25512356b45d1f25c9f5e1ebfd53005773f95a6354c12aa9e8801f764daf215f

Analysis

max time kernel
28s
max time network
19s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SmartClient/WinPcap.exe
Size

893KB
MD5

a11a2f0cfe6d0b4c50945989db6360cd
SHA1

e2516fcd1573e70334c8f50bee5241cdfdf48a00
SHA256

fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de
SHA512

2652d84eb91ca7957b4fb3ff77313e5dae978960492669242df4f246296f1bedaa48c0d33ffb286b2859a1b86ef5460060b551edca597b4ec60ee08676877c70
SSDEEP

24576:UBOldyR6ORWsaM2QROxa6jsqUENfJjNK/CG6niqiL:2KzqWsayROxa6QDENuaG+ifL

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\npf.sys	WinPcap.exe

Loads dropped DLL 7 IoCs

pid	Process
2260	WinPcap.exe
2260	WinPcap.exe
2260	WinPcap.exe
2260	WinPcap.exe
2260	WinPcap.exe
2260	WinPcap.exe
2260	WinPcap.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wpcap.dll	WinPcap.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	WinPcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	WinPcap.exe
File created	C:\Windows\system32\wpcap.dll	WinPcap.exe
File created	C:\Windows\system32\Packet.dll	WinPcap.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinPcap\rpcapd.exe	WinPcap.exe
File created	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	WinPcap.exe
File created	C:\Program Files (x86)\WinPcap\Uninstall.exe	WinPcap.exe
File opened for modification	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	WinPcap.exe
File created	C:\Program Files (x86)\WinPcap\install.log	WinPcap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1080	2260	WinPcap.exe	28
PID 2260 wrote to memory of 1080	2260	WinPcap.exe	28
PID 2260 wrote to memory of 1080	2260	WinPcap.exe	28
PID 2260 wrote to memory of 1080	2260	WinPcap.exe	28
PID 2260 wrote to memory of 1080	2260	WinPcap.exe	28
PID 2260 wrote to memory of 1080	2260	WinPcap.exe	28
PID 2260 wrote to memory of 1080	2260	WinPcap.exe	28
PID 1080 wrote to memory of 2716	1080	net.exe	30
PID 1080 wrote to memory of 2716	1080	net.exe	30
PID 1080 wrote to memory of 2716	1080	net.exe	30
PID 1080 wrote to memory of 2716	1080	net.exe	30
PID 1080 wrote to memory of 2716	1080	net.exe	30
PID 1080 wrote to memory of 2716	1080	net.exe	30
PID 1080 wrote to memory of 2716	1080	net.exe	30

C:\Users\Admin\AppData\Local\Temp\SmartClient\WinPcap.exe
"C:\Users\Admin\AppData\Local\Temp\SmartClient\WinPcap.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\net.exe
  net start npf
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start npf
    3⤵
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso7927.tmp\bootOptions.ini

Filesize
371B

MD5
c3655063fb2c5d311032636d4ea80a6a

SHA1
5eee37720532b7f155a917a52c1f3780ad89040b

SHA256
36dac7ae69334f64c9d24d6b2420fe562131ae225ad849ae6a97dedc3b18a156

SHA512
1bb4c042516c1654ee8d53973ac338b3c4742168071a5891e10d519811d99443b35ea29090b3869479fdcfa68046cdd829ccedc22cc7955e461a532926ab6203

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7927.tmp\bootOptions.ini

Filesize
362B

MD5
00b10dd8ca1c1534f9753318a6e142e8

SHA1
32c78676bc74a0f183ee9f26e87926d033e11d20

SHA256
efc0bfc6aed4ce606c08191ca0cd1d055e1bd836ed93369f4755a2f3be94e9f9

SHA512
18375736d34a2850e0ffa4da388e770fa52503cb7e7625637a723f118283f19a8a57993ae6703f9b7c3127cdc5e4ec931de3a71c23e9f4f5cfc3da1ab29dbfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7927.tmp\ioSpecial.ini

Filesize
556B

MD5
1c141d7001f621345f5de6b396598404

SHA1
1edbb12e02f1ea32278045ecbeda504e9186851d

SHA256
beaab3a5c04737c09b1ccd240252985a84378db099888a1c6ad98d529e667520

SHA512
a44a27c5d67b434ad461cfb134e302563999c82197c48149e6df806f29354198e427817a528a28dea311149f396387ef175f1d5402f5460638f70130fe711da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7927.tmp\ioSpecial.ini

Filesize
578B

MD5
e298238f5274ee8026d922febcd9fd4d

SHA1
bf73767a384601b90048792cce0afdf40255d1bb

SHA256
58c1a9020590c6fd372274f39f93f52b9e0d7cc803bc5fbc442b3e90867f4b12

SHA512
c4ccdca92c83dd3d716eaccec71a453980e35c3b92569479403d7504c87cfe7032db75a2019bf1b0563237659960a94f78a0f07b58df4ca9af122f84e3be4109

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7927.tmp\ioSpecial.ini

Filesize
556B

MD5
b551777687220b45e0317a5671078717

SHA1
b463d0a8eda68e2e8a758eb26f80c5d33a5d986f

SHA256
3c402799cb908abc38f7a064500baa58ecad549394200ca86b1a8f43984581da

SHA512
3c85d600827eece277ebe9983ec83e40ffd8795b0c362fd52c4d10de10c073d9ba18a9c93abe700e4c36c83bb3f67f01494e52e709f0426941cf308a246b7cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7927.tmp\ioSpecial.ini

Filesize
591B

MD5
6d197bd83bb63dd13cd9d39b378dace7

SHA1
979b27260988b23ac5def10e82937a39b7817799

SHA256
36917079871eb4c26044a2d8514a8990014071a9195be3c78d30fba2c835bf05

SHA512
4fd4415fbf3795682f234e68db40807b09181b3c60d6224b251c3e4119c2f7cd0606a358ff2309a01a71815c38f5b3b27f6a74278ede18522dafd1728f967304

Download Submit
\Program Files (x86)\WinPcap\WinPcapInstall.dll

Filesize
91KB

MD5
e78291558cb803dfd091ad8fb56feecc

SHA1
4bde2f87e903fe8d3bd80179c5584cec7a8cbdc4

SHA256
d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d

SHA512
042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f

Download Submit
\Users\Admin\AppData\Local\Temp\nso7927.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
\Users\Admin\AppData\Local\Temp\nso7927.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nso7927.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso7927.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
memory/2260-137-0x0000000000C00000-0x0000000000C16000-memory.dmp

Filesize
88KB

Download