
$TEMP/npcap_inst.exe   windows10-2004-x64  4
$PLUGINSDI...ns.dll    windows7-x64        3
$PLUGINSDI...ns.dll    windows10-2004-x64  3
$PLUGINSDI...SC.dll    windows7-x64        3
$PLUGINSDI...SC.dll    windows10-2004-x64  3
$PLUGINSDI...re.dll    windows7-x64        3
$PLUGINSDI...re.dll    windows10-2004-x64  3
$PLUGINSDI...em.dll    windows7-x64        3
$PLUGINSDI...em.dll    windows10-2004-x64  3
$PLUGINSDI...ec.dll    windows7-x64        3
$PLUGINSDI...ec.dll    windows10-2004-x64  3
DiagReport.bat         windows7-x64        1
DiagReport.bat         windows10-2004-x64  1
DiagReport.ps1         windows7-x64        1
DiagReport.ps1         windows10-2004-x64  1
FixInstall.bat         windows7-x64        1
FixInstall.bat         windows10-2004-x64  1
NpcapHelper.exe        windows7-x64        1
NpcapHelper.exe        windows10-2004-x64  1
Packet.dll             windows7-x64        3
Packet.dll             windows10-2004-x64  3
WlanHelper.exe         windows7-x64        1
WlanHelper.exe         windows10-2004-x64  1
npcap.sys              windows10-2004-x64  1
wpcap.dll              windows7-x64        3

Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/04/2024, 14:16
Tasks

Task          Sample                          Resource
static1       -                               -
behavioral1   google_setup_S2105150849_.exe   win7-20240419-en
behavioral2   google_setup_S2105150849_.exe   win10v2004-20240419-en
behavioral3   $PLUGINSDIR/System.dll          win7-20240220-en
behavioral4   $PLUGINSDIR/System.dll          win10v2004-20240419-en
behavioral5   $PLUGINSDIR/nsDialogs.dll       win7-20231129-en
behavioral6   $PLUGINSDIR/nsDialogs.dll       win10v2004-20240419-en
behavioral7   $TEMP/npcap_inst.exe            win7-20240221-en
behavioral8   $TEMP/npcap_inst.exe            win10v2004-20240426-en
behavioral9   $PLUGINSDIR/InstallOptions.dll  win7-20240221-en
behavioral10  $PLUGINSDIR/InstallOptions.dll  win10v2004-20240419-en
behavioral11  $PLUGINSDIR/SimpleSC.dll        win7-20240221-en
behavioral12  $PLUGINSDIR/SimpleSC.dll        win10v2004-20240419-en
behavioral13  $PLUGINSDIR/SysRestore.dll      win7-20240221-en
behavioral14  $PLUGINSDIR/SysRestore.dll      win10v2004-20240226-en
behavioral15  $PLUGINSDIR/System.dll          win7-20240419-en
behavioral16  $PLUGINSDIR/System.dll          win10v2004-20240419-en
behavioral17  $PLUGINSDIR/nsExec.dll          win7-20240215-en
behavioral18  $PLUGINSDIR/nsExec.dll          win10v2004-20240426-en
behavioral19  DiagReport.bat                  win7-20240221-en
behavioral20  DiagReport.bat                  win10v2004-20240419-en
behavioral21  DiagReport.ps1                  win7-20240220-en
behavioral22  DiagReport.ps1                  win10v2004-20240419-en
behavioral23  FixInstall.bat                  win7-20240215-en
behavioral24  FixInstall.bat                  win10v2004-20240419-en
behavioral25  NpcapHelper.exe                 win7-20240221-en
behavioral26  NpcapHelper.exe                 win10v2004-20240419-en
behavioral27  Packet.dll                      win7-20240419-en
behavioral28  Packet.dll                      win10v2004-20240226-en
behavioral29  WlanHelper.exe                  win7-20240220-en
behavioral30  WlanHelper.exe                  win10v2004-20240419-en
behavioral31  npcap.sys                       win10v2004-20240426-en
behavioral32  wpcap.dll                       win7-20240221-en
General

Target: DiagReport.bat
Size: 1KB
MD5: b82606a6afb3777d62e35e8d9850faed
SHA1: 13b5cd6ce43346eacc6d8334a251b429ca8d30f7
SHA256: 0843361f05255e3970ed955171c20003238756c57137fef9ac19d29fbd49f9f6
SHA512: e2852b1862d9a3aaa52367ca885951e63bf519159cb5358131792c7dcfe5b3acd8f9282279af0323804f246f853ed7627c370d2ec541452995c9177bd115e9c6
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (9 IoCs)

PID   Process         Hits
2964  powershell.exe  1
2096  powershell.exe  2
2740  powershell.exe  3
2436  powershell.exe  1
2424  powershell.exe  2

Suspicious use of AdjustPrivilegeToken (27 IoCs)

Token             PID   Process         Hits
SeDebugPrivilege  1068  whoami.exe      22
SeDebugPrivilege  2964  powershell.exe  1
SeDebugPrivilege  2096  powershell.exe  1
SeDebugPrivilege  2740  powershell.exe  1
SeDebugPrivilege  2436  powershell.exe  1
SeDebugPrivilege  2424  powershell.exe  1

Suspicious use of WriteProcessMemory (24 IoCs)

Source PID  Source process  Target PID  procid_target  Hits
1636        cmd.exe         1068        29             3
1636        cmd.exe         2144        30             3
1636        cmd.exe         2960        31             3
2960        cmd.exe         2964        32             3
1636        cmd.exe         2096        33             3
1636        cmd.exe         2740        34             3
2740        powershell.exe  2436        35             3
1636        cmd.exe         2424        37             3
Processes (parent/child tree; indentation follows the report's nesting)

C:\Windows\system32\cmd.exe (PID 1636)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\DiagReport.bat"
    Suspicious use of WriteProcessMemory

    C:\Windows\system32\whoami.exe (PID 1068)
        whoami /Groups
        Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\find.exe (PID 2144)
        find "S-1-16-12288"

    C:\Windows\system32\cmd.exe (PID 2960)
        C:\Windows\system32\cmd.exe /c powershell Get-ExecutionPolicy
        Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2964)
            powershell Get-ExecutionPolicy
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2096)
        powershell Set-ExecutionPolicy 0
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2740)
        powershell -noprofile -command "&{start-process powershell -ArgumentList '-noprofile -file \"C:\Users\Admin\AppData\Local\Temp\DiagReport.ps1\"' -verb RunAs}"
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2436)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -file "C:\Users\Admin\AppData\Local\Temp\DiagReport.ps1"
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2424)
        powershell Set-ExecutionPolicy Restricted
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken

Reading the tree: cmd.exe (1636) runs whoami /Groups and find "S-1-16-12288" as siblings, consistent with a whoami | find pipeline that tests for the High Mandatory Level SID, i.e. whether the batch already runs elevated. It then reads the current PowerShell execution policy (Get-ExecutionPolicy), sets it to 0 (the Microsoft.PowerShell.ExecutionPolicy value for Unrestricted), launches DiagReport.ps1 through Start-Process -Verb RunAs (a UAC elevation request), and finally sets the policy to Restricted. The signatures the report attaches to each of these processes are the token adjustments, process enumeration and parent-to-child memory writes listed under Signatures.
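A small detector for the pattern in the tree above, written as an added example (Python, not code from the report or from Npcap). EVENTS is the report's process list transcribed as constructed input, with parent links taken from the nesting the report shows; the rule names, the tolerance for -Scope/-Force arguments and for quoted or numeric policy values, and the relaxed_window helper (which processes ran between the relax and the restore) are my additions. The High Mandatory Level SID and the ExecutionPolicy enum values are Windows/PowerShell constants, not taken from the report.

```python
"""Flag PowerShell execution-policy tampering in a sandbox process tree.
Added example, not part of the Triage report or of Npcap; EVENTS is transcribed
from the report's Processes section, parent links from the nesting shown there."""
import re

# Microsoft.PowerShell.ExecutionPolicy enum values; Set-ExecutionPolicy accepts
# either form, so the report's "Set-ExecutionPolicy 0" means Unrestricted.
POLICY_NAMES = {"0": "Unrestricted", "1": "RemoteSigned", "2": "AllSigned",
                "3": "Restricted", "4": "Bypass", "5": "Undefined"}
LAX_POLICIES = {"Unrestricted", "Bypass"}
HIGH_INTEGRITY_SID = "S-1-16-12288"  # well-known High Mandatory Level SID

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed from the report: (pid, parent pid, image, command line); ppid 0 = root.
EVENTS = [
    (1636, 0, r"C:\Windows\system32\cmd.exe",
     r'cmd /c "C:\Users\Admin\AppData\Local\Temp\DiagReport.bat"'),
    (1068, 1636, r"C:\Windows\system32\whoami.exe", "whoami /Groups"),
    (2144, 1636, r"C:\Windows\system32\find.exe", 'find "S-1-16-12288"'),
    (2960, 1636, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c powershell Get-ExecutionPolicy"),
    (2964, 2960, PS, "powershell Get-ExecutionPolicy"),
    (2096, 1636, PS, "powershell Set-ExecutionPolicy 0"),
    (2740, 1636, PS, r'''powershell -noprofile -command "&{start-process powershell -ArgumentList '-noprofile -file \"C:\Users\Admin\AppData\Local\Temp\DiagReport.ps1\"' -verb RunAs}"'''),
    (2436, 2740, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -file "C:\Users\Admin\AppData\Local\Temp\DiagReport.ps1"'),
    (2424, 1636, PS, "powershell Set-ExecutionPolicy Restricted"),
]


def build_tree(events):
    """Index records by PID: {pid: (pid, ppid, image, cmdline)}."""
    return {rec[0]: rec for rec in events}


def ancestry(by_pid, pid):
    """PIDs from `pid` up to the root, e.g. [2436, 2740, 1636]."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid][1]
    return chain


def normalize_policy(token):
    """Canonical policy name for a name (any case) or enum number, else None."""
    token = token.strip("'\"")
    if token in POLICY_NAMES:
        return POLICY_NAMES[token]
    return next((n for n in POLICY_NAMES.values() if n.lower() == token.lower()), None)


def set_policy_target(cmdline):
    """Policy set by a Set-ExecutionPolicy call; skips -Scope/-Force and the like."""
    m = re.search(r"set-executionpolicy\b(.*)", cmdline, re.I)
    if not m:
        return None
    return next((p for p in map(normalize_policy, m.group(1).split()) if p), None)


def analyze(events):
    """One finding per suspicious record, each with its ancestor PID chain."""
    by_pid = build_tree(events)
    findings = []

    def add(pid, rule, detail):
        findings.append({"pid": pid, "rule": rule, "detail": detail,
                         "chain": ancestry(by_pid, pid)})

    for pid, _ppid, _image, cmd in events:
        if HIGH_INTEGRITY_SID in cmd:  # "am I already elevated?" test
            add(pid, "integrity-level-check", HIGH_INTEGRITY_SID)
        policy = set_policy_target(cmd)
        if policy in LAX_POLICIES:
            add(pid, "execution-policy-relaxed", policy)
        elif policy:
            add(pid, "execution-policy-restored", policy)
        if re.search(r"start-process.*-verb\s+runas", cmd, re.I):
            add(pid, "self-elevation-runas", "RunAs")
    return findings


def relaxed_window(events, findings):
    """PIDs started between the relax and the restore (record order) that
    descend from the relaxing process's parent, i.e. what ran unrestricted."""
    relaxed = next((f for f in findings if f["rule"] == "execution-policy-relaxed"), None)
    restored = next((f for f in findings if f["rule"] == "execution-policy-restored"), None)
    if not relaxed:
        return []
    by_pid = build_tree(events)
    parent = by_pid[relaxed["pid"]][1]
    order = [rec[0] for rec in events]
    start = order.index(relaxed["pid"]) + 1
    end = order.index(restored["pid"]) if restored else len(order)
    return [p for p in order[start:end] if parent in ancestry(by_pid, p)]


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f"PID {f['pid']}  {f['rule']:<26} {f['detail']}  chain={f['chain']}")
    print("ran while policy relaxed:", relaxed_window(EVENTS, found))
```

Run directly, it prints four findings (the SID check by 2144, the relax by 2096, the RunAs launch by 2740, the restore by 2424) and reports 2740 and its child 2436 as the processes that executed while the policy was Unrestricted. On a Sysmon or EDR feed the same logic applies to process-creation events once the parent PID is mapped to the ppid field; correlating the relax and restore through their common parent is what separates a scripted policy toggle from an administrator typing the two commands hours apart.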
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 0fa226ea319801f2be125b0e071d4180
SHA1: 32c47aecba15574d7904b6f7d8ca58175faae35b
SHA256: 2c59caca18e8dd50d52780eb76505e818a2d913ea41db08e31794f3eb3f9b21a
SHA512: 5773ea730fca8b0b044cb7e84f516404ada5fa5f42406b22c47c1f97dfb520ba0e01669de494439ab642ab8df755cd601c6d9f0ddd9495d23d407d54f90bd266