a3a267aa6f5b0ade2e4829ba18a1baa5bf9a622b49767c1f849090d9263ff68d

Resubmissions

08/02/2024, 09:22

240208-lcd7ssdd32 10

08/02/2024, 02:25

240208-cwq62adgdl 6

07/02/2024, 17:55

240207-whf9fsac74 6

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2024, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npp.8.6.portable.x64/updater/GUP.exe
Size

818KB
MD5

e9be0bc06725c372140838245805dc66
SHA1

6eafbbefe6d2b5b6c8fc39dac54881b5f2e61735
SHA256

8038960c66ec29e9ee0f027491c8349a158025faee39d069219b5a3297134197
SHA512

14831f538f5afd80689db24f7536ef725b75ce235a1ccb7f6795440819461d038cede5beeebd28ffbf9618ae984a0f347a9ffe4c0c10da7b914022174a1688e2
SSDEEP

12288:KySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoq:7qMo2aWqT2KbpIFZ6PNeTw

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	GUP.exe

Executes dropped EXE 1 IoCs

pid	Process
3668	npp.8.6.2.Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
3668	npp.8.6.2.Installer.exe
3668	npp.8.6.2.Installer.exe
3668	npp.8.6.2.Installer.exe
3668	npp.8.6.2.Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4724	GUP.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3668	4724	GUP.exe	84
PID 4724 wrote to memory of 3668	4724	GUP.exe	84
PID 4724 wrote to memory of 3668	4724	GUP.exe	84

C:\Users\Admin\AppData\Local\Temp\npp.8.6.portable.x64\updater\GUP.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.6.portable.x64\updater\GUP.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe

Filesize
4.5MB

MD5
c8cb32063d37894be9ad45bdf57eed0f

SHA1
55aba5a8c0c574a266ccfe54c3e8ac3ac42531fa

SHA256
9126e76c155f2535afbffd10fb2a9109a65c789540c434e03cf3a9c1e7df4833

SHA512
c175a94e4c71dd5142b350368f122bee988a6fbeb41d3277f58739a7f0f04544dec24d70dedf1609f15a2df6ac923e2b9d8438f106fdbda820fd3bf90cb6639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh64C7.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh64C7.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh64C7.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh64C7.tmp\ioSpecial.ini

Filesize
1KB

MD5
c28c0031dc52f9abf71399ad3f5aae90

SHA1
8e69b61d3bce08416049b6d2b24e7eae2a54b294

SHA256
5f7694f74b4148dc45a5c9862d4fea6abbcd6c788b755157c8e6ac3ab0edc8d6

SHA512
21d0d1d71dd27117bbde03c75215754f8a6a4f85c5975066a3ca301b789bf0d75ff32d1180ba7366d05f9767ec082423096b7a14b43c5dee210521259b6250d1

Download Submit