Analysis
-
max time kernel
1175s -
max time network
1160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
26/02/2024, 07:27
Static task
static1
Behavioral task
behavioral1
Sample
npp.8.6.3.portable.x64/notepad.exe
Resource
win10v2004-20240221-en
windows10-2004-x64
6 signatures
1200 seconds
General
-
Target
npp.8.6.3.portable.x64/notepad.exe
-
Size
6.9MB
-
MD5
2cd84602fc2428e0db00dbce5e20dc80
-
SHA1
965a62dbba7cbb95b6a7694dc33963ffb105819a
-
SHA256
4e271372528a9b439d99a7376fc1ac9c67884226a2f7bcbe2f68694c80548287
-
SHA512
a6f715224a5e9ffb35833591bdc5cf1b76da479c2a6fd2108d921526708f918e6d5d2e9569c879d1d4c76e4606cdd271364b6f85acd8c811439bd08b61665fd2
-
SSDEEP
98304:QtGdbdZUv5vuLYgtbUK5b8PTnwe65w/mod:Rdbvou8guK52TP6525
Score
10/10
Malware Config
Extracted
Family
wikiloader
C2
https://carritosdelacompra.com/wp-content/themes/twentytwentytwo/nnzknr.php?id=1
https://propertystats.net/wp-content/themes/twentytwentythree/hyhnv3.php?id=1
https://www.erasnetwork.eu/wp-content/themes/twentytwentyfour/dqyzqp.php?id=1
https://www.marioagozzino.it/wp-content/themes/twentytwentyfour/c2hitq.php?id=1
Signatures
-
Wikiloader
Wikiloader is a loader and backdoor written in C++.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 1432 notepad.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1432 notepad.exe 1432 notepad.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 3444 Explorer.EXE Token: SeCreatePagefilePrivilege 3444 Explorer.EXE Token: SeShutdownPrivilege 3444 Explorer.EXE Token: SeCreatePagefilePrivilege 3444 Explorer.EXE Token: SeShutdownPrivilege 3444 Explorer.EXE Token: SeCreatePagefilePrivilege 3444 Explorer.EXE Token: SeShutdownPrivilege 3444 Explorer.EXE Token: SeCreatePagefilePrivilege 3444 Explorer.EXE Token: SeShutdownPrivilege 3444 Explorer.EXE Token: SeCreatePagefilePrivilege 3444 Explorer.EXE Token: SeShutdownPrivilege 3444 Explorer.EXE Token: SeCreatePagefilePrivilege 3444 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1432 notepad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36 PID 1432 wrote to memory of 3444 1432 notepad.exe 36
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\notepad.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\notepad.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432
-