1ee09b56eb363f46b95737856b82a8fd297c1e488042dd6c1f813cdb616a894e

General

Target

NPK 202020.exe
Size

816KB
MD5

94c64da42cec451a2bd9c6e30d366fa8
SHA1

ae5ad76d977bedfaa76632fa32d5678c212daa96
SHA256

40b64f01b9da5a5fdafaeae7226eb911ec29c6ecddd24aae32465f0c3b97fac5
SHA512

97754440f8ad88d4bc02e57f921461a62176825f615cffbc6ffd35c29404e4301a142e4e4399c835c370e47563c240205ca8985a8f1ef6de1df43dea19dcf86a

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NPK 202020.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	NPK 202020.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

NPK 202020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NPK 202020.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NPK 202020.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NPK 202020.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NPK 202020.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\Windows Update.exe"	NPK 202020.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NPK 202020.exe

pid process

1924 NPK 202020.exe
1924 NPK 202020.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NPK 202020.exe

description pid process

Token: SeDebugPrivilege 1924 NPK 202020.exe

pid	process
1932	schtasks.exe

pid	process
1924	NPK 202020.exe
1924	NPK 202020.exe

description	pid	process
Token: SeDebugPrivilege	1924	NPK 202020.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NPK 202020.exe

description	pid	process	target process
PID 1924 wrote to memory of 1932	1924	NPK 202020.exe	schtasks.exe
PID 1924 wrote to memory of 1932	1924	NPK 202020.exe	schtasks.exe
PID 1924 wrote to memory of 1932	1924	NPK 202020.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

NPK 202020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NPK 202020.exe

outlook_win_path 1 IoCs

Processes:

NPK 202020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NPK 202020.exe

C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe
"C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YHtBDZyNICpYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8A6.tmp"
2⤵
- Creates scheduled task(s)
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB8A6.tmp
Filesize
1KB

MD5
cdce3418c272d081e64bd022adb68538

SHA1
986818b35554e8caa52fe60af68a84f58d0a0f25

SHA256
3f59f2ad3befbd20af2c1600986afcc9e528229d3042a79e97388673578be2b4

SHA512
2bd161b80b949f3d58bfe95b24112245f8bd4062382cdf9e7d665fe1342009fe52f475113393a0c45030994e05790e4d4466767dbf647054f2d339bc6f4fde84

Download Submit
memory/1924-130-0x0000000000CF0000-0x0000000000DC0000-memory.dmp

Filesize
832KB

Download
memory/1924-131-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/1924-132-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/1924-133-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/1924-134-0x0000000007F80000-0x000000000801C000-memory.dmp

Filesize
624KB

Download
memory/1924-137-0x0000000008BC0000-0x0000000008C26000-memory.dmp

Filesize
408KB

Download
memory/1924-138-0x0000000008F80000-0x0000000008FD0000-memory.dmp

Filesize
320KB

Download
memory/1932-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads