Overview
overview
6Static
static
1npp.8.6.3....el.exe
windows7-x64
1npp.8.6.3....el.exe
windows10-2004-x64
1npp.8.6.3....od.exe
windows7-x64
1npp.8.6.3....od.exe
windows10-2004-x64
1npp.8.6.3....ad.exe
windows7-x64
1npp.8.6.3....ad.exe
windows10-2004-x64
1npp.8.6.3....st.dll
windows7-x64
1npp.8.6.3....st.dll
windows10-2004-x64
1npp.8.6.3....er.dll
windows7-x64
1npp.8.6.3....er.dll
windows10-2004-x64
1npp.8.6.3....rt.dll
windows7-x64
1npp.8.6.3....rt.dll
windows10-2004-x64
1npp.8.6.3....ls.dll
windows7-x64
1npp.8.6.3....ls.dll
windows10-2004-x64
1npp.8.6.3....UP.exe
windows7-x64
1npp.8.6.3....UP.exe
windows10-2004-x64
6npp.8.6.3....rl.dll
windows7-x64
1npp.8.6.3....rl.dll
windows10-2004-x64
1Resubmissions
08/03/2024, 07:02
240308-ht7c5aah7z 1008/03/2024, 07:01
240308-hthprsah7v 107/03/2024, 18:00
240307-wlc17shf25 6Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2024, 18:00
Static task
static1
Behavioral task
behavioral1
Sample
npp.8.6.3.portable.x64/contextModel.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
npp.8.6.3.portable.x64/contextModel.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
npp.8.6.3.portable.x64/langsMod.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
npp.8.6.3.portable.x64/langsMod.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
npp.8.6.3.portable.x64/notepad.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
npp.8.6.3.portable.x64/notepad.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
npp.8.6.3.portable.x64/plugins/Config/nppPluginList.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
npp.8.6.3.portable.x64/plugins/Config/nppPluginList.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
npp.8.6.3.portable.x64/plugins/NppConverter/NppConverter.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
npp.8.6.3.portable.x64/plugins/NppConverter/NppConverter.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
npp.8.6.3.portable.x64/plugins/NppExport/NppExport.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
npp.8.6.3.portable.x64/plugins/NppExport/NppExport.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
npp.8.6.3.portable.x64/plugins/mimeTools/mimeTools.dll
Resource
win7-20240215-en
Behavioral task
behavioral14
Sample
npp.8.6.3.portable.x64/plugins/mimeTools/mimeTools.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
npp.8.6.3.portable.x64/updater/GUP.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
npp.8.6.3.portable.x64/updater/GUP.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
npp.8.6.3.portable.x64/updater/libcurl.dll
Resource
win7-20240215-en
Behavioral task
behavioral18
Sample
npp.8.6.3.portable.x64/updater/libcurl.dll
Resource
win10v2004-20240226-en
General
-
Target
npp.8.6.3.portable.x64/updater/GUP.exe
-
Size
818KB
-
MD5
fabdd8cc1e50874481688659ea63b7ec
-
SHA1
d498dc918010810822902df29ce54ac1766fb446
-
SHA256
d056ae6e45a62a86199dcc7d0c696469374253fba05a45c877caf28b0b897df3
-
SHA512
1bda8cd73f00f0e7fd6a924ad6234dc47a183f3f4c5a40d5ca6cc0cdd116ee07fce7a1b744cba31ab2a491e89b23f653b5d38a74eaf5138e3289c799f99b7450
-
SSDEEP
12288:PySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoQ:qqMo2aWqT2KbpIFZ6PNeTwt
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation GUP.exe -
Executes dropped EXE 1 IoCs
pid Process 2684 npp.8.6.2.Installer.exe -
Loads dropped DLL 4 IoCs
pid Process 2684 npp.8.6.2.Installer.exe 2684 npp.8.6.2.Installer.exe 2684 npp.8.6.2.Installer.exe 2684 npp.8.6.2.Installer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3160 GUP.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3160 wrote to memory of 2684 3160 GUP.exe 96 PID 3160 wrote to memory of 2684 3160 GUP.exe 96 PID 3160 wrote to memory of 2684 3160 GUP.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5c8cb32063d37894be9ad45bdf57eed0f
SHA155aba5a8c0c574a266ccfe54c3e8ac3ac42531fa
SHA2569126e76c155f2535afbffd10fb2a9109a65c789540c434e03cf3a9c1e7df4833
SHA512c175a94e4c71dd5142b350368f122bee988a6fbeb41d3277f58739a7f0f04544dec24d70dedf1609f15a2df6ac923e2b9d8438f106fdbda820fd3bf90cb6639c
-
Filesize
15KB
MD5ece25721125d55aa26cdfe019c871476
SHA1b87685ae482553823bf95e73e790de48dc0c11ba
SHA256c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA5124e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480
-
Filesize
5KB
MD568b287f4067ba013e34a1339afdb1ea8
SHA145ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA25618e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA51206c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
1KB
MD5a036c33deb74510626de054828441472
SHA1b9fd343918a1e0f8ec9b81ddecff0c8cc5fe95a3
SHA256ec727ca99c8e6cf8b25a3c6688bb1d1ddb7ca1c900a7737e3d37687532217d4b
SHA5122f08913b16292f7ba1153e256f0e9c5ceb959b95f23705f74fd76560d96907e15a9dc1ec5f146836631546e31fcd06020731af491b70e12b3b180ea213e7c007