Overview

overview

7

Static

static

1

npp.8.5.2....64.exe

windows7-x64

7

npp.8.5.2....64.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    45s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2023 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    npp.8.5.2.Installer.x64.exe

  • Size

    4.4MB

  • MD5

    9175a2bfef2c9ef58ba90f8aece50eb2

  • SHA1

    264629fa382bdc08f219d58c425ff0213ec426f4

  • SHA256

    572811bf01a9112c7414b783861da34b2b93f3de298e8455dafb484d19b11f4b

  • SHA512

    69fcdaca03eee403e10828d8b0830850844493f1c05136e1d25417c9f1f4d8d8d61461aae59fb3eec1af90d913a9386cc76d2abf236b5d5088db91a5e56acd6b

  • SSDEEP

    98304:otv9tSmFt6r/e7CBYmH22Fl6unhC17DQwz3OBWQGk413Oy:otltSA6De+B9XdnIHQNA5

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Loads dropped DLL 9 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\npp.8.5.2.Installer.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\npp.8.5.2.Installer.x64.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
        3⤵
        • Loads dropped DLL
        • Registers COM server for autorun
        • Modifies registry class
        PID:1004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Notepad++\contextMenu\NppShell.dll
    Filesize

    252KB

    MD5

    347ebefb78f865aa13f191103df9ee88

    SHA1

    451858991354d2678e8391fc70394a00e47ebde3

    SHA256

    670ec2031eecdbd49e79cc08e361f2f8f9679eec22d70b7c2158f91aa5e7c60f

    SHA512

    e9d73800a9c0c986f64962b40d4e96feed745e1ce2536ddfece5be74dd0c54352ed9377b954fca74a4ac7271812efa7533a11c1f96b296262d368d25065c580f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst3047.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst3047.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    0f685145f8b78cd378acf8e1bbbb2290

    SHA1

    ecd36f0a0d7cadcdc3756cefad7e721c0898edd4

    SHA256

    805d5c8e5b7bfc5e684988a8f974d5dd1ad16d7f1f26973b0b73c50bb902a0ca

    SHA512

    ce104d2dc937464a0bc71b3119bd7c78b88b7f06c865139b1ff80a12a8dbf9c76cd107d644e413c3245f5449d60c378e5ca94b22a8c351289a03a1718f5fd120

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst3047.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    35ef438b799c8aaf525b21998e135a12

    SHA1

    0193d1dc624967540c56e8d233521cc6136a9a17

    SHA256

    1210a01b16b4a810aa37d532fdce3919a0578077cd34b08cfa78ba936efd9a5b

    SHA512

    3d096b29a2f957e2de7e99aea246e40402c02b34bba66bb373f4a2f78010c553fc6830c2e9f4e7ed6db83e6935b54c78fee41b1d8e1ef22c68ab79642a7d2c03

    Download Submit

  • \Program Files\Notepad++\contextMenu\NppShell.dll
    Filesize

    252KB

    MD5

    347ebefb78f865aa13f191103df9ee88

    SHA1

    451858991354d2678e8391fc70394a00e47ebde3

    SHA256

    670ec2031eecdbd49e79cc08e361f2f8f9679eec22d70b7c2158f91aa5e7c60f

    SHA512

    e9d73800a9c0c986f64962b40d4e96feed745e1ce2536ddfece5be74dd0c54352ed9377b954fca74a4ac7271812efa7533a11c1f96b296262d368d25065c580f

    Download Submit

  • \Program Files\Notepad++\contextMenu\NppShell.dll
    Filesize

    252KB

    MD5

    347ebefb78f865aa13f191103df9ee88

    SHA1

    451858991354d2678e8391fc70394a00e47ebde3

    SHA256

    670ec2031eecdbd49e79cc08e361f2f8f9679eec22d70b7c2158f91aa5e7c60f

    SHA512

    e9d73800a9c0c986f64962b40d4e96feed745e1ce2536ddfece5be74dd0c54352ed9377b954fca74a4ac7271812efa7533a11c1f96b296262d368d25065c580f

    Download Submit

  • \Program Files\Notepad++\notepad++.exe
    Filesize

    6.3MB

    MD5

    2eaf48c0835a05b81e918b882f161abc

    SHA1

    76394bbc329a3fcf4f390cd51e5b7b1d03b97bf0

    SHA256

    a559ec6a8b7951551b1e10943326a9a7c585181acf91cf4ef267b2bde9b8173c

    SHA512

    b482c58c4d4f2760729c62d52a29f12ff66ad0841e44abdfbb7414c586e5dce6fb8eddb868ac9c38f2fb94d29d8da927cff7220119ca60d4a4c8b6a77a8ee4d1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst3047.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst3047.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst3047.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    68b287f4067ba013e34a1339afdb1ea8

    SHA1

    45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    SHA256

    18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    SHA512

    06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst3047.tmp\System.dll
    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst3047.tmp\UserInfo.dll
    Filesize

    4KB

    MD5

    2f69afa9d17a5245ec9b5bb03d56f63c

    SHA1

    e0a133222136b3d4783e965513a690c23826aec9

    SHA256

    e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

    SHA512

    bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst3047.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    6c3f8c94d0727894d706940a8a980543

    SHA1

    0d1bcad901be377f38d579aafc0c41c0ef8dcefd

    SHA256

    56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

    SHA512

    2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

    Download Submit