4552e84edd73799b3a6e8e6d8ad0cb231d44241748ecb072c82ee9211728236c

Resubmissions

26/02/2024, 07:27

240226-jabb1sge2s 10

23/02/2024, 05:04

240223-fqsdpabe3z 6

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npp.8.6.3.portable.x64/updater/GUP.exe
Size

818KB
MD5

fabdd8cc1e50874481688659ea63b7ec
SHA1

d498dc918010810822902df29ce54ac1766fb446
SHA256

d056ae6e45a62a86199dcc7d0c696469374253fba05a45c877caf28b0b897df3
SHA512

1bda8cd73f00f0e7fd6a924ad6234dc47a183f3f4c5a40d5ca6cc0cdd116ee07fce7a1b744cba31ab2a491e89b23f653b5d38a74eaf5138e3289c799f99b7450
SSDEEP

12288:PySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoQ:qqMo2aWqT2KbpIFZ6PNeTwt

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	GUP.exe

Executes dropped EXE 1 IoCs

pid	Process
2576	npp.8.6.2.Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
2576	npp.8.6.2.Installer.exe
2576	npp.8.6.2.Installer.exe
2576	npp.8.6.2.Installer.exe
2576	npp.8.6.2.Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4388	GUP.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2576	4388	GUP.exe	85
PID 4388 wrote to memory of 2576	4388	GUP.exe	85
PID 4388 wrote to memory of 2576	4388	GUP.exe	85

C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe

Filesize
1.3MB

MD5
5d32f202faed2c305b83ff9a44dde0f3

SHA1
bfab58de9365dfacc14994de5e7a58b9d8e31c6e

SHA256
b3e8e9f39be8d5d54812dc107fdddbcc4cc46455b9216ab55ad89b0e0f61978f

SHA512
b390e113941e051ed50642d11a32a587fd7005ad9f6fa9a4896b9e46b7743ae27f1ccf3a0eb0c8f536c0c7a1d8133dbe2ac986205e7a7c30a1afef95ece0f0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe

Filesize
4.4MB

MD5
a8b2c315927f86508192decc29a46fe8

SHA1
9904175598ae965e3367b58a45b125dba2d65906

SHA256
a82768b46ecb62232d28f51d987355a76f160682b5e418b3e3ad36813ec6c45c

SHA512
a31d51770faf6610a4ce53e27a380d9473eb57dc48fa8b4d3ae511bcd06bbc2eb545e9f70f8664a0c443897cd08834f6d09afb0c784a30c0f4b99268d85763bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe

Filesize
1.4MB

MD5
db2f0d9aefbd462b9448018d8da96500

SHA1
45ec81670cc844c7f9718d29824d396eaf0b303a

SHA256
2a1f8d5275ac946c4a67d57bf62a9fc0d11490105c1bb5d773636c9c5fcfbbf1

SHA512
afa1bff72c1331979e73a204fa6052ba746505463827766ea58ab3c6ced93a8f2be15e89d21b65d94f346eb3470d2e24588f65cce9b0fb8f0b9afea3e1c82175

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3526.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3526.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3526.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3526.tmp\ioSpecial.ini

Filesize
1KB

MD5
0a68a248e30d13550e0d1671a7e3dca8

SHA1
2885fa89cb46d462fe328f6c908d50f6057404bb

SHA256
96dc6478079c053abac430d5de83e39427db6a7678d2ee37e818f2deff97ff5a

SHA512
be7859a3d85efea18d5734122daf323a446a869b72dbc227c610abe5158a293f8a0c6e9c7fd93f4e778b40a518ae0aeea20c956cce020cc7206bc1470d069e77

Download Submit