Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 00:28

General

  • Target

    SniffX/手动安装npf驱动.bat

  • Size

    252B

  • MD5

    67ee57c82088d2bd6203b628039bb855

  • SHA1

    dd08c780d93cd892999eeb53801f192e228d64f1

  • SHA256

    fcef30261f0ffdf3330e4dddd49399892c67eca5fafbd19b1ad6e8d160d4eee6

  • SHA512

    051eb00a293d7fc55c9c90440e72765458fc2a945956b4b326ccaffe6afd3aa5f1ecf14b00337801ca50643195a06808fbe1bbbaedc393a2cc83535f74e7b93b

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Drops file in Drivers directory 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SniffX\手动安装npf驱动.bat"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\SniffX\sc.exe
      sc create npf binpath= system32\drivers\npf.sys type= kernel start= demand
      2⤵
      • Launches sc.exe
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Downloads