ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 10:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winpcap_inst.exe
Size

893KB
MD5

a11a2f0cfe6d0b4c50945989db6360cd
SHA1

e2516fcd1573e70334c8f50bee5241cdfdf48a00
SHA256

fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de
SHA512

2652d84eb91ca7957b4fb3ff77313e5dae978960492669242df4f246296f1bedaa48c0d33ffb286b2859a1b86ef5460060b551edca597b4ec60ee08676877c70
SSDEEP

24576:UBOldyR6ORWsaM2QROxa6jsqUENfJjNK/CG6niqiL:2KzqWsayROxa6QDENuaG+ifL

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\npf.sys	winpcap_inst.exe

Loads dropped DLL 11 IoCs

pid	Process
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe
3288	winpcap_inst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\wpcap.dll	winpcap_inst.exe
File created	C:\Windows\system32\Packet.dll	winpcap_inst.exe
File created	C:\Windows\SysWOW64\wpcap.dll	winpcap_inst.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	winpcap_inst.exe
File created	C:\Windows\SysWOW64\Packet.dll	winpcap_inst.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinPcap\rpcapd.exe	winpcap_inst.exe
File created	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	winpcap_inst.exe
File created	C:\Program Files (x86)\WinPcap\Uninstall.exe	winpcap_inst.exe
File opened for modification	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	winpcap_inst.exe
File created	C:\Program Files (x86)\WinPcap\install.log	winpcap_inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3672	3288	winpcap_inst.exe	81
PID 3288 wrote to memory of 3672	3288	winpcap_inst.exe	81
PID 3288 wrote to memory of 3672	3288	winpcap_inst.exe	81
PID 3672 wrote to memory of 4908	3672	net.exe	83
PID 3672 wrote to memory of 4908	3672	net.exe	83
PID 3672 wrote to memory of 4908	3672	net.exe	83

C:\Users\Admin\AppData\Local\Temp\winpcap_inst.exe
"C:\Users\Admin\AppData\Local\Temp\winpcap_inst.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\net.exe
  net start npf
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start npf
    3⤵
    PID:4908

Network

DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinPcap\WinPcapInstall.dll

Filesize
91KB

MD5
e78291558cb803dfd091ad8fb56feecc

SHA1
4bde2f87e903fe8d3bd80179c5584cec7a8cbdc4

SHA256
d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d

SHA512
042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\bootOptions.ini

Filesize
362B

MD5
30f8e7705c417263f2a50832eea1b308

SHA1
d9bc77444694f77cac0d2e12ae85b20f96f71d19

SHA256
e3ad9bdc133905fe9370b7ae347dbd98ad6b60265c818543f8c4cb066f47cde4

SHA512
45f908c9064d8e99ea3239e6de7943e5023c15d1dd6823cc344474098b5e457ebc666274c990f83240ed31caff035ec54fd592c27f113e4cbcb99b1c3659d4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\bootOptions.ini

Filesize
371B

MD5
5260df4a7d31ca57369072f0752fe01a

SHA1
3a8d1bd86252d968131434517c5d06beb415e580

SHA256
a88a02b6caf8dbaeb67bd5e70bcf13e3132739bfae430e7ab74d51ce321a4f79

SHA512
33fed6c69257deea91f6efd1d820716b8a1763cfd3992dac4cb4329f576a430f08ac4d6ae21e3ec88543267ec2560b126d12c0606b97ec47bd0d50e67558a480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\ioSpecial.ini

Filesize
556B

MD5
85cc51fe034ce0612103b86de6dce4a8

SHA1
7b876c9073d6c5b95f022cf524fb0318c221f3e8

SHA256
0e292ede21a7a27a8807288a10c2812e01d3015f2e8e2a74d815aa53587b8dd3

SHA512
ffb0bf1b66ecb2c59e747ef8b4b4603de94bbe01d4b6d3103472e503354e05d23b76c7db0c5511b26899065c2b176bd2e39c321714dfc65761719f44ecabb31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\ioSpecial.ini

Filesize
578B

MD5
110a05b3bc7db8170f81809c4a5f71a7

SHA1
604b8c848a5a4fc4f2f4ddd69d95829c4fed5f4d

SHA256
6cc48fb586585bfdd134f0caa7b67b45b008e95b3d05294534f6b71c77938746

SHA512
69d519aca1e5c084e84f050fabd592b875ad089d1b35faea19fcb2ffe5c7dc48ae856c24aa265494136bc35ca91c37c2915e106c642f16a06a0bebd7e4d0981d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E0F.tmp\ioSpecial.ini

Filesize
556B

MD5
6871ad5e3e87d6ac37a6bac303e98ddd

SHA1
c67c4377c5adb07d559b9dac30d8ffa122a06fc7

SHA256
2a13275d078b743f8ec784e73a3f5726ef118797d0ddb7b0fe523f32777b8d3f

SHA512
b1e6601e8bef7a777a3d2298e3dc5ad0f26a7abdfaa36cdaa0e06303a17ff2c318407a26b38b7fcdbc7607caa98be5350b86060728ce6a34838cfba76c37b3bd

Download Submit
memory/3288-141-0x00000000006A0000-0x00000000006B6000-memory.dmp

Filesize
88KB

Download