cade322bf1c5f58f44d8970de70ca83cf53d2d6ab5e43f53a8ed26a343c95309

Resubmissions

17/04/2024, 17:04

240417-vlpvbshe81 10

17/04/2024, 16:36

240417-t384vsfe75 6

Analysis

max time kernel
92s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npp.8.6.3.portable.x64/updater/GUP.exe
Size

818KB
MD5

fabdd8cc1e50874481688659ea63b7ec
SHA1

d498dc918010810822902df29ce54ac1766fb446
SHA256

d056ae6e45a62a86199dcc7d0c696469374253fba05a45c877caf28b0b897df3
SHA512

1bda8cd73f00f0e7fd6a924ad6234dc47a183f3f4c5a40d5ca6cc0cdd116ee07fce7a1b744cba31ab2a491e89b23f653b5d38a74eaf5138e3289c799f99b7450
SSDEEP

12288:PySK0M5qRxaBr5wFNbgpA0WUVzOR63AczZXBS3CNmBDIOh68ADKbp34zZZ6dNNoQ:qqMo2aWqT2KbpIFZ6PNeTwt

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	GUP.exe

Executes dropped EXE 1 IoCs

pid	Process
4948	npp.8.6.5.Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
4948	npp.8.6.5.Installer.exe
4948	npp.8.6.5.Installer.exe
4948	npp.8.6.5.Installer.exe
4948	npp.8.6.5.Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1888	GUP.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 4948	1888	GUP.exe	88
PID 1888 wrote to memory of 4948	1888	GUP.exe	88
PID 1888 wrote to memory of 4948	1888	GUP.exe	88

C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.6.3.portable.x64\updater\GUP.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe

Filesize
4.5MB

MD5
6f7e2e04a4e06254fd1454515eb0331d

SHA1
ba940c6b526da1ce127f43b835b4d8c9d5c4b59c

SHA256
5180a17f24df75ccc000cdc2904b14c865ccfd7521909bf06cc75189a65c3e2f

SHA512
b230bea0ea463a34c3f01c5714d2dbd8dc9023ac373e46f4ec821fabb876d977fe3f5814740e903650a3d604422fef12bd7bbab7e1b531d9688af8111b30d859

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc5A18.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc5A18.tmp\LangDLL.dll

Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc5A18.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc5A18.tmp\ioSpecial.ini

Filesize
1KB

MD5
10aef414e2a6432e12c78a074fb5cf85

SHA1
ba2472189bc8bbafa1e692e61c5fb222bc0a6910

SHA256
d75837ac487f07e229f650afab92bf56aad5b8395673c69b4525f82be973f1b2

SHA512
e4c2f8d1951943f9ce150118cbc9f3e26bee3f628921589b04c2b1df5ad1644ad7ae67012ddc26b9627fad38b993908c9422517bab9bd9e60eb2c0a08bb2b011

Download Submit