Overview
overview
4Static
static
3nmap-7.95-setup.exe
windows7-x64
4nmap-7.95-setup.exe
windows10-2004-x64
4$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...79.exe
windows7-x64
4$PLUGINSDI...79.exe
windows10-2004-x64
4$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...ll.exe
windows7-x64
4$PLUGINSDI...ll.exe
windows10-2004-x64
4$PLUGINSDI...re.dll
windows7-x64
3$PLUGINSDI...re.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3NPFInstall.exe
windows7-x64
4NPFInstall.exe
windows10-2004-x64
4x64/NPFInstall.exe
windows7-x64
4x64/NPFInstall.exe
windows10-2004-x64
4$PLUGINSDI...86.exe
windows7-x64
4$PLUGINSDI...86.exe
windows10-2004-x64
4Uninstall.exe
windows7-x64
4Uninstall.exe
windows10-2004-x64
4libcrypto-3.dll
windows7-x64
3libcrypto-3.dll
windows10-2004-x64
3libssh2.dll
windows7-x64
3libssh2.dll
windows10-2004-x64
3libssl-3.dll
windows7-x64
3libssl-3.dll
windows10-2004-x64
3ncat.exe
windows7-x64
3ncat.exe
windows10-2004-x64
3Analysis
-
max time kernel
122s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-09-2024 12:09
Static task
static1
Behavioral task
behavioral1
Sample
nmap-7.95-setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
nmap-7.95-setup.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/npcap-1.79.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/npcap-1.79.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/NPFInstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/NPFInstall.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/SysRestore.dll
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/SysRestore.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
NPFInstall.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
NPFInstall.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
x64/NPFInstall.exe
Resource
win7-20240704-en
Behavioral task
behavioral20
Sample
x64/NPFInstall.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/vc_redist.x86.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/vc_redist.x86.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
Uninstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
Uninstall.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
libcrypto-3.dll
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
libcrypto-3.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
libssh2.dll
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
libssh2.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
libssl-3.dll
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
libssl-3.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
ncat.exe
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
ncat.exe
Resource
win10v2004-20240802-en
General
-
Target
$PLUGINSDIR/npcap-1.79.exe
-
Size
1.1MB
-
MD5
a4d7e47df742f62080bf845d606045b4
-
SHA1
723743dc9fa4a190452a7ffc971adfaac91606fa
-
SHA256
a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53
-
SHA512
8582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee
-
SSDEEP
24576:q7INqm36s9R26Vhund3idw1/fayC9nHgeFhPuKX+dXlVp0WgB4:v13TR2ChAdLpfaVgUuZXlVpk4
Malware Config
Signatures
-
Drops file in Program Files directory 1 IoCs
Processes:
npcap-1.79.exedescription ioc process File opened for modification C:\Program Files\Npcap\install.log npcap-1.79.exe -
Loads dropped DLL 4 IoCs
Processes:
npcap-1.79.exepid process 2684 npcap-1.79.exe 2684 npcap-1.79.exe 2684 npcap-1.79.exe 2684 npcap-1.79.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
npcap-1.79.execmd.exeWMIC.exefindstr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npcap-1.79.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
npcap-1.79.exepid process 2684 npcap-1.79.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
WMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 2704 WMIC.exe Token: SeSecurityPrivilege 2704 WMIC.exe Token: SeTakeOwnershipPrivilege 2704 WMIC.exe Token: SeLoadDriverPrivilege 2704 WMIC.exe Token: SeSystemProfilePrivilege 2704 WMIC.exe Token: SeSystemtimePrivilege 2704 WMIC.exe Token: SeProfSingleProcessPrivilege 2704 WMIC.exe Token: SeIncBasePriorityPrivilege 2704 WMIC.exe Token: SeCreatePagefilePrivilege 2704 WMIC.exe Token: SeBackupPrivilege 2704 WMIC.exe Token: SeRestorePrivilege 2704 WMIC.exe Token: SeShutdownPrivilege 2704 WMIC.exe Token: SeDebugPrivilege 2704 WMIC.exe Token: SeSystemEnvironmentPrivilege 2704 WMIC.exe Token: SeRemoteShutdownPrivilege 2704 WMIC.exe Token: SeUndockPrivilege 2704 WMIC.exe Token: SeManageVolumePrivilege 2704 WMIC.exe Token: 33 2704 WMIC.exe Token: 34 2704 WMIC.exe Token: 35 2704 WMIC.exe Token: SeIncreaseQuotaPrivilege 2704 WMIC.exe Token: SeSecurityPrivilege 2704 WMIC.exe Token: SeTakeOwnershipPrivilege 2704 WMIC.exe Token: SeLoadDriverPrivilege 2704 WMIC.exe Token: SeSystemProfilePrivilege 2704 WMIC.exe Token: SeSystemtimePrivilege 2704 WMIC.exe Token: SeProfSingleProcessPrivilege 2704 WMIC.exe Token: SeIncBasePriorityPrivilege 2704 WMIC.exe Token: SeCreatePagefilePrivilege 2704 WMIC.exe Token: SeBackupPrivilege 2704 WMIC.exe Token: SeRestorePrivilege 2704 WMIC.exe Token: SeShutdownPrivilege 2704 WMIC.exe Token: SeDebugPrivilege 2704 WMIC.exe Token: SeSystemEnvironmentPrivilege 2704 WMIC.exe Token: SeRemoteShutdownPrivilege 2704 WMIC.exe Token: SeUndockPrivilege 2704 WMIC.exe Token: SeManageVolumePrivilege 2704 WMIC.exe Token: 33 2704 WMIC.exe Token: 34 2704 WMIC.exe Token: 35 2704 WMIC.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
npcap-1.79.execmd.exedescription pid process target process PID 2684 wrote to memory of 2708 2684 npcap-1.79.exe cmd.exe PID 2684 wrote to memory of 2708 2684 npcap-1.79.exe cmd.exe PID 2684 wrote to memory of 2708 2684 npcap-1.79.exe cmd.exe PID 2684 wrote to memory of 2708 2684 npcap-1.79.exe cmd.exe PID 2708 wrote to memory of 2704 2708 cmd.exe WMIC.exe PID 2708 wrote to memory of 2704 2708 cmd.exe WMIC.exe PID 2708 wrote to memory of 2704 2708 cmd.exe WMIC.exe PID 2708 wrote to memory of 2704 2708 cmd.exe WMIC.exe PID 2708 wrote to memory of 2800 2708 cmd.exe findstr.exe PID 2708 wrote to memory of 2800 2708 cmd.exe findstr.exe PID 2708 wrote to memory of 2800 2708 cmd.exe findstr.exe PID 2708 wrote to memory of 2800 2708 cmd.exe findstr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\npcap-1.79.exe"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\npcap-1.79.exe"1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\cmd.execmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\System32\wbem\wmic.exe qfe get hotfixid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\SysWOW64\findstr.exeC:\Windows\System32\findstr.exe "^KB4474419"3⤵
- System Location Discovery: System Language Discovery
PID:2800
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD5170c17ac80215d0a377b42557252ae10
SHA14cbab6cc189d02170dd3ba7c25aa492031679411
SHA25661ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
SHA5120fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
-
Filesize
19KB
MD5f020a8d9ede1fb2af3651ad6e0ac9cb1
SHA1341f9345d669432b2a51d107cbd101e8b82e37b1
SHA2567efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0
SHA512408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8