Overview
overview
4Static
static
3google_set...9_.exe
windows7-x64
4google_set...9_.exe
windows10-2004-x64
4$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$TEMP/npcap_inst.exe
windows7-x64
4$TEMP/npcap_inst.exe
windows10-2004-x64
4$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...SC.dll
windows7-x64
3$PLUGINSDI...SC.dll
windows10-2004-x64
3$PLUGINSDI...re.dll
windows7-x64
3$PLUGINSDI...re.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3DiagReport.bat
windows7-x64
1DiagReport.bat
windows10-2004-x64
1DiagReport.ps1
windows7-x64
1DiagReport.ps1
windows10-2004-x64
1FixInstall.bat
windows7-x64
1FixInstall.bat
windows10-2004-x64
1NpcapHelper.exe
windows7-x64
1NpcapHelper.exe
windows10-2004-x64
1Packet.dll
windows7-x64
3Packet.dll
windows10-2004-x64
3WlanHelper.exe
windows7-x64
1WlanHelper.exe
windows10-2004-x64
1npcap.sys
windows10-2004-x64
1wpcap.dll
windows7-x64
3Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
27/04/2024, 14:16
Static task
static1
Behavioral task
behavioral1
Sample
google_setup_S2105150849_.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral2
Sample
google_setup_S2105150849_.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$TEMP/npcap_inst.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$TEMP/npcap_inst.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/SimpleSC.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/SimpleSC.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/SysRestore.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/SysRestore.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
DiagReport.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
DiagReport.bat
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
DiagReport.ps1
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral22
Sample
DiagReport.ps1
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
FixInstall.bat
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral24
Sample
FixInstall.bat
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
NpcapHelper.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
NpcapHelper.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Packet.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral28
Sample
Packet.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
WlanHelper.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
WlanHelper.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
npcap.sys
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
wpcap.dll
Resource
win7-20240221-en
windows7-x64
General
-
Target
FixInstall.bat
-
Size
2KB
-
MD5
6995c16f3fc3f788fd9e3e9c801f9758
-
SHA1
2eec9a249b77abee855de6e771ce69fa64b053ce
-
SHA256
0eef66a27fec8d6f74f1037dabdca0094c5c877606d33185fb560f26ecb08af1
-
SHA512
2e0f6730e5a28839fc664f397e6d56db48ba1fe8ce59dca8ccc506f2c2b0ce83e548097c84d3dc2a569ee36c32ff8eceb4668394d39d07a387fdbb998d3062cc
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2900 2868 cmd.exe 29 PID 2868 wrote to memory of 2900 2868 cmd.exe 29 PID 2868 wrote to memory of 2900 2868 cmd.exe 29 PID 2900 wrote to memory of 2988 2900 cmd.exe 30 PID 2900 wrote to memory of 2988 2900 cmd.exe 30 PID 2900 wrote to memory of 2988 2900 cmd.exe 30 PID 2900 wrote to memory of 2552 2900 cmd.exe 31 PID 2900 wrote to memory of 2552 2900 cmd.exe 31 PID 2900 wrote to memory of 2552 2900 cmd.exe 31 PID 2868 wrote to memory of 2924 2868 cmd.exe 32 PID 2868 wrote to memory of 2924 2868 cmd.exe 32 PID 2868 wrote to memory of 2924 2868 cmd.exe 32 PID 2924 wrote to memory of 2056 2924 cmd.exe 33 PID 2924 wrote to memory of 2056 2924 cmd.exe 33 PID 2924 wrote to memory of 2056 2924 cmd.exe 33 PID 2924 wrote to memory of 2568 2924 cmd.exe 34 PID 2924 wrote to memory of 2568 2924 cmd.exe 34 PID 2924 wrote to memory of 2568 2924 cmd.exe 34 PID 2868 wrote to memory of 2616 2868 cmd.exe 35 PID 2868 wrote to memory of 2616 2868 cmd.exe 35 PID 2868 wrote to memory of 2616 2868 cmd.exe 35 PID 2616 wrote to memory of 2620 2616 cmd.exe 36 PID 2616 wrote to memory of 2620 2616 cmd.exe 36 PID 2616 wrote to memory of 2620 2616 cmd.exe 36 PID 2616 wrote to memory of 2640 2616 cmd.exe 37 PID 2616 wrote to memory of 2640 2616 cmd.exe 37 PID 2616 wrote to memory of 2640 2616 cmd.exe 37 PID 2868 wrote to memory of 2636 2868 cmd.exe 38 PID 2868 wrote to memory of 2636 2868 cmd.exe 38 PID 2868 wrote to memory of 2636 2868 cmd.exe 38 PID 2636 wrote to memory of 2772 2636 cmd.exe 39 PID 2636 wrote to memory of 2772 2636 cmd.exe 39 PID 2636 wrote to memory of 2772 2636 cmd.exe 39 PID 2636 wrote to memory of 2760 2636 cmd.exe 40 PID 2636 wrote to memory of 2760 2636 cmd.exe 40 PID 2636 wrote to memory of 2760 2636 cmd.exe 40
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\FixInstall.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters" /v "Dot11Support" 2>nul | find "Dot11Support"2⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters" /v "Dot11Support"3⤵PID:2988
-
-
C:\Windows\system32\find.exefind "Dot11Support"3⤵PID:2552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters" /v "LoopbackAdapter" 2>nul | find "LoopbackAdapter"2⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters" /v "LoopbackAdapter"3⤵PID:2056
-
-
C:\Windows\system32\find.exefind "LoopbackAdapter"3⤵PID:2568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ"2⤵
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\system32\reg.exereg query "HKLM\Software\WOW6432Node\Npcap" /ve3⤵PID:2620
-
-
C:\Windows\system32\find.exefind "REG_SZ"3⤵PID:2640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\Npcap" /ve 2>nul | find "REG_SZ"2⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\system32\reg.exereg query "HKLM\Software\Npcap" /ve3⤵PID:2772
-
-
C:\Windows\system32\find.exefind "REG_SZ"3⤵PID:2760
-
-