Overview

score | task | platform
6 | Static | -
1 | npp.8.6.3....el.exe | windows7-x64
1 | npp.8.6.3....el.exe | windows10-2004-x64
1 | npp.8.6.3....od.exe | windows7-x64
1 | npp.8.6.3....od.exe | windows10-2004-x64
1 | npp.8.6.3....ad.exe | windows7-x64
1 | npp.8.6.3....ad.exe | windows10-2004-x64
1 | npp.8.6.3....st.dll | windows7-x64
1 | npp.8.6.3....st.dll | windows10-2004-x64
1 | npp.8.6.3....er.dll | windows7-x64
1 | npp.8.6.3....er.dll | windows10-2004-x64
1 | npp.8.6.3....rt.dll | windows7-x64
1 | npp.8.6.3....rt.dll | windows10-2004-x64
1 | npp.8.6.3....ls.dll | windows7-x64
1 | npp.8.6.3....ls.dll | windows10-2004-x64
1 | npp.8.6.3....UP.exe | windows7-x64
1 | npp.8.6.3....UP.exe | windows10-2004-x64
6 | npp.8.6.3....rl.dll | windows7-x64
1 | npp.8.6.3....rl.dll | windows10-2004-x64
Analysis

max time kernel: 144s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/02/2024, 05:04
Static task: static1

Behavioral tasks

task | Sample | Resource
behavioral1 | npp.8.6.3.portable.x64/contextModel.exe | win7-20240221-en
behavioral2 | npp.8.6.3.portable.x64/contextModel.exe | win10v2004-20240221-en
behavioral3 | npp.8.6.3.portable.x64/langsMod.exe | win7-20240221-en
behavioral4 | npp.8.6.3.portable.x64/langsMod.exe | win10v2004-20240221-en
behavioral5 | npp.8.6.3.portable.x64/notepad.exe | win7-20240221-en
behavioral6 | npp.8.6.3.portable.x64/notepad.exe | win10v2004-20240221-en
behavioral7 | npp.8.6.3.portable.x64/plugins/Config/nppPluginList.dll | win7-20240221-en
behavioral8 | npp.8.6.3.portable.x64/plugins/Config/nppPluginList.dll | win10v2004-20240221-en
behavioral9 | npp.8.6.3.portable.x64/plugins/NppConverter/NppConverter.dll | win7-20240221-en
behavioral10 | npp.8.6.3.portable.x64/plugins/NppConverter/NppConverter.dll | win10v2004-20240221-en
behavioral11 | npp.8.6.3.portable.x64/plugins/NppExport/NppExport.dll | win7-20240221-en
behavioral12 | npp.8.6.3.portable.x64/plugins/NppExport/NppExport.dll | win10v2004-20240221-en
behavioral13 | npp.8.6.3.portable.x64/plugins/mimeTools/mimeTools.dll | win7-20240221-en
behavioral14 | npp.8.6.3.portable.x64/plugins/mimeTools/mimeTools.dll | win10v2004-20240221-en
behavioral15 | npp.8.6.3.portable.x64/updater/GUP.exe | win7-20240221-en
behavioral16 | npp.8.6.3.portable.x64/updater/GUP.exe | win10v2004-20240221-en
behavioral17 | npp.8.6.3.portable.x64/updater/libcurl.dll | win7-20240221-en
behavioral18 | npp.8.6.3.portable.x64/updater/libcurl.dll | win10v2004-20240221-en
General

Target: npp.8.6.3.portable.x64/updater/GUP.exe
Size: 818KB
MD5: fabdd8cc1e50874481688659ea63b7ec
SHA1: d498dc918010810822902df29ce54ac1766fb446
SHA256: d056ae6e45a62a86199dcc7d0c696469374253fba05a45c877caf28b0b897df3
SHA512: 1bda8cd73f00f0e7fd6a924ad6234dc47a183f3f4c5a40d5ca6cc0cdd116ee07fce7a1b744cba31ab2a491e89b23f653b5d38a74eaf5138e3289c799f99b7450
SSDEEP: 12288:PySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoQ:qqMo2aWqT2KbpIFZ6PNeTwt
Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | GUP.exe

Executes dropped EXE (1 IoC)
pid | Process
2576 | npp.8.6.2.Installer.exe
Note that the analysed package is 8.6.3 while the executable the updater dropped and ran is npp.8.6.2.Installer.exe; the report does not explain the version mismatch.

Loads dropped DLL (4 IoCs)
pid | Process
2576 | npp.8.6.2.Installer.exe (the same row is listed four times; the DLLs are not named)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4388 | GUP.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4388 wrote to memory of 2576 | 4388 | GUP.exe | 85
(the same row is listed three times)
All three writes target PID 2576, the installer that GUP.exe itself launched (see Processes). A parent writing into a child it has just created is the normal process-creation pattern, so this row on its own is not evidence of injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe"
   PID: 4388
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"
      PID: 2576
      - Executes dropped EXE
      - Loads dropped DLL
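The "Executes dropped EXE" and "Loads dropped DLL" rows above are both instances of one rule: a file that a monitored process writes during the run is later started as a process or mapped as an image. The following is an added example of that detection logic run over a constructed event stream, not code from the sandbox or from Notepad++. The event tuple layout (kind, pid, path, parent_pid) is an assumption of this example; the PIDs and paths mirror this report, and the DLL under nsExample.tmp is a placeholder name because the report does not name the four dropped DLLs.

```python
"""Detect 'dropped then executed/loaded' artifacts in a chronological event stream.

Added example (not the sandbox's or Notepad++'s code). Event layout and the
sample events below are constructed to mirror this report.
"""

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed, chronological events: (kind, pid, path, parent_pid).
# parent_pid is only populated on process_start events.
SAMPLE_EVENTS = [
    ("process_start", 4388, TEMP + r"\npp.8.6.3.portable.x64\updater\GUP.exe", None),
    ("file_write",    4388, TEMP + r"\npp.8.6.2.Installer.exe", None),
    ("process_start", 2576, TEMP + r"\npp.8.6.2.Installer.exe", 4388),
    ("file_write",    2576, TEMP + r"\nsExample.tmp\Example.dll", None),  # placeholder name
    ("image_load",    2576, TEMP + r"\nsExample.tmp\Example.dll", None),
    ("image_load",    2576, r"C:\Windows\System32\kernel32.dll", None),   # not dropped: ignored
    ("image_load",    4388, r"C:\Windows\System32\user32.dll", None),     # not dropped: ignored
]


def find_dropped_artifacts(events):
    """Return one hit per start/load of a path that was written EARLIER in the stream.

    Paths are compared case-insensitively (NTFS semantics). Because this is a
    single forward pass, a write that happens after the load never counts as a drop.
    """
    dropped = {}  # normalised path -> pid that first wrote it
    hits = []
    for kind, pid, path, parent in events:
        key = path.lower()
        if kind == "file_write":
            dropped.setdefault(key, pid)
        elif kind == "process_start" and key in dropped:
            hits.append({"signature": "Executes dropped EXE", "pid": pid,
                         "parent": parent, "dropped_by": dropped[key], "path": path})
        elif kind == "image_load" and key in dropped:
            hits.append({"signature": "Loads dropped DLL", "pid": pid,
                         "dropped_by": dropped[key], "path": path})
    return hits


def summarise(hits):
    """Collapse hits into the report's 'signature -> IoC count' form."""
    counts = {}
    for hit in hits:
        counts[hit["signature"]] = counts.get(hit["signature"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_dropped_artifacts(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(summarise(found))
```

The `dropped_by` field is what separates a self-extracting installer loading its own temp DLLs (writer and loader are the same PID) from the cross-process case in this report, where GUP.exe (4388) wrote the installer that then ran as PID 2576.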
Network

MITRE ATT&CK Enterprise v15

Downloads

Filesize: 1.3MB
MD5: 5d32f202faed2c305b83ff9a44dde0f3
SHA1: bfab58de9365dfacc14994de5e7a58b9d8e31c6e
SHA256: b3e8e9f39be8d5d54812dc107fdddbcc4cc46455b9216ab55ad89b0e0f61978f
SHA512: b390e113941e051ed50642d11a32a587fd7005ad9f6fa9a4896b9e46b7743ae27f1ccf3a0eb0c8f536c0c7a1d8133dbe2ac986205e7a7c30a1afef95ece0f0f3

Filesize: 4.4MB
MD5: a8b2c315927f86508192decc29a46fe8
SHA1: 9904175598ae965e3367b58a45b125dba2d65906
SHA256: a82768b46ecb62232d28f51d987355a76f160682b5e418b3e3ad36813ec6c45c
SHA512: a31d51770faf6610a4ce53e27a380d9473eb57dc48fa8b4d3ae511bcd06bbc2eb545e9f70f8664a0c443897cd08834f6d09afb0c784a30c0f4b99268d85763bf

Filesize: 1.4MB
MD5: db2f0d9aefbd462b9448018d8da96500
SHA1: 45ec81670cc844c7f9718d29824d396eaf0b303a
SHA256: 2a1f8d5275ac946c4a67d57bf62a9fc0d11490105c1bb5d773636c9c5fcfbbf1
SHA512: afa1bff72c1331979e73a204fa6052ba746505463827766ea58ab3c6ced93a8f2be15e89d21b65d94f346eb3470d2e24588f65cce9b0fb8f0b9afea3e1c82175

Filesize: 15KB
MD5: ece25721125d55aa26cdfe019c871476
SHA1: b87685ae482553823bf95e73e790de48dc0c11ba
SHA256: c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA512: 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Filesize: 5KB
MD5: 68b287f4067ba013e34a1339afdb1ea8
SHA1: 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA256: 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA512: 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Filesize: 12KB
MD5: cff85c549d536f651d4fb8387f1976f2
SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Filesize: 1KB
MD5: 0a68a248e30d13550e0d1671a7e3dca8
SHA1: 2885fa89cb46d462fe328f6c908d50f6057404bb
SHA256: 96dc6478079c053abac430d5de83e39427db6a7678d2ee37e818f2deff97ff5a
SHA512: be7859a3d85efea18d5734122daf323a446a869b72dbc227c610abe5158a293f8a0c6e9c7fd93f4e778b40a518ae0aeea20c956cce020cc7206bc1470d069e77
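Two things a practitioner wants to reproduce from this report: the "Downloads MZ/PE file" signature (is a downloaded blob actually a PE image, and for which architecture?) and the hash set published for each download. The following is an added example, not code from the sandbox or from Notepad++. The PE parsing follows the standard MZ/PE header layout; `build_minimal_pe` produces a constructed 88-byte header for testing, and `KNOWN_SHA256` is copied from the Downloads list above. The report does not say which download each hash belongs to, so the lookup is set membership only.

```python
"""Identify MZ/PE downloads and fingerprint them with the report's hash set.

Added example (not the sandbox's or Notepad++'s code). KNOWN_SHA256 is taken
from this report's Downloads section; the sample header is constructed.
"""
import hashlib
import struct

# SHA256 values from the Downloads section of this report (unnamed files).
KNOWN_SHA256 = {
    "b3e8e9f39be8d5d54812dc107fdddbcc4cc46455b9216ab55ad89b0e0f61978f",
    "a82768b46ecb62232d28f51d987355a76f160682b5e418b3e3ad36813ec6c45c",
    "2a1f8d5275ac946c4a67d57bf62a9fc0d11490105c1bb5d773636c9c5fcfbbf1",
    "c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf",
    "18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026",
    "8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8",
    "96dc6478079c053abac430d5de83e39427db6a7678d2ee37e818f2deff97ff5a",
}

# COFF header Machine values and the IMAGE_FILE_DLL characteristic bit.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "arm", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000


def pe_info(data):
    """Return None unless data is MZ + e_lfanew -> 'PE\\0\\0' + a full COFF header.

    Otherwise return the decoded Machine field (the arch:x64 / arch:x86 tags in the
    report), the DLL flag and the section count.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4) + COFF header (20) must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symptr, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine,
            "arch": MACHINE_NAMES.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sections": nsections}


def fingerprint(data):
    """The same four digests the report lists per download."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def classify_download(data, known=KNOWN_SHA256):
    """Combine the MZ/PE check with a lookup against the report's SHA256 set."""
    info = pe_info(data)
    hashes = fingerprint(data)
    return {"is_pe": info is not None, "pe": info, "hashes": hashes,
            "matches_report": hashes["sha256"] in known}


def build_minimal_pe(machine=0x8664, characteristics=0x0022):
    """Constructed test input: DOS header with e_lfanew=0x40, then 'PE\\0\\0' + COFF header.

    0x0022 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(classify_download(build_minimal_pe()))
```

A hash match only tells you the blob is the same bytes the sandbox saw; it says nothing about whether the download was the legitimate installer. For an updater like GUP.exe the check that matters in production is the Authenticode signature on the downloaded image, which this report does not record.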