Resubmissions
31-05-2024 02:35
240531-c2575sdc55 1028-04-2024 02:14
240428-cn9neaed3x 1028-04-2024 02:13
240428-cnrslaed2t 128-04-2024 02:12
240428-cnbrdaea24 126-04-2024 00:04
240426-acp4hsgd2y 826-04-2024 00:01
240426-aavk8agd44 825-04-2024 23:58
240425-3z845agc9v 1025-04-2024 23:54
240425-3x5zpagc8x 10Analysis
-
max time kernel
76s -
max time network
80s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
25-04-2024 23:58
General
-
Target
http://185.215.113.66/npp.exe
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 8 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 51 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://185.215.113.66/npp.exe1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\npp.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\npp.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\973616285.exeC:\Users\Admin\AppData\Local\Temp\973616285.exe3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1348521519.exeC:\Users\Admin\AppData\Local\Temp\1348521519.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3299913357.exeC:\Users\Admin\AppData\Local\Temp\3299913357.exe4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2535922855.exeC:\Users\Admin\AppData\Local\Temp\2535922855.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3115514132.exeC:\Users\Admin\AppData\Local\Temp\3115514132.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3143138075.exeC:\Users\Admin\AppData\Local\Temp\3143138075.exe5⤵
- Executes dropped EXE
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnpublishSelect.wvx"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a8c1598768e7d9a458609bd1c6ab485f
SHA14306953252074a1a99cf14ea66ed0306571fcbf2
SHA256f06a95c7dbcbc0789f4c15d24e15128ee0c939ce963a1e63936d8661a4c0afe6
SHA51281db46e95acfac7fd7b77d3d64fcfaeb0cf3b46be12c36afa04b163c662bdac08d36ff4fe39a84241a1a368e80713da3e878d33e3172f4e5f0cd0723b363682b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cd61271f8fc7de714cfab5379d9e169c
SHA151fba842b5badff2c0d9cea399bc903d99a1d48d
SHA256bf64de0b2a3d81fb8192e4f8d4a48c59a8d74ca08ad4b9af5c06459aa9a277f1
SHA5125b0623fda2511124cb705e1ba6e05cc734f37366f09586004beb4334c55a346de3a56155e263ac6f3e4e632bf85678d680f153aeb7ac74777e7a97d6adb7dffc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD59ff8f3e9575b2206b5452c13d469337e
SHA11c9a0ca1067483e0878d584eefbcfd1926a85af4
SHA256a507935a699ba6b85ad1b16da7794033bf2783ead2429361b061ea67c6fa2fbb
SHA5121ea695ee319807b176df7ac1f2be750233ed8d7e4fcea4be4aa7bcdd40a8a6bd9845146e8a78b7a53043e1e131b2f2629d5049ed2732ee5af2565bd0e80cd0fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5344a79ef7e1d6c503b7e8e32d0cd543c
SHA1e79c7a5f98f7c0b04cd403b705cea26680dd9fad
SHA2565bf2acd6073d4364a443968ad9f11e824d49a75b24ee3d87d13136e67ac65070
SHA512fda2121573544690d01797a7d43f467da91c1cf3393da84ed415e31384ffde29fdb6b3dac7b7bbf279f15e83acc72178c8315051e010d5c1a3dcc8b508eddbb7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD55de82709c46821edcb7cd09248cc00fe
SHA124f5979b26ea6a062b188cc4db1926323f90f899
SHA256cdac9c8fa9c0e61470494917240041f19e436e05eb6991eac9eb59ba35da1efe
SHA512088792fa8c9aa85d7e5e796253989ede43c5dfa08bd9914f84ad6b7022cafd684e343640adee59bd8b5f39dab8c34cb03afb194f8733c59fb0c230e51864cd83
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5868747cbe10c09251aaef9e68d62fa00
SHA1bc6c99c19620225951fdc198060b1ae8abdb63af
SHA2567a90b966f780c959e54f7a8da149e620f842c0ac15a455274f0ccc52a34ced97
SHA51237f8c4325ca9b4c3966007b431c70624590f5d080b6e7ce95dc815502d3c8e19343053ed5b203dc565e43751b4965416d2c4466b8f1b01d299909b3118238bf3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b353ebef5509971cff29029098257f60
SHA1b2b6022015baca8ba23fcc9a303ad43920e536e5
SHA25683e00599fe50f58fad71787dd97b0d39eb32e219fc60acb4196a8eb829d86bea
SHA5123f032cf29af36bb2fcd089bfbde6603896b83d316e561c422c6c98b6f0627d13e9cacd591a7b4b969188abef7c40f8e8e3c93ab5924a367c8763688483c9d4fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ee5a06a48c9a2e474238a046d0e03a5f
SHA1e375c9568e661a586da1a55f35a2d82f44e9bee1
SHA256d0d863b7180ac835a2b228a5e643e50075b17cc655d441317aa6410c9c8a14a2
SHA512babe57e9d1f20014c66e5206819544f4f339c26a41702749a758a12f4fd56cc4e520a21b899049514e395f1db3e46ba9353b867a82a3a248333c3374c17517e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50578329072f9599071424542c9cd0cf2
SHA15092bfc900c678b0790fa6e6935b528a11119158
SHA25650df78ffbb6efabcea223dcf6acdc846e14a81fe27cbfd4faf3cfef8d4be29af
SHA5120f8b39abc3cb7947ec0567e22d22f6064d4939e8b8e810189f35991a090b3606aec784d01519763d5976a47378ec072c35b88eb534a720d126bba8bfd3b82eed
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.datFilesize
5KB
MD547148de793b82b5f9d96eaa95d9b6493
SHA12f5615ae7c6b9b1295f9de629e6d386df5e922f9
SHA256990568ee474fd31df6b201ae8239e1c841f88305bd42aeb3fbfa029b841f16c0
SHA5128a27b69baa2dfbe5c2348c02f681030612a9485235d9db79ed8b2386047110d1100619abbf5766d2ed037c518d9305feb690a919fd1acc6f182b3986ecd11c0f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\_3[1]Filesize
8KB
MD56eacd33bee969b1ca75e7255804819e4
SHA1b89d21fe64f2a36f2022fe905a072bdfe432f392
SHA256b0cd888ec409d1c25055a7f1e9ca5f65309f782557844d245da2b4637f17f41b
SHA5121c126fdcef507f0bfaf4b5dd74594a0be26422cceaea399bf0e411a86157ba8811e8eb4215a0a0a21e55e6b13fc275d62cece9f22cb89dbe4d9cc9638209e674
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\qsml[1].xmlFilesize
514B
MD515f78d673da93352d982b053a3d2e316
SHA120a2ad0a7a2aeb62844b0f7b6d3ec517d0c0cea8
SHA2567506f2f255be383df429b4f0afea6326940791380798c80aaf6959c9b3428587
SHA5120ba001a67ff51c3a841026b348e1842fad434a0420d860b2238266494141f45be58ba5e34d5ccb2091d1ee6fce70051bf677964af04ea180fbf8f1058f52a7f9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\qsml[2].xmlFilesize
530B
MD52ee67a481b23648724d4a3a5b9fa1766
SHA11d484a4526cb4958c7294effa4d8c4c32292f333
SHA2560318840d6e1a58f513867ecc885db8f20097d4b292b2a2b26802d15268a2eb07
SHA512b46f446a94d35ab00df10551802ec0f087c0ed18eb0bd7397c27fcc898ba0dd3b5bef4e5557467336886ba5f690aeb507453f289077514d923e28a2d8c2d6377
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\qsml[3].xmlFilesize
558B
MD59d16e4af0e56e362e191ee2451b24bbc
SHA131f973bf70da2fac659a3fbab0ad4ec48c4c3ce7
SHA2568588afbd7e214c493028cc59214c7382ad26fdf1b175d0c1a9548fef887eb265
SHA51230db4cfc821917604ef0544ce7edb09c386fc726e77324e5010f596c4851f57a0a24ceaa65b97108ce47ffcaad96b7e182f46751f3fac33695fb0042f2fe1bf5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\qsml[4].xmlFilesize
580B
MD5d078ea9919c008dd5c9e5728579c55c6
SHA145fecc2b03c41baa914a60a362d78abb3e2b7cfc
SHA256c9fb515bd1cea741430a4b510c9f60e09b3d40bd97294fe13743d86ef3e098d5
SHA5129423af941f34dc248feda24efa9bf316e3437dc1239431e6432a0015b199a66f09ecf7d336fabd3f51ec41f2c7c26f6e36ba61365f7aac7781ef9dff5bc8885b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\favicon[1].icoFilesize
5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\npp[1].exeFilesize
9KB
MD52ea6c5e97869622dfe70d2b34daf564e
SHA145500603bf8093676b66f056924a71e04793827a
SHA2565f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3
SHA512f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43
-
C:\Users\Admin\AppData\Local\Temp\Cab9EB0.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Cab9F8F.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Tar9FB4.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\~DF074762DF6D2BF454.TMPFilesize
16KB
MD50135896e3340f1366d59032b2d38efd8
SHA1dcd6332aeff23eeb4daa6caed91a9fc6a01339c8
SHA25601bc41e9fa6b2f83bce6a6892829ab87f958359c0cbc73ec5fadee7a2a2b5dd4
SHA512df56b3fb33575a94608161ea1639323dc75be3087bfe093bcc1b72f2bd3557d76311f80bf19122bdcfa82c3fe5f3bf239838a82d52219b5b93337d84b58c34d3
-
\Users\Admin\AppData\Local\Temp\1348521519.exeFilesize
84KB
MD5cd1d9c0ed8763e6bb3ee7efb133dc60e
SHA1f6f3bea085ba7c13a2956fc0810c2034792f2ddf
SHA25619ee79b7852c54de5883404f049f9e85cb0085bae8132ada3e46d6f75b24b100
SHA51277b675fdbfc11bff45e2438cb1bd73b7fbfa03771c600e37171f684141c82f356e392ba2694285390aedbb3ecd3306a3c0f8687d0a1940d8d44cae3a7fc41591
-
\Users\Admin\AppData\Local\Temp\2535922855.exeFilesize
7KB
MD55a3abf2d99e1d6ebace7ae59d286ec17
SHA14fafd267a828ba66bb8ba0ec620b2bfff93f77d1
SHA2563775c7888a3571a039b1415779a915e6dc806eaf0459eb551cbfb9b78c68f9f6
SHA5121775cc5e2f5c8ad36437b086523e191fe31c441c99c39cf21af672e2beaa7987808b24a99960720731749dc33f8cb976e9ef6de5840a7f4e92c02b3c4b073bc1
-
\Users\Admin\AppData\Local\Temp\3299913357.exeFilesize
14KB
MD5d085f41fe497a63dc2a4882b485a2caf
SHA19dc111412129833495f19d7b8a5500cf7284ad68
SHA256fb11b4e2d26812e26ea7428f3b0b9bb8a16814188250fa60697c7aec40a49bd0
SHA512ed4d8e297094248fb536154ed0427f4cc1832f339ce29d0f782971ede42fa2b9e5f953f73e71d0cfc026e5fd2ec0f7062410af359fd940a14f277adca37fc106
-
\Users\Admin\AppData\Local\Temp\973616285.exeFilesize
84KB
MD536010b83bccfcd1032971df9fc5082a1
SHA19967b83065e3ad82cd6c0c3b02cf08ab707fde3e
SHA25699c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98
SHA512c8008923315d86c06b57e47d9bf81cec47cda0dec6d9f8aa57d7b4c57c7138997486a6f60eb0015bc99755afeb3d943bc8d9ba83dbb8c9219fa4990296de1def
-
memory/2252-662-0x000000013FAD0000-0x000000013FBC8000-memory.dmpFilesize
992KB
-
memory/2252-663-0x000007FEF7C30000-0x000007FEF7C64000-memory.dmpFilesize
208KB
-
memory/2252-664-0x000007FEF6220000-0x000007FEF64D4000-memory.dmpFilesize
2.7MB
-
memory/2252-665-0x000007FEF4E00000-0x000007FEF5EAB000-memory.dmpFilesize
16.7MB
-
memory/2252-666-0x000007FEF3D60000-0x000007FEF3E72000-memory.dmpFilesize
1.1MB