Analysis
- max time kernel: 140s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/03/2024, 02:33
Tasks
- static1 (static task)
- behavioral1: npp.8.6.4.portable.x64/langsMod.exe (resource: win7-20240221-en)
- behavioral2: npp.8.6.4.portable.x64/langsMod.exe (resource: win10v2004-20231215-en)
- behavioral3: npp.8.6.4.portable.x64/notepad.exe (resource: win7-20240221-en)
- behavioral4: npp.8.6.4.portable.x64/notepad.exe (resource: win10v2004-20240226-en)
- behavioral5: npp.8.6.4.portable.x64/plugins/Config/nppPluginList.dll (resource: win7-20240221-en)
- behavioral6: npp.8.6.4.portable.x64/plugins/Config/nppPluginList.dll (resource: win10v2004-20240226-en)
- behavioral7: npp.8.6.4.portable.x64/plugins/NppConverter/NppConverter.dll (resource: win7-20231129-en)
- behavioral8: npp.8.6.4.portable.x64/plugins/NppConverter/NppConverter.dll (resource: win10v2004-20240226-en)
- behavioral9: npp.8.6.4.portable.x64/plugins/NppExport/NppExport.dll (resource: win7-20240221-en)
- behavioral10: npp.8.6.4.portable.x64/plugins/NppExport/NppExport.dll (resource: win10v2004-20240226-en)
- behavioral11: npp.8.6.4.portable.x64/plugins/mimeTools/mimeTools.dll (resource: win7-20240221-en)
- behavioral12: npp.8.6.4.portable.x64/plugins/mimeTools/mimeTools.dll (resource: win10v2004-20240226-en)
- behavioral13: npp.8.6.4.portable.x64/updater/GUP.exe (resource: win7-20240221-en)
- behavioral14: npp.8.6.4.portable.x64/updater/GUP.exe (resource: win10v2004-20240226-en)
- behavioral15: npp.8.6.4.portable.x64/updater/libcurl.dll (resource: win7-20240221-en)
- behavioral16: npp.8.6.4.portable.x64/updater/libcurl.dll (resource: win10v2004-20240226-en)
General
- Target: npp.8.6.4.portable.x64/updater/GUP.exe
- Size: 818KB
- MD5: 7073a8f48d526090a30c5c7e6191ca08
- SHA1: 2908951eb08202ae355a4e5a6f06076725bee725
- SHA256: 35663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc
- SHA512: 74705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753
- SSDEEP: 12288:ZySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoJ:QqMo2aWqT2KbpIFZ6PNeTw
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: GUP.exe)
- Executes dropped EXE (1 IoC)
  PID 3584: npp.8.6.Installer.exe
- Loads dropped DLL (4 IoCs)
  PID 3584: npp.8.6.Installer.exe (4 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4816: GUP.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4816 (GUP.exe) wrote to the memory of PID 3584 (procid_target 100), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe (PID 4816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe (PID 3584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2304)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads