Analysis
- max time kernel: 97s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:31
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: NPK 202020.exe; Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: NPK 202020.exe; Resource: win10v2004-20220414-en)
General
- Target: NPK 202020.exe
- Size: 816KB
- MD5: 94c64da42cec451a2bd9c6e30d366fa8
- SHA1: ae5ad76d977bedfaa76632fa32d5678c212daa96
- SHA256: 40b64f01b9da5a5fdafaeae7226eb911ec29c6ecddd24aae32465f0c3b97fac5
- SHA512: 97754440f8ad88d4bc02e57f921461a62176825f615cffbc6ffd35c29404e4301a142e4e4399c835c370e47563c240205ca8985a8f1ef6de1df43dea19dcf86a
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- NPK 202020.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
- NPK 202020.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- NPK 202020.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- NPK 202020.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- NPK 202020.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\Windows Update.exe"
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1924: NPK 202020.exe
- PID 1924: NPK 202020.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 1924 (NPK 202020.exe): Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 1924 (NPK 202020.exe) wrote to memory of PID 1932 (schtasks.exe)
- PID 1924 (NPK 202020.exe) wrote to memory of PID 1932 (schtasks.exe)
- PID 1924 (NPK 202020.exe) wrote to memory of PID 1932 (schtasks.exe)
-
outlook_office_path (1 IoC)
Processes:
- NPK 202020.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
Processes:
- NPK 202020.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe"
Signatures:
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
Level 2 (child of NPK 202020.exe): C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YHtBDZyNICpYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8A6.tmp"
Signatures:
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB8A6.tmp
- Filesize: 1KB
- MD5: cdce3418c272d081e64bd022adb68538
- SHA1: 986818b35554e8caa52fe60af68a84f58d0a0f25
- SHA256: 3f59f2ad3befbd20af2c1600986afcc9e528229d3042a79e97388673578be2b4
- SHA512: 2bd161b80b949f3d58bfe95b24112245f8bd4062382cdf9e7d665fe1342009fe52f475113393a0c45030994e05790e4d4466767dbf647054f2d339bc6f4fde84
-
Memory dumps
- memory/1924-130-0x0000000000CF0000-0x0000000000DC0000-memory.dmp (Filesize: 832KB)
- memory/1924-131-0x0000000005C60000-0x0000000006204000-memory.dmp (Filesize: 5.6MB)
- memory/1924-132-0x0000000005750000-0x00000000057E2000-memory.dmp (Filesize: 584KB)
- memory/1924-133-0x00000000058E0000-0x00000000058EA000-memory.dmp (Filesize: 40KB)
- memory/1924-134-0x0000000007F80000-0x000000000801C000-memory.dmp (Filesize: 624KB)
- memory/1924-137-0x0000000008BC0000-0x0000000008C26000-memory.dmp (Filesize: 408KB)
- memory/1924-138-0x0000000008F80000-0x0000000008FD0000-memory.dmp (Filesize: 320KB)
- memory/1932-135-0x0000000000000000-mapping.dmp