Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 21/03/2024, 02:23
Static task: static1
Behavioral tasks (task: sample, resource)
behavioral1: npp.8.6.4.portable.x64/langsMod.exe, win7-20240215-en
behavioral2: npp.8.6.4.portable.x64/langsMod.exe, win10v2004-20240226-en
behavioral3: npp.8.6.4.portable.x64/notepad.exe, win7-20240220-en
behavioral4: npp.8.6.4.portable.x64/notepad.exe, win10v2004-20240226-en
behavioral5: npp.8.6.4.portable.x64/plugins/Config/nppPluginList.dll, win7-20240221-en
behavioral6: npp.8.6.4.portable.x64/plugins/Config/nppPluginList.dll, win10v2004-20240319-en
behavioral7: npp.8.6.4.portable.x64/plugins/NppConverter/NppConverter.dll, win7-20240221-en
behavioral8: npp.8.6.4.portable.x64/plugins/NppConverter/NppConverter.dll, win10v2004-20240226-en
behavioral9: npp.8.6.4.portable.x64/plugins/NppExport/NppExport.dll, win7-20240221-en
behavioral10: npp.8.6.4.portable.x64/plugins/NppExport/NppExport.dll, win10v2004-20240226-en
behavioral11: npp.8.6.4.portable.x64/plugins/mimeTools/mimeTools.dll, win7-20240221-en
behavioral12: npp.8.6.4.portable.x64/plugins/mimeTools/mimeTools.dll, win10v2004-20240226-en
behavioral13: npp.8.6.4.portable.x64/updater/GUP.exe, win7-20240220-en
behavioral14: npp.8.6.4.portable.x64/updater/GUP.exe, win10v2004-20240226-en
behavioral15: npp.8.6.4.portable.x64/updater/libcurl.dll, win7-20231129-en
behavioral16: npp.8.6.4.portable.x64/updater/libcurl.dll, win10v2004-20240226-en
General
Target: npp.8.6.4.portable.x64/updater/GUP.exe
Size: 818KB
MD5: 7073a8f48d526090a30c5c7e6191ca08
SHA1: 2908951eb08202ae355a4e5a6f06076725bee725
SHA256: 35663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc
SHA512: 74705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753
SSDEEP: 12288:ZySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoJ:QqMo2aWqT2KbpIFZ6PNeTw
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation (process: GUP.exe)

Executes dropped EXE (1 IoC)
PID 4928: npp.8.6.2.Installer.exe

Loads dropped DLL (4 IoCs)
PID 4928: npp.8.6.2.Installer.exe (4 DLL loads)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoC)
PID 5200: GUP.exe

Suspicious use of WriteProcessMemory (3 IoCs)
PID 5200 (GUP.exe) wrote to memory of PID 4928 (procid_target 102), 3 times
Processes
C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe (PID 5200)
  command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe (PID 4928, child of PID 5200)
    command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads