Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

npp.8.5.2....64.exe

windows7-x64

7

npp.8.5.2....64.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    56s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/04/2023, 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    npp.8.5.2.Installer.x64.exe

  • Size

    4.4MB

  • MD5

    9175a2bfef2c9ef58ba90f8aece50eb2

  • SHA1

    264629fa382bdc08f219d58c425ff0213ec426f4

  • SHA256

    572811bf01a9112c7414b783861da34b2b93f3de298e8455dafb484d19b11f4b

  • SHA512

    69fcdaca03eee403e10828d8b0830850844493f1c05136e1d25417c9f1f4d8d8d61461aae59fb3eec1af90d913a9386cc76d2abf236b5d5088db91a5e56acd6b

  • SSDEEP

    98304:otv9tSmFt6r/e7CBYmH22Fl6unhC17DQwz3OBWQGk413Oy:otltSA6De+B9XdnIHQNA5

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Loads dropped DLL 8 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\npp.8.5.2.Installer.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\npp.8.5.2.Installer.x64.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
        3⤵
        • Loads dropped DLL
        • Registers COM server for autorun
        • Modifies registry class
        PID:2084

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Notepad++\contextMenu\NppShell.dll
    Filesize

    252KB

    MD5

    347ebefb78f865aa13f191103df9ee88

    SHA1

    451858991354d2678e8391fc70394a00e47ebde3

    SHA256

    670ec2031eecdbd49e79cc08e361f2f8f9679eec22d70b7c2158f91aa5e7c60f

    SHA512

    e9d73800a9c0c986f64962b40d4e96feed745e1ce2536ddfece5be74dd0c54352ed9377b954fca74a4ac7271812efa7533a11c1f96b296262d368d25065c580f

    Download Submit

  • C:\Program Files\Notepad++\contextMenu\NppShell.dll
    Filesize

    252KB

    MD5

    347ebefb78f865aa13f191103df9ee88

    SHA1

    451858991354d2678e8391fc70394a00e47ebde3

    SHA256

    670ec2031eecdbd49e79cc08e361f2f8f9679eec22d70b7c2158f91aa5e7c60f

    SHA512

    e9d73800a9c0c986f64962b40d4e96feed745e1ce2536ddfece5be74dd0c54352ed9377b954fca74a4ac7271812efa7533a11c1f96b296262d368d25065c580f

    Download Submit

  • C:\Program Files\Notepad++\contextMenu\NppShell.dll
    Filesize

    252KB

    MD5

    347ebefb78f865aa13f191103df9ee88

    SHA1

    451858991354d2678e8391fc70394a00e47ebde3

    SHA256

    670ec2031eecdbd49e79cc08e361f2f8f9679eec22d70b7c2158f91aa5e7c60f

    SHA512

    e9d73800a9c0c986f64962b40d4e96feed745e1ce2536ddfece5be74dd0c54352ed9377b954fca74a4ac7271812efa7533a11c1f96b296262d368d25065c580f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    68b287f4067ba013e34a1339afdb1ea8

    SHA1

    45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    SHA256

    18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    SHA512

    06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\System.dll
    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\UserInfo.dll
    Filesize

    4KB

    MD5

    2f69afa9d17a5245ec9b5bb03d56f63c

    SHA1

    e0a133222136b3d4783e965513a690c23826aec9

    SHA256

    e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

    SHA512

    bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    b9c14af9fdc61992f15f64037125e346

    SHA1

    11bc3a674ac336f63394e8fbc3233eb6e3e58dab

    SHA256

    5b18c32380e98c747816975c40934607c7bbc1414a63992254ba3d1434a41cee

    SHA512

    42f210c6124a97b2a8f96b1ed3f508cbe6ec913573e61833632c35c3269469f9ba1841a3059c289468064a51b18c87510b449a7864172ebb4dacb7c1fc732f6a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    5c1cd370fa07772e676e8100294ba9bd

    SHA1

    12d807b3aeda657d1f7d0a7a1e6d938d20bfcb85

    SHA256

    c3cc565aa6cdaaa31e95cd2fad64e1d75a06d99e31e1fd8535f9769af0ba085d

    SHA512

    735776d19b7c7d2ad4d32039a580fcc4437ffdfed8b28c379a4f3765ca5ae6f64cb4d2d69ad4033fccd109a029c58842682e11c0f3ce0c6c3b792883e77a38a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8515.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    6c3f8c94d0727894d706940a8a980543

    SHA1

    0d1bcad901be377f38d579aafc0c41c0ef8dcefd

    SHA256

    56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

    SHA512

    2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

    Download Submit