5af95489c5c3c6e2643a4218543e6e39b62ed6c5b4c97cef9c812ba913d4f7f2

Resubmissions

21/03/2024, 12:27

240321-pm75eada4v 10

21/03/2024, 02:23

240321-cvlj6ahf67 6

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npp.8.6.4.portable.x64/updater/GUP.exe
Size

818KB
MD5

7073a8f48d526090a30c5c7e6191ca08
SHA1

2908951eb08202ae355a4e5a6f06076725bee725
SHA256

35663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc
SHA512

74705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753
SSDEEP

12288:ZySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoJ:QqMo2aWqT2KbpIFZ6PNeTw

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	GUP.exe

Executes dropped EXE 1 IoCs

pid	Process
4928	npp.8.6.2.Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
4928	npp.8.6.2.Installer.exe
4928	npp.8.6.2.Installer.exe
4928	npp.8.6.2.Installer.exe
4928	npp.8.6.2.Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5200	GUP.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5200 wrote to memory of 4928	5200	GUP.exe	102
PID 5200 wrote to memory of 4928	5200	GUP.exe	102
PID 5200 wrote to memory of 4928	5200	GUP.exe	102

C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5200
- C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe

Filesize
168KB

MD5
c3c0014c37640a975044af858f64f813

SHA1
e806a5549fe24c779a0f6b38b7c95a2894d481e5

SHA256
1baa84aa5075334799b3776fea8bb59ed81c1dbca04a9db7e0a88be0b0de58ad

SHA512
3e78cb83d227340ccbc589a6bb8ca91f4fb391ac350cd4b9037ff98c53a80d8ec64b7ead8b769569e47c1c3e103f98ec121b276528a8cc123d297633a4e46f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe

Filesize
304KB

MD5
05a2544594323bb48bd850f8a567126c

SHA1
3807e56cc3e374e9e76700a9faa1b28a6f050269

SHA256
83ceeb403d45fcbd4c0063c8981a052c9dac16a5bfd0cda446e90da3796d61ed

SHA512
69003b0e0e9b356531cc7968ffe072a817d0db0935c66acb6cd122836154e2e4b94a4da78d87f8c5712ac2f4466553880de477e340944cf93c54ac42fb4d38f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.6.2.Installer.exe

Filesize
249KB

MD5
fe5f6278ee60f7397560dea68766ce73

SHA1
10f6f47f23c3503f1c3b28b2f63deeaed4ef9143

SHA256
e41ee3b65b7a5344c2a03ad1375195e482185ce6930866cde1de80fa95fce5cb

SHA512
75366fc5e30ead091bedf51543516c1a64ab4ac5facf6cb4d2ab037ceda3204bca94bc34fa6a78fa695af5fc71ff3857936e5d024f14b4ebbf946bcef4f065b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB807.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB807.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB807.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB807.tmp\ioSpecial.ini

Filesize
1KB

MD5
eb09bf1300dd73c7308f43474220c733

SHA1
693623a467a2fa166eff7fb0c46de0d1eb0afc55

SHA256
db3a7afd5255065de3bbf3e8139861167f603f402b0723a16242fc4cc6842ff3

SHA512
71d2f151e61e9575a392bd492c5ae3624f921883b1cb4a4cbaac59e4a8ca7cbb2463fda462d2cea37c400c72618b876827a0ee23ce93117ebebd02990feb8121

Download Submit