Analysis
max time kernel: 1200s
max time network: 1175s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2024, 09:17

Static task: static1

Behavioral task: behavioral1
Sample: npp.8.6.4.portable.x64/notepad.exe
Resource: win10v2004-20240226-en
General
Target: npp.8.6.4.portable.x64/notepad.exe
Size: 6.9MB
MD5: 8279706ad64d33bf4eceb2c1becef274
SHA1: 582cd15c2d1bf27da142ced63ffe490818bf4fa7
SHA256: 712abdd019cd2e4d96cee74d94eafba8f21ffc35c99a656c228a179ba6f5b310
SHA512: 69d5f5a2ceaa10a822d24af6c0cfba91804886c7fdb634931c2c6149dec29b98a7770fa7e3cb8630a525c088c39a84382ad30556aa9d4092e4b2e356af39cf9d
SSDEEP: 98304:1UZbk6fd56GkLWD9hWfa3s+wuP8ThKV/mo:ybkRVLUhWUz/PIK55
Malware Config
Extracted configuration: wikiloader
URLs:
https://www.alabamacarhorns.com/wp-content/themes/twentytwentyfour/34uo7s.php?id=1
https://13300.org/wp-content/themes/twentytwentythree/t51kkf.php?id=1
https://alternativetracks.com/wp-content/themes/twentytwentyfour/c9wfar.php?id=1
https://www.amysinger.com/wp-content/themes/twentyten/b9un4f.php?id=1
Signatures

Wikiloader
Wikiloader is a loader and backdoor written in C++.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid   Process
2316  notepad.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2316  notepad.exe
2316  notepad.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description                       pid   Process
Token: SeShutdownPrivilege        3540  Explorer.EXE
Token: SeCreatePagefilePrivilege  3540  Explorer.EXE
Token: SeShutdownPrivilege        3540  Explorer.EXE
Token: SeCreatePagefilePrivilege  3540  Explorer.EXE
Token: SeShutdownPrivilege        3540  Explorer.EXE
Token: SeCreatePagefilePrivilege  3540  Explorer.EXE
Token: SeShutdownPrivilege        3540  Explorer.EXE
Token: SeCreatePagefilePrivilege  3540  Explorer.EXE
Token: SeShutdownPrivilege        3540  Explorer.EXE
Token: SeCreatePagefilePrivilege  3540  Explorer.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
2316  notepad.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process      procid_target
PID 2316 wrote to memory of 3540  2316  notepad.exe  56
(all 64 entries in this table are identical to the row above)
Processes

C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
PID: 3540
- Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\notepad.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\notepad.exe"
PID: 2316
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory