c59b51d15b5965f27db4c5bbd21793ad6b492c8c751836ba8bd43829d791146e

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/npcap-1.79.exe
Size

1.1MB
MD5

a4d7e47df742f62080bf845d606045b4
SHA1

723743dc9fa4a190452a7ffc971adfaac91606fa
SHA256

a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53
SHA512

8582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee
SSDEEP

24576:q7INqm36s9R26Vhund3idw1/fayC9nHgeFhPuKX+dXlVp0WgB4:v13TR2ChAdLpfaVgUuZXlVpk4

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

npcap-1.79.exe

description ioc process

File opened for modification C:\Program Files\Npcap\install.log npcap-1.79.exe
Loads dropped DLL 4 IoCs

Processes:

npcap-1.79.exe

pid process

2684 npcap-1.79.exe
2684 npcap-1.79.exe
2684 npcap-1.79.exe
2684 npcap-1.79.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files\Npcap\install.log	npcap-1.79.exe

pid	process
2684	npcap-1.79.exe
2684	npcap-1.79.exe
2684	npcap-1.79.exe
2684	npcap-1.79.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

npcap-1.79.execmd.exeWMIC.exefindstr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npcap-1.79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

npcap-1.79.exe

pid process

2684 npcap-1.79.exe

pid	process
2684	npcap-1.79.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

npcap-1.79.execmd.exe

description	pid	process	target process
PID 2684 wrote to memory of 2708	2684	npcap-1.79.exe	cmd.exe
PID 2684 wrote to memory of 2708	2684	npcap-1.79.exe	cmd.exe
PID 2684 wrote to memory of 2708	2684	npcap-1.79.exe	cmd.exe
PID 2684 wrote to memory of 2708	2684	npcap-1.79.exe	cmd.exe
PID 2708 wrote to memory of 2704	2708	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 2704	2708	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 2704	2708	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 2704	2708	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	findstr.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	findstr.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	findstr.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\npcap-1.79.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\npcap-1.79.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe qfe get hotfixid
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\findstr.exe
C:\Windows\System32\findstr.exe "^KB4474419"
3⤵
- System Location Discovery: System Language Discovery
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst8E9B.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nst8E9B.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
\Users\Admin\AppData\Local\Temp\nst8E9B.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit