ed09de323c9ce1e5caec2ab5d3dc03ecc820e5469c5d70c9ffbca3f17678d237

Analysis

max time kernel
121s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 14:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NPE_server.exe
Size

12.3MB
MD5

913a5aaa55139c5c059a1eadc1b77ef2
SHA1

ddd96cc367e4aec0f5c263173ad43d09f4660eb6
SHA256

ed09de323c9ce1e5caec2ab5d3dc03ecc820e5469c5d70c9ffbca3f17678d237
SHA512

a07c634f70f84c1a2dfe7230341737a1fcbbddaaa18f0250b9a499b641b63a267990a8063f10d3f6902595c995226dd0adcccedbc38b66063f24ae317ddae5f1
SSDEEP

196608:bIz0BLgJqcFf/xF2g2EOS/lJU0V3trh1qLwY4aAXGhJcKZzuUFG2X6:czlqcNJ4U7DtHrhkLi2hJcKtuOG2X6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
680	NPE_server.exe
680	NPE_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
680	NPE_server.exe

C:\Users\Admin\AppData\Local\Temp\NPE_server.exe
"C:\Users\Admin\AppData\Local\Temp\NPE_server.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso532.tmp\ioSpecial.ini

Filesize
738B

MD5
4a75f14d62189bcb6af06a0b812643c4

SHA1
5fec3bf4a2250b0ee439aae314d33223b14348a2

SHA256
56c76dfb2be8d27a5707856b0e4208da4476ff0d03df55bdeaa04ee6bb45db02

SHA512
885ee477d8be3b2c9aca22577c2534228346d526e66a222ba39b318d4d7956c0b3d8622e06db88cbdca65bfd25172ffa7a5f6ad3bf96b6eb4b9bf365c694c7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso532.tmp\ioSpecial.ini

Filesize
750B

MD5
9bee6a1c1c6b6078db1306991812ea0d

SHA1
bcffecf70282024759e1c33d9b29e245f4da1710

SHA256
d8088d265bb83e6b7a902dd8273575936f7fe569d8c7504828c1a42109fdb1c1

SHA512
4771289227b4c58df6d7b648e5ba5399bf6f2e9c3fac25f82d93263301d9ba5fb296dc87952f5f49449e07d9a6f38f3fc9935c5ddec575ce2d3232e3f24239b1

Download Submit
\Users\Admin\AppData\Local\Temp\nso532.tmp\InstallOptions.dll

Filesize
14KB

MD5
3e277798b9d8f48806fbb5ebfd4990db

SHA1
d1ab343c5792bc99599ec7acba506e8ba7e05969

SHA256
fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c

SHA512
84c9d4e2e6872277bffb0e10b292c8c384d475ad163fd0a47ca924a3c79077dfde880f535a171660f73265792554129161d079a10057d44e28e2d57ebc477e92

Download Submit
\Users\Admin\AppData\Local\Temp\nso532.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit