General

  • Target

    NPE.exe

  • Size

    16.2MB

  • Sample

    240222-qfhrlsac22

  • MD5

    ddfc82cf4eab81965e3ec8ca8915b00a

  • SHA1

    1e5b94be6922e6198afe39a7fc695db291bffcf6

  • SHA256

    4819d87fe9d0d0485fe85a3843a3e3ecd61ebe50a115dad01ec10275272be82a

  • SHA512

    ac08fa6aa1e55a653ad48305bf19c346d0a82a30830ae5b8c84d557e44c57511e39c68deb786044481074fb694d3827f66cb66862ac52fb4437663e82d64ba42

  • SSDEEP

    196608:dm9mJUAMfMvgTz2ENNFV8pYrqNpEdYo1NTXPJb:sCMfMQz2Ev8+rqNp1yXPJb

Malware Config

Targets

    • Target

      NPE.exe

    • Size

      16.2MB

    • MD5

      ddfc82cf4eab81965e3ec8ca8915b00a

    • SHA1

      1e5b94be6922e6198afe39a7fc695db291bffcf6

    • SHA256

      4819d87fe9d0d0485fe85a3843a3e3ecd61ebe50a115dad01ec10275272be82a

    • SHA512

      ac08fa6aa1e55a653ad48305bf19c346d0a82a30830ae5b8c84d557e44c57511e39c68deb786044481074fb694d3827f66cb66862ac52fb4437663e82d64ba42

    • SSDEEP

      196608:dm9mJUAMfMvgTz2ENNFV8pYrqNpEdYo1NTXPJb:sCMfMQz2Ev8+rqNp1yXPJb

    • Blocklisted process makes network request

    • Modifies AppInit DLL entries

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies Installed Components in the registry

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks