e3dcd71e32b11ca32c66e5187c2d4191401f885afbe068163ad8b054da362de3

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updater/GUP.exe
Size

798KB
MD5

e24cddedd2508dd360f6ee23e3a2f36f
SHA1

41868d05991493f219b66d1bef5672ed17163a0f
SHA256

7078642857d0023449d93acf50b4799a7e71ea7850e6095c941cc036e294a99c
SHA512

4003686aaf444e20ee85ca6d5c88bf0087e9428a0e4f85c0d267505afeb5b582c0fe619b3c64b1118a543ba2eef24ba4464c25cc1c45832666cfefce87688eaf
SSDEEP

12288:LT1cES2JH4oKgAGtMr5DR+W7AyfuKY0dsr0uiKnHowsT0CSm4:Vh2DR+Cu6dsr0uiKnHqT0v

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	GUP.exe

Executes dropped EXE 1 IoCs

pid	Process
112	npp.8.5.4.Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
112	npp.8.5.4.Installer.exe
112	npp.8.5.4.Installer.exe
112	npp.8.5.4.Installer.exe
112	npp.8.5.4.Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4232	GUP.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 112	4232	GUP.exe	90
PID 4232 wrote to memory of 112	4232	GUP.exe	90
PID 4232 wrote to memory of 112	4232	GUP.exe	90

C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe
"C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\npp.8.5.4.Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.5.4.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\npp.8.5.4.Installer.exe

Filesize
4.2MB

MD5
e48e79c943a953041bd809376e2fead5

SHA1
4b4cc296693cfe19e0d25664e20f5f89df24313c

SHA256
5a3b915f1619c671699d08528fe23466cabfcc63d787c44586bc096d8536268f

SHA512
3f34a225bdef4c331026f800b7afee147bdf8dcb3d3afa826cf4eeb174942edbe36ee13d1d1e5703e52fcccaac9d233a30c890f5c416b757ee7442ea6f551717

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.5.4.Installer.exe

Filesize
4.2MB

MD5
e48e79c943a953041bd809376e2fead5

SHA1
4b4cc296693cfe19e0d25664e20f5f89df24313c

SHA256
5a3b915f1619c671699d08528fe23466cabfcc63d787c44586bc096d8536268f

SHA512
3f34a225bdef4c331026f800b7afee147bdf8dcb3d3afa826cf4eeb174942edbe36ee13d1d1e5703e52fcccaac9d233a30c890f5c416b757ee7442ea6f551717

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.5.4.Installer.exe

Filesize
4.2MB

MD5
e48e79c943a953041bd809376e2fead5

SHA1
4b4cc296693cfe19e0d25664e20f5f89df24313c

SHA256
5a3b915f1619c671699d08528fe23466cabfcc63d787c44586bc096d8536268f

SHA512
3f34a225bdef4c331026f800b7afee147bdf8dcb3d3afa826cf4eeb174942edbe36ee13d1d1e5703e52fcccaac9d233a30c890f5c416b757ee7442ea6f551717

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8743.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8743.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8743.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8743.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8743.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8743.tmp\ioSpecial.ini

Filesize
1KB

MD5
e07c988bc67ba2b577281cc550adadcd

SHA1
7a6f009cb101e6a746d1016f5375ac1c442e9fe7

SHA256
0867615146347f0094c7195bb1893ec9a8ce519f18148f061a481a6b089f3e5b

SHA512
a499b7873c087e2b57cca8018693a818355a92bc99bd68a3c2e05335ba3c654f56451db0deacccaa33afd282f7f24c9f3c28b8cc4d63d60891e6a2df89e66025

Download Submit