a1e9d2a0a36f1cb5b3fd09a3e07335f9987549fca015428369043031e2cc67cc

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A Installer/npcap-1.79.exe
Size

1.1MB
MD5

a4d7e47df742f62080bf845d606045b4
SHA1

723743dc9fa4a190452a7ffc971adfaac91606fa
SHA256

a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53
SHA512

8582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee
SSDEEP

24576:q7INqm36s9R26Vhund3idw1/fayC9nHgeFhPuKX+dXlVp0WgB4:v13TR2ChAdLpfaVgUuZXlVpk4

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

872 powershell.exe
2672 powershell.exe
2412 powershell.exe
1200 powershell.exe

pid	process
872	powershell.exe
2672	powershell.exe
2412	powershell.exe
1200	powershell.exe

Manipulates Digital Signatures 1 TTPs 5 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe

Drops file in System32 directory 25 IoCs

Processes:

DrvInst.exenpcap-1.79.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\npcap.cat	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\SET20F8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\SET20F9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\npcap.sys	DrvInst.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\SET20F8.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\SET20F9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\SET20FA.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.79.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\SET20FA.tmp	DrvInst.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.79.exe

Drops file in Program Files directory 15 IoCs

Processes:

npcap-1.79.exeNPFInstall.exeNPFInstall.exeNPFInstall.exeNPFInstall.exe

description	ioc	process
File created	C:\Program Files\Npcap\DiagReport.ps1	npcap-1.79.exe
File created	C:\Program Files\Npcap\DiagReport.bat	npcap-1.79.exe
File created	C:\Program Files\Npcap\Uninstall.exe	npcap-1.79.exe
File created	C:\Program Files\Npcap\NPFInstall.exe	npcap-1.79.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File opened for modification	C:\Program Files\Npcap\install.log	npcap-1.79.exe
File created	C:\Program Files\Npcap\LICENSE	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap.sys	npcap-1.79.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\FixInstall.bat	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap.cat	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap.inf	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap_wfp.inf	npcap-1.79.exe

Drops file in Windows directory 5 IoCs

Processes:

pnputil.exeNPFInstall.exeNPFInstall.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\INF\oem0.PNF	pnputil.exe
File created	C:\Windows\INF\oem1.PNF	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 4 IoCs

Processes:

NPFInstall.exeNPFInstall.exeNPFInstall.exeNPFInstall.exe

pid process

2364 NPFInstall.exe
1712 NPFInstall.exe
1000 NPFInstall.exe
536 NPFInstall.exe

pid	process
2364	NPFInstall.exe
1712	NPFInstall.exe
1000	NPFInstall.exe
536	NPFInstall.exe

Loads dropped DLL 24 IoCs

Processes:

npcap-1.79.exe

pid	process
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
2384
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1260	npcap-1.79.exe
1364
1260	npcap-1.79.exe
2976
1260	npcap-1.79.exe
772

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

NPFInstall.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2364 NPFInstall.exe
1200 powershell.exe
872 powershell.exe
2672 powershell.exe
2412 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

npcap-1.79.exe

pid process

1260 npcap-1.79.exe

pid	process
2364	NPFInstall.exe
1200	powershell.exe
872	powershell.exe
2672	powershell.exe
2412	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeNPFInstall.exepowershell.exepowershell.exepowershell.exepowershell.exepnputil.exeNPFInstall.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2532	WMIC.exe
Token: SeSecurityPrivilege	2532	WMIC.exe
Token: SeTakeOwnershipPrivilege	2532	WMIC.exe
Token: SeLoadDriverPrivilege	2532	WMIC.exe
Token: SeSystemProfilePrivilege	2532	WMIC.exe
Token: SeSystemtimePrivilege	2532	WMIC.exe
Token: SeProfSingleProcessPrivilege	2532	WMIC.exe
Token: SeIncBasePriorityPrivilege	2532	WMIC.exe
Token: SeCreatePagefilePrivilege	2532	WMIC.exe
Token: SeBackupPrivilege	2532	WMIC.exe
Token: SeRestorePrivilege	2532	WMIC.exe
Token: SeShutdownPrivilege	2532	WMIC.exe
Token: SeDebugPrivilege	2532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2532	WMIC.exe
Token: SeRemoteShutdownPrivilege	2532	WMIC.exe
Token: SeUndockPrivilege	2532	WMIC.exe
Token: SeManageVolumePrivilege	2532	WMIC.exe
Token: 33	2532	WMIC.exe
Token: 34	2532	WMIC.exe
Token: 35	2532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2532	WMIC.exe
Token: SeSecurityPrivilege	2532	WMIC.exe
Token: SeTakeOwnershipPrivilege	2532	WMIC.exe
Token: SeLoadDriverPrivilege	2532	WMIC.exe
Token: SeSystemProfilePrivilege	2532	WMIC.exe
Token: SeSystemtimePrivilege	2532	WMIC.exe
Token: SeProfSingleProcessPrivilege	2532	WMIC.exe
Token: SeIncBasePriorityPrivilege	2532	WMIC.exe
Token: SeCreatePagefilePrivilege	2532	WMIC.exe
Token: SeBackupPrivilege	2532	WMIC.exe
Token: SeRestorePrivilege	2532	WMIC.exe
Token: SeShutdownPrivilege	2532	WMIC.exe
Token: SeDebugPrivilege	2532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2532	WMIC.exe
Token: SeRemoteShutdownPrivilege	2532	WMIC.exe
Token: SeUndockPrivilege	2532	WMIC.exe
Token: SeManageVolumePrivilege	2532	WMIC.exe
Token: 33	2532	WMIC.exe
Token: 34	2532	WMIC.exe
Token: 35	2532	WMIC.exe
Token: SeDebugPrivilege	2364	NPFInstall.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	2708	pnputil.exe
Token: SeRestorePrivilege	1000	NPFInstall.exe
Token: SeRestorePrivilege	1000	NPFInstall.exe
Token: SeRestorePrivilege	1000	NPFInstall.exe
Token: SeRestorePrivilege	1000	NPFInstall.exe
Token: SeRestorePrivilege	1000	NPFInstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

npcap-1.79.execmd.exeNPFInstall.exe

description	pid	process	target process
PID 1260 wrote to memory of 2552	1260	npcap-1.79.exe	cmd.exe
PID 1260 wrote to memory of 2552	1260	npcap-1.79.exe	cmd.exe
PID 1260 wrote to memory of 2552	1260	npcap-1.79.exe	cmd.exe
PID 1260 wrote to memory of 2552	1260	npcap-1.79.exe	cmd.exe
PID 2552 wrote to memory of 2532	2552	cmd.exe	WMIC.exe
PID 2552 wrote to memory of 2532	2552	cmd.exe	WMIC.exe
PID 2552 wrote to memory of 2532	2552	cmd.exe	WMIC.exe
PID 2552 wrote to memory of 2532	2552	cmd.exe	WMIC.exe
PID 2552 wrote to memory of 2208	2552	cmd.exe	findstr.exe
PID 2552 wrote to memory of 2208	2552	cmd.exe	findstr.exe
PID 2552 wrote to memory of 2208	2552	cmd.exe	findstr.exe
PID 2552 wrote to memory of 2208	2552	cmd.exe	findstr.exe
PID 1260 wrote to memory of 2364	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 2364	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 2364	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 2364	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 1200	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 1200	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 1200	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 1200	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 872	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 872	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 872	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 872	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 1456	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 1456	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 1456	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 1456	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2608	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2608	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2608	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2608	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2672	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2672	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2672	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2672	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2412	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2412	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2412	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2412	1260	npcap-1.79.exe	powershell.exe
PID 1260 wrote to memory of 2964	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2964	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2964	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2964	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2696	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2696	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2696	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2696	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2628	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2628	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2628	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 2628	1260	npcap-1.79.exe	certutil.exe
PID 1260 wrote to memory of 1712	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 1712	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 1712	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 1712	1260	npcap-1.79.exe	NPFInstall.exe
PID 1712 wrote to memory of 2708	1712	NPFInstall.exe	pnputil.exe
PID 1712 wrote to memory of 2708	1712	NPFInstall.exe	pnputil.exe
PID 1712 wrote to memory of 2708	1712	NPFInstall.exe	pnputil.exe
PID 1260 wrote to memory of 1000	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 1000	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 1000	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 1000	1260	npcap-1.79.exe	NPFInstall.exe
PID 1260 wrote to memory of 536	1260	npcap-1.79.exe	NPFInstall.exe

C:\Users\Admin\AppData\Local\Temp\A Installer\npcap-1.79.exe
"C:\Users\Admin\AppData\Local\Temp\A Installer\npcap-1.79.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe qfe get hotfixid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\findstr.exe
C:\Windows\System32\findstr.exe "^KB4474419"
3⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\NPFInstall.exe
"C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\NPFInstall.exe" -n -check_dll
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\certutil.exe
certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
2⤵
PID:1456

C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
2⤵
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\certutil.exe
certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
2⤵
PID:2964

C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
2⤵
PID:2696

C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\signing.p7b"
2⤵
- Manipulates Digital Signatures
PID:2628

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -c
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\pnputil.exe
pnputil.exe -e
3⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -iw
2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -i
2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
PID:536

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{76005bbe-bf28-0d6b-2bdb-412a9fdffb64}\NPCAP.inf" "9" "605306be3" "00000000000005A0" "WinSta0\Default" "0000000000000534" "208" "C:\Program Files\Npcap"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1692

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{422c7907-c42c-137d-5a2f-77280b494a24} Global\{6852a80b-ad1b-5a5f-7908-78182eaa4e69} C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\NPCAP.inf C:\Windows\System32\DriverStore\Temp\{2b6948f9-c23d-67a2-5e76-6c5700be3142}\npcap.cat
2⤵
PID:2540

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.sys
Filesize
66KB

MD5
65aa128151daf6a5a21906107a2d85be

SHA1
7d211c1505079aa71be7df271f8d19a5a96aca94

SHA256
df2da73f0907a8af4cc9501e617ff390c49af58faaf9682cf8fe574c52851d8b

SHA512
a031307cb6bc95d9c15d8321499eb0be88ccbd3440f3f7ee6664f4e7a0afadc1af6b7287019a9aceae1a95d656db9ac0df67cb3526f706f49144d05da07500a5

Download Submit
C:\Program Files\Npcap\NPCAP.inf
Filesize
8KB

MD5
a5fbc6cc7ae6e924ec4a327e0e012359

SHA1
918604a7cf830f8f18801503e02582033cafdca8

SHA256
1c4c9e51c26478fa8b9ae02ea0a240cde8826bcfea1c37b9fb60e5ef5e7e4f65

SHA512
fa47357cddb0bf2cbb27eb6ce43beda02abc43a3c0351bbd440dbb8272811d79f8a4218599e235cbe3cf4caebc0c586a963e0f7f8d8f6424b27944a782e214b3

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf
Filesize
2KB

MD5
ed98682f57f41b83b8c8e2a5152222c7

SHA1
67efe8d8a103ea6298d69106a072e2c0e7c9c6c2

SHA256
5145a40ddeaa77c88e743685717faa5a57f5dc2ef624e483690d0259ea76fbce

SHA512
fbb764398cc6cf4a01fddd3419d524973742571f20bd4883c4baa0ca5a72d13c22ef521f3d89b2af355865fc9d85af48edb62de8a08589ccbd1f945876433819

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
393B

MD5
99cb0e9034fda37f3b4f675bac1232cf

SHA1
536cc921902157b6a183f5d17a552b62b39cb224

SHA256
7d4b98d3aa69b0ed0e64f496c8baec916eee25546446ba9479ff697ab91271ab

SHA512
bdf42801c56da805fa8b11d1de801f75da1b117b4369b47be94a9c101374746d0201b97a6564cdf5d0b5035c7ecd699cebaf3792b2dc020957b8c75024293949

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
876B

MD5
d183311aeb2c6d699e05ee3cea507a9d

SHA1
fa3310e26f845d99a0af1d8d14734a2cda8d8564

SHA256
d77c0da29874452fd432b801b68da9823c133e1f0299e4742651f8a46c8561af

SHA512
6bdadc17be24d4fc42416e599c8b5ac4cb0a162f3a792ddeec688ccf6930a2d6dd850b181c0a62b331313be98e230150a1a7a8c78ba269cab01e19258341c7bd

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
2KB

MD5
02a5bcac122f5d6acf60025292e3a3ee

SHA1
927db46a0dc97551454c2e30f00262b4cb4dba7f

SHA256
f5781b66e3b9787a642fc9841aa20fd4f0c48014d652067660b55d469d81df7a

SHA512
9d9b39b8782461a08c4068e3b20a5a4ea505c8b252e515ef6702114342e2fc17a3f288b5bdf95096343c4d05e13642a7af6415ef4fc9554464ccdc4c037235d0

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
2KB

MD5
421ef7ddf3d8d4fbe9fd34a21450de9b

SHA1
e78c98c050675d4b6d94de39ba5ce6d38d7eab5d

SHA256
a6fd12507b1d2a57984105a2dc905c977d4a58e2d61bc676b637a76e56ef2f46

SHA512
f29d6209387d4efa86361b9c289f9d0f182cebd363c54f3fb994fdda73a2b5bc1f9e7a8a6ed07c3ab60d6a24010696fc1835d09354815e4edadc3ab405a7df63

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
2KB

MD5
becb40b193eae5477a7b77605224c08f

SHA1
559dd22477eb8a805834cd7aeacf93c52185200c

SHA256
7be4286a76060c3700765ff6c89ffab192f282e7f84a6efe8a22277f4cfac7db

SHA512
798f5dab08b44734ec272ecbaf362954713bd06b406dfa08a5633ce832cc57088ac2719b411d18fe4064b6127c9e755e4a3ede9566c0dc8e4e36d83f8597a5a3

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
4KB

MD5
8f8e4c70caeebb3739b6f4f6601425e4

SHA1
a33dd70b58440ce01ff0208541dda49ce433863a

SHA256
4838684e0907963b5dc285c074546e58a7e57ee9487015c30a271824f7aab01c

SHA512
646067afc37b5c44fd502dbadf01de98433fa3de3a1f93325732dea56e3ed701c4dd3b0ea75249e9defd78b74d057132199b896f6ed4e8a207ed6536b524e74d

Download Submit
C:\Program Files\Npcap\npcap.cat
Filesize
12KB

MD5
372a97f66a7a39f64b1407fef35dfc7f

SHA1
a5bf28c85f92265cddea9a627405e20b3ab880c1

SHA256
b586e6b6be5cd2c8b71527a3a7ace8be8fa36b99ba8d440e1cafc4b61d909b4a

SHA512
f18c6500ecdb3b765a2cf2f7fad1040ca0619d050b73c9639c4938442ae9c7f3a3c6e250b3b2cec54bb46f23c7567c680ca5a704c1a2c2186ae5590d9b489581

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2280.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst
Filesize
1KB

MD5
de825a838e33ccf3d06b82de337c06d8

SHA1
68956e777f646361eae3f06ce6899cd48bb9f593

SHA256
3b63b09dff7e4c5fe7ccafff74d9f845d1eb04809b0b77a536b2e4aa7dd1097e

SHA512
e935ef759abfcafa4d9cf70a1c5508179600fc85d237e53d3e7f2683fa2e14859e5eee167007328995606996a19f4fcc0c1f9a851011a6fa8db6b53c68160a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst
Filesize
1KB

MD5
a52f3195b5585e1d9a9b38fef66a1801

SHA1
986a5f05ff51d261fe595f0ab56598658aadc9c9

SHA256
40795f603b2eab75fbd886715b0103f2f362494576400ae88925ed1ba7063bdc

SHA512
e9eeb34c3667e56c425b91890f463b5d80e4e5e9f485c2bd3ac064e1784ad118c1460af461e5af8acbbb3bc02432e4f914e54e41d2bdaeaa8af528f0e669b64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\options.ini
Filesize
2KB

MD5
728b3bf50f388125e4043dfd8feb9cec

SHA1
0507c139fadfbb7ea9847ae6242414f54dfdb957

SHA256
5d01492c42f9b2d1a393cb37bca89c86ec07c9e15faf78771c2c1a6da4a9cbbe

SHA512
0d6cb4cf83b1a2f827a208954d99457fa69858290890a5376584e0935112db22b1cd84e68ec03a1e58f2b5cdecf96caa28786123ea6dd3518f6ebfcaf46be18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\options.ini
Filesize
2KB

MD5
f4b7b7ad3343e84c0430d104e5fb797d

SHA1
bf12e3564618996f82b07a50a21a2a9a1f7cb4b7

SHA256
989aca9ccd954dd860fd18735852095d8b6b142d5a58847feab9175a9e4467f3

SHA512
d54d6d1f035e481273fe1ec5b4ab8bfc2ab4f7d77cb1b8aeb18ca0bd0c587d5b614cc115ca4818124de188ffe0ccb5f9d65d582e2595f07f8467373615370a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\options.ini
Filesize
2KB

MD5
d7881c822c30ccdf875ddb5b5e7e66fd

SHA1
e256f02678898cea48ed89c77eb0cb3e8c75eed1

SHA256
45e10f4dbe0cc65e5ff2cedd251d15cf6c8145e792f0afb7919c957216ab7d25

SHA512
56d2c0011ec398ade4b4acb67971e5516fce60beb54510b91bea566b4b5b8fded18707168335539f5cf4449bc90b79e4062760db0c463afe94ed2fa82bc9b245

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\signing.p7b
Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
dfe18e121a7fb570dd04eca95fd6a10a

SHA1
583fc0adb1c68fc5e0e281b45e7a31d9df43b0bb

SHA256
f26cefe48b5a537c81182e13a18fbd4139b6c5be70afaebe12d13b8c4203f303

SHA512
ce772b0dd0a5967e43ceef5ad74708e71e5d811e7b2709e3c18fbfc375eecebce0065a44bbbb301315fb317cd54696f364e7b4d61e4fae1f819f6478d4e930f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cf42b6d8c901fb05d07b63a22caa3abd

SHA1
facfd3265c05c58791884c56f3caf47eff3b44f3

SHA256
37ccb37ce10a904927660dfbf7e2b61ddb71a2cea8a967bf3e693d2a2fe4e15f

SHA512
44fbf555b73bd44dc66b514c8a7578dfc69b03a544ece19a4bd549b31fcf7817717b76024e52595e9f928846ec297d7d2e18f71b8375624453883a1a8d77f60e

Download Submit
C:\Windows\Temp\Cab2148.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar216B.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\InstallOptions.dll
Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\NPFInstall.exe
Filesize
300KB

MD5
c01beb6c3526554ec9dfad40502317f2

SHA1
89f468496bd7e6d993a032f918c5baabb21c11be

SHA256
5d54a5e7230baf2b80689ee49d263612a6011bc46ec52843e7b4297e9656d32d

SHA512
a7fdb3d69cc2b12c9795c8f5e34f64014273e471dc0639ff4693f18e3d5ea758f38f58a5dfc4d1800511ce3e130a7454fd371579e31dbba049770fb74b889339

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\System.dll
Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\nsExec.dll
Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads