Analysis

  • max time kernel
    122s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 12:09

General

  • Target

    $PLUGINSDIR/npcap-1.79.exe

  • Size

    1.1MB

  • MD5

    a4d7e47df742f62080bf845d606045b4

  • SHA1

    723743dc9fa4a190452a7ffc971adfaac91606fa

  • SHA256

    a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53

  • SHA512

    8582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee

  • SSDEEP

    24576:q7INqm36s9R26Vhund3idw1/fayC9nHgeFhPuKX+dXlVp0WgB4:v13TR2ChAdLpfaVgUuZXlVpk4

Score
4/10

Malware Config

Signatures

  • Drops file in Program Files directory 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\npcap-1.79.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\npcap-1.79.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      cmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\wbem\WMIC.exe
        C:\Windows\System32\wbem\wmic.exe qfe get hotfixid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\SysWOW64\findstr.exe
        C:\Windows\System32\findstr.exe "^KB4474419"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nst8E9B.tmp\InstallOptions.dll

    Filesize

    22KB

    MD5

    170c17ac80215d0a377b42557252ae10

    SHA1

    4cbab6cc189d02170dd3ba7c25aa492031679411

    SHA256

    61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

    SHA512

    0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

  • \Users\Admin\AppData\Local\Temp\nst8E9B.tmp\System.dll

    Filesize

    19KB

    MD5

    f020a8d9ede1fb2af3651ad6e0ac9cb1

    SHA1

    341f9345d669432b2a51d107cbd101e8b82e37b1

    SHA256

    7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

    SHA512

    408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

  • \Users\Admin\AppData\Local\Temp\nst8E9B.tmp\nsExec.dll

    Filesize

    14KB

    MD5

    f9e61a25016dcb49867477c1e71a704e

    SHA1

    c01dc1fa7475e4812d158d6c00533410c597b5d9

    SHA256

    274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

    SHA512

    b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8