9af7cff793aa9a53b890331046d268e3627bb2a6b5613cdb49619c07412ccc03

Resubmissions

27/03/2024, 09:17

240327-k82gjacb8v 10

27/03/2024, 02:33

240327-c2b93aag24 6

Analysis

max time kernel
140s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npp.8.6.4.portable.x64/updater/GUP.exe
Size

818KB
MD5

7073a8f48d526090a30c5c7e6191ca08
SHA1

2908951eb08202ae355a4e5a6f06076725bee725
SHA256

35663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc
SHA512

74705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753
SSDEEP

12288:ZySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoJ:QqMo2aWqT2KbpIFZ6PNeTw

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	GUP.exe

Executes dropped EXE 1 IoCs

pid	Process
3584	npp.8.6.Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
3584	npp.8.6.Installer.exe
3584	npp.8.6.Installer.exe
3584	npp.8.6.Installer.exe
3584	npp.8.6.Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4816	GUP.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3584	4816	GUP.exe	100
PID 4816 wrote to memory of 3584	4816	GUP.exe	100
PID 4816 wrote to memory of 3584	4816	GUP.exe	100

C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe

Filesize
1.5MB

MD5
1fa8233c5ffa144344e309f07b709465

SHA1
a88a72e4e0072cc0675798c8f279e9fb3f75008f

SHA256
5d29ea70261951b73517da6b1e16ba6cde0738e5d1a532fedffacd1125bd6ffa

SHA512
725350cd80cd2bcc7896c4dc4d65d45822b9935578a89fed80575cf0f821b6fa9b2bf93538729b68bb60321393543b50d3a2d3059fac8c125c4bf004ce998c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe

Filesize
2.4MB

MD5
6c88c0a5159e4bc4cd2dfcd80919cc4b

SHA1
e1546878a10a8c4277e9d8e0c70e7e04e3ea5f0a

SHA256
ff27d26822f7bd7d2365d75d750d2ace7b112b9a8d1ceb816c0e78ad022cc97e

SHA512
a2ac4f537fb9bea207a2c5eb5f9bfe9ecd47b4096826098593bb237529add730710e90c8aeb6b74e73027715cf5dd0fa903edb4b4e23ef56203de78bed662494

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe

Filesize
941KB

MD5
97a17d0a33b672d9b3327df1fff7647f

SHA1
10f33a071b345871914ec7484e9b0ac3ee108cf8

SHA256
0346435527f83392a3cfae38715ad26c3553905794200506b0e11b8d6ff30f93

SHA512
52e56af80e5e005bd0408ad129bcc90d8e7a9eaf81ba693446156455d3f79b89b7dc279281cf8d2c4e3df7f5e52200270589ad7673ce9e02a03938aacfdc14d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\ioSpecial.ini

Filesize
1KB

MD5
450c18dc83c68bdaec8f0c5bafec02f8

SHA1
d06195605a2faf0c5618e5087cfd1c311a10d711

SHA256
96d0e583f93bdbb4fb392e6a4801302a621deed7ea2783f2dbe87596c49a09c7

SHA512
39c3f44ee1498c77d83834681ad962dbc2b0c75153dfde9ae7617fd63276773695e2839fee9305af1bc1e727688e7db7b99be18aa163376d50b3c501f0c582c6

Download Submit