Resubmissions
08/02/2024, 09:22
240208-lcd7ssdd32 1008/02/2024, 02:25
240208-cwq62adgdl 607/02/2024, 17:55
240207-whf9fsac74 6Analysis
-
max time kernel
111s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
08/02/2024, 02:25
General
-
Target
npp.8.6.portable.x64/updater/GUP.exe
-
Size
818KB
-
MD5
e9be0bc06725c372140838245805dc66
-
SHA1
6eafbbefe6d2b5b6c8fc39dac54881b5f2e61735
-
SHA256
8038960c66ec29e9ee0f027491c8349a158025faee39d069219b5a3297134197
-
SHA512
14831f538f5afd80689db24f7536ef725b75ce235a1ccb7f6795440819461d038cede5beeebd28ffbf9618ae984a0f347a9ffe4c0c10da7b914022174a1688e2
-
SSDEEP
12288:KySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoq:7qMo2aWqT2KbpIFZ6PNeTw
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 15 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\npp.8.6.portable.x64\updater\GUP.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.6.portable.x64\updater\GUP.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files (x86)\Notepad++\contextMenu\NppShell.dll"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Notepad++\contextMenu\NppShell.dll"4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" "C:\Program Files (x86)\Notepad++\notepad++.exe"3⤵
-
-
C:\Program Files (x86)\Notepad++\notepad++.exe"C:\Program Files (x86)\Notepad++\notepad++.exe" "C:\Program Files (x86)\Notepad++\change.log"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Notepad++\notepad++.exe"C:\Program Files (x86)\Notepad++\notepad++.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Notepad++\updater\gup.exe"C:\Program Files (x86)\Notepad++\updater\gup.exe" -v8.623⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD549289d54ac50144085f380ce7d6002a8
SHA16b18c63177c482ffe34f542e13b62632712dccdd
SHA256c6462ec921d8aa721999a75022891c0bf8e12e75941a59808cd7cb6a7b30a0ef
SHA512199d817633cf056c43dd23ab9450dc336486635e9beba584c01e8a4481300da036be6cb0caa079d1679528100ea9a891601e0aaa9b7ca8c364fc622cc84c2cb3
-
Filesize
388KB
MD5a3f7ba2ee563b50dcd411376f66c8d02
SHA1b865b1e878b3a68538c5ebe0aeffc98ff617736d
SHA25642272408ffb295313636f3f3b19947079339e32b43368d6c379fd8c911ec5122
SHA51240b69e2dca62984d4e28d9db822961ffd41df5911ed83b5e826668d5aafeb0ff101139dcfb7c51f96b7f9ee417155cf421ad7a743159b722bb2841729f4a7193
-
Filesize
451KB
MD5e2720d29d41e4373d807701e8c7e74f7
SHA142f6abe22a32bc4a3e389205bb1e82f6685f81a0
SHA256b21447e1d7fa8e21a8641638701e18a30ebf491766b8f2071aa12c5595b4b1e8
SHA5124cacc1190641f4de8523751183f4edfc0042dad415a7963fe221e2186aad4759c4831b61fb77e27ee8bc1cb16c876e04288be00c972f6326821ef516336bbf99
-
Filesize
4.8MB
MD5c228674b5664a5100be55de1f47b058d
SHA1a8786b1367edb2561fa79df50672b7b802436d6a
SHA256cb765d7cd249becf12688ec0d41e2523050f7aa7f83513f8dcdcc38facc31e3c
SHA512b2e7d5663b30ed57ba343e2bdd7badf7ac50308abd7eba9ed1beebff2b93ee3b153a6707fa90d643c6402c81825146f73c4e95b4ac2f6adfe7de2d430dcd1b8d
-
Filesize
2.4MB
MD5906cefaa78fb8dc03a1506bdc8591867
SHA15ebb30e7d8e5df505003d25ea4fcbd8530f12334
SHA25651c8e4185cb3cae05c7a8604894c5303a82a9accd39844c8c8bfdb31b97518b3
SHA5128c20cde55f3f601112aabedb1d1f17e3b5f988b51cd81f706c45226a70a37ffaf9acd93b917e20b178105e381d02df9c889cf4efc0144138c2041ff06bea8b92
-
Filesize
197KB
MD5ea2b7e8cd059a1eee860ae70af6f769b
SHA105871eaac63683cdd10f1f311787978a18fb315a
SHA25666b746d566c29cd733fb24e89b5b0e4a4dc6feba5f887f03cd8b382f1f56d2ce
SHA51230d528768f0a470e10816330c479f2fca12656bbeca3702b5888f486dc633f687e583829381d44a6c578d112a2c2f19eadf6be9d769c6f9d349efa27cb7de0ff
-
Filesize
148KB
MD5532cbccda275f7b3333d30326a42d6eb
SHA1b39224d768d4becf7120c253a96a8668767144fa
SHA25658a31039809436c27753d99d43cfd1fbe9886345149c47c62a3783144a15c563
SHA5125b35d8fd27908cda6daeb86f94bf218e2129efd96c49bad45a97b0faf382d834791dada82841b1245744f69f738ee67ed95975c1cfb443a7df14fa4fb3b286d8
-
Filesize
127KB
MD5d3867eb3f4d3f9534ea3e832e622ef88
SHA19ea739460c7bf09537e7fd215bdeba65535e4937
SHA25609a940ca8da5dbc060d683512a1f9bdfd1c0bbfb2d2b39194fee35eb25ad936a
SHA5124007b0fdb9a85701fcb2dead193cc4dd49f67558b9fd9252e577965683cdbd422cb99fd63564d8a37dce886656c5a8dffb1c9fe0738e400167d28dd67f15222c
-
Filesize
106KB
MD50f31257b9c5bf79ad59fa8246db36860
SHA1c34d6675a90ebfede48a75d64f9183a91aeca6d4
SHA2560060921bce80b61461bff5919b9c211bd92ec70ccac18ebc33881e20bd71bcba
SHA51254891a90b68374bf29b3c3d39f35d6712884d16d4827a6ea246da86aee3f6f3fa780971a503aedb92761db3f7051e6128d663136da0d3e3bf9f28396ff1db59b
-
Filesize
3KB
MD5fb573784b83033dd4361f52006d02cb8
SHA10a2923a44ec1bd5e7e8bc7cace15857ae03bf63c
SHA25637a24662cd55b627807bc2bb7cbba5bbf2abaf6da4dd7bbb949bfaa7903eae9c
SHA512753b44b5e8bea858cf5cc5ddfdc38098a2f3f921949cf98706ead95bdfa1de7ab0c115e9d69237623a03c422969480204c69d3ba277141527458c68230d0c67c
-
Filesize
182KB
MD5343b8f55f376e88674733286d027f834
SHA1466886054d5c2641ba6058f58a7a84053aa4696e
SHA256f002b36e70f0fb159885c21fa6e6395176cd50a254201a94cbed756d9843fa9a
SHA512ef6643badbb87739f0ae847d201651f8d3e677c54ca2aa3f81277b053355772f71d9b0f490617c104ce861a29e2b283fe6d82faf4cfe8f10bfc571d683cfea8e
-
Filesize
576KB
MD56add21e522b9929a11e65d54c0e75f87
SHA1a82be9dff368713c7cee84d691acd1dedd158ce0
SHA256e27b722b249bb4ec766679a246a2bbcbc5464e11888a2fd57b2610d34b1aa84a
SHA512380f03bc7b058bbc1b2cf30b9011610b6b34ae3d800206e83e3aeb98c0c6a187573290805282b97db6f10517e9e74401bf06d680e2bdcbb2091068e6d13518cf
-
Filesize
631KB
MD50f0afe416e942dba4fdb99eb2107d959
SHA13afeb8ed3c9406e0295963fcaee85b7e3cf678b9
SHA2567404decb346a83ed4d87ca0bfdc855ed0c640e54f58dc1f69c9b68951a2e19a6
SHA5128e74262d7f29b1a01831fa8576e135cffaf46d996d712c409b4cb5ef1de73a5c48e1e40624ec428f0fc80434f52034626b0b430ba89503afee2431347e4f69ec
-
Filesize
4KB
MD5abde55a0b1cb4a904e622c02f559dcd1
SHA11662f8445a000bbf7c61c40e39266658f169bf13
SHA25692717951aae89e960b142cef3d273f104051896a3d527a78ca4a88c22b5216a5
SHA5128fe75fb468f87be1153a6a0d70c0583a355f355bfe988027c88d154b500e97f2c5241d9557ebb981067205e2f23ad07b6a49c669cd3e94eaa728201173b235a0
-
Filesize
414KB
MD5b195dae7f310208f76100c5c439684da
SHA1ab3c4d70b851a33ac81ad0061d73b189cbc51aa7
SHA25686d29dfabf8a123f465dd1a3b01f4cb12da03430647f2278323e930f89197e37
SHA5127ef390e17bc68ec949777771f25535de6c17cf008652e079e7cbfb9c7b76eb37f439caf7dac31d1896c910b7aae1fe230a51c5b49fbbda3f5bcc5b7bf39d706e
-
Filesize
619KB
MD5ac283c4f55be7359e962dad6dc1a0b4e
SHA198f36c06e4a37423536e20cc570d61ac283818c0
SHA2567064bfa364769a9fbbba5c4881654012c7dbf830bb664acb8891c1c89e24bcd7
SHA5123ae7d044e40e268ce098566d238d1de4f0bfe10cb1d68429aa5496fa8e87a4286105719e5f26ae3e5fdec46a0fbe19337feba111d5313e9e470a65d86c7fa0d0
-
Filesize
4.5MB
MD5c8cb32063d37894be9ad45bdf57eed0f
SHA155aba5a8c0c574a266ccfe54c3e8ac3ac42531fa
SHA2569126e76c155f2535afbffd10fb2a9109a65c789540c434e03cf3a9c1e7df4833
SHA512c175a94e4c71dd5142b350368f122bee988a6fbeb41d3277f58739a7f0f04544dec24d70dedf1609f15a2df6ac923e2b9d8438f106fdbda820fd3bf90cb6639c
-
Filesize
15KB
MD5ece25721125d55aa26cdfe019c871476
SHA1b87685ae482553823bf95e73e790de48dc0c11ba
SHA256c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA5124e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480
-
Filesize
5KB
MD568b287f4067ba013e34a1339afdb1ea8
SHA145ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA25618e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA51206c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
4KB
MD52f69afa9d17a5245ec9b5bb03d56f63c
SHA1e0a133222136b3d4783e965513a690c23826aec9
SHA256e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0
SHA512bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926
-
Filesize
1KB
MD5c255967d9e51d1f3c7ec082ef3a911aa
SHA1c023ded36ac86c48180574dc0c5c3e6d4ed3d353
SHA2560a193cf0e1667768c2ab383d1946a88724e35789ae11a86d7f06d4b16c2956ff
SHA512d03a60427c47b068884b58b3a508ce5e4bd21f40c4c68ea4e79cdc66715f6e9ad9a4eda7ef5000ee9ff6201bc6fbed74f069fc7fbcbdc9a5ce442e0e97768229
-
Filesize
1KB
MD5b2b06f987c21b85b92253cd180819c62
SHA16f761c0a37ea8738824833be6abf1c2cd00eb96e
SHA2565d5e3317a47c7768c15d2c155de98254322f4b0299f028e00b36e9d68e4ef1ec
SHA512062d130ba49ebf88c611766e7b918b85c4e663ba43ebc0a7b7ed59dea93448262502f0f89b4ac22975b993bea4c5439f2279444b2be766c81c6bc47151422bf1
-
Filesize
1KB
MD529d39069de0b0e8c95160807fc70d4d9
SHA1a9cebc4416f025f50b6501dfdaa56a8687f03cd6
SHA2564d0cc3b439bad2502d3887a2d13b840adc464acd18da46ce0023419b8c2f2e2d
SHA512541b645c717ee74e2eff3c74a6ae265f3dc749dcc02b07cd5b41b63c1ceaddb2ac5663129d5937478c73d3510a560b8c12a31bcff570a1806edb7e62c04099b9
-
Filesize
9KB
MD56c3f8c94d0727894d706940a8a980543
SHA10d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA25656b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA5122094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355
-
Filesize
4KB
MD5fde4cc09d1c18c6cd7c1a4878e89d27e
SHA122fba21b254fed1a60da5de2b8af3cf6e132b647
SHA25643ac0b7ba9b1f91fd8d4841b8119344e6212b307a1decccf61658f31d38bb425
SHA512fcc87b93cb4dd0949e82edb7d2788d7abd317f9f4c5f046ceba1cd85a64b12b29c6baba3e8646265db02a48a2dc20c3b5e893a1334d9b1e91d26692b4e9c2d29
-
Filesize
644B
MD5f70f579156c93b097e656caba577a5c9
SHA18abfdad2ac85b7433318952b7a7e385a8c18674c
SHA256b926498a19ca95dc28964b7336e5847107dd3c0f52c85195c135d9dd6ca402d4
SHA5121e79b8e6df1ac158317d4670a01d5fb811470ace0f1f0f547ae979b3eff9bfee65770ad8134a6bddf2e871dc8fa553e146c7d7d94d2c3e139ae4b4942562b5fe
-
Filesize
2KB
MD5bc4b775a277672fc7edf956120576ecb
SHA1fe7c2db5b4d4c5a3f5603cf56c4d71cc9ee2d71d
SHA2564ec98de37193f41242c1a47507bcc4c1af555e71154f7354272bc3e664e19877
SHA512f87dc3ce52831ee308fbfa2b1b94c07e2811e7028360f046e012f8ea5a8f0ebcd362de7a663dee810c3da0791474c1485b1a2626c7867e76236156b125ff39b2
-
Filesize
6KB
MD5672e6d5f89887666ec94711e442644e0
SHA18d069ae93347316eff0dcf7aff4d22da18a62af2
SHA256b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04
SHA5128fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc
-
Filesize
6KB
MD53690cef1865e32fe6be1b2ec7656539a
SHA1bc043bec63c310a60d9e242810036460c467945d
SHA256e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25
SHA512c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051