Resubmissions

27/03/2024, 09:17

240327-k82gjacb8v 10

27/03/2024, 02:33

240327-c2b93aag24 6

Analysis

  • max time kernel
    140s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2024, 02:33

General

  • Target

    npp.8.6.4.portable.x64/updater/GUP.exe

  • Size

    818KB

  • MD5

    7073a8f48d526090a30c5c7e6191ca08

  • SHA1

    2908951eb08202ae355a4e5a6f06076725bee725

  • SHA256

    35663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc

  • SHA512

    74705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753

  • SSDEEP

    12288:ZySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoJ:QqMo2aWqT2KbpIFZ6PNeTw

Score
6/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe
    "C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\updater\GUP.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3584
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe

      Filesize

      1.5MB

      MD5

      1fa8233c5ffa144344e309f07b709465

      SHA1

      a88a72e4e0072cc0675798c8f279e9fb3f75008f

      SHA256

      5d29ea70261951b73517da6b1e16ba6cde0738e5d1a532fedffacd1125bd6ffa

      SHA512

      725350cd80cd2bcc7896c4dc4d65d45822b9935578a89fed80575cf0f821b6fa9b2bf93538729b68bb60321393543b50d3a2d3059fac8c125c4bf004ce998c70

    • C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe

      Filesize

      2.4MB

      MD5

      6c88c0a5159e4bc4cd2dfcd80919cc4b

      SHA1

      e1546878a10a8c4277e9d8e0c70e7e04e3ea5f0a

      SHA256

      ff27d26822f7bd7d2365d75d750d2ace7b112b9a8d1ceb816c0e78ad022cc97e

      SHA512

      a2ac4f537fb9bea207a2c5eb5f9bfe9ecd47b4096826098593bb237529add730710e90c8aeb6b74e73027715cf5dd0fa903edb4b4e23ef56203de78bed662494

    • C:\Users\Admin\AppData\Local\Temp\npp.8.6.Installer.exe

      Filesize

      941KB

      MD5

      97a17d0a33b672d9b3327df1fff7647f

      SHA1

      10f33a071b345871914ec7484e9b0ac3ee108cf8

      SHA256

      0346435527f83392a3cfae38715ad26c3553905794200506b0e11b8d6ff30f93

      SHA512

      52e56af80e5e005bd0408ad129bcc90d8e7a9eaf81ba693446156455d3f79b89b7dc279281cf8d2c4e3df7f5e52200270589ad7673ce9e02a03938aacfdc14d5

    • C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\InstallOptions.dll

      Filesize

      15KB

      MD5

      ece25721125d55aa26cdfe019c871476

      SHA1

      b87685ae482553823bf95e73e790de48dc0c11ba

      SHA256

      c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

      SHA512

      4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    • C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\LangDLL.dll

      Filesize

      5KB

      MD5

      68b287f4067ba013e34a1339afdb1ea8

      SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

      SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

      SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    • C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\System.dll

      Filesize

      12KB

      MD5

      cff85c549d536f651d4fb8387f1976f2

      SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

      SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

      SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • C:\Users\Admin\AppData\Local\Temp\nsn724F.tmp\ioSpecial.ini

      Filesize

      1KB

      MD5

      450c18dc83c68bdaec8f0c5bafec02f8

      SHA1

      d06195605a2faf0c5618e5087cfd1c311a10d711

      SHA256

      96d0e583f93bdbb4fb392e6a4801302a621deed7ea2783f2dbe87596c49a09c7

      SHA512

      39c3f44ee1498c77d83834681ad962dbc2b0c75153dfde9ae7617fd63276773695e2839fee9305af1bc1e727688e7db7b99be18aa163376d50b3c501f0c582c6