cd4d052237893068f83ba8d073f95217dbe96c4a0373cf17427203c796cf6565

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NPLoader.exe
Size

11.8MB
MD5

97f3bcb4bbe689cf6c389a655fc1dff9
SHA1

496eb7022d33177493a7600c9a2f8ef7ed262081
SHA256

cd4d052237893068f83ba8d073f95217dbe96c4a0373cf17427203c796cf6565
SHA512

7c42cb431b6e9998911070eb606e0d1e9db56b734f10167d72c15c24ec302c7d8d699035885e6b9ddd1592fa3095e16a2594a000b06a636a7e6fe74481b25981
SSDEEP

196608:gLygabBD8w5H2U3TSj/CzFkBdHtIT2qHNzJPKzTdAGebLqMAp0NMS6AXkrL3XnO7:gegabeAmj/CzFkLNIT2clJSzT6G2Lr6V

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1192	NPLoader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1192	NPLoader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1972	1192	NPLoader.exe	29
PID 1192 wrote to memory of 1972	1192	NPLoader.exe	29
PID 1192 wrote to memory of 1972	1192	NPLoader.exe	29
PID 1972 wrote to memory of 2936	1972	cmd.exe	30
PID 1972 wrote to memory of 2936	1972	cmd.exe	30
PID 1972 wrote to memory of 2936	1972	cmd.exe	30
PID 1972 wrote to memory of 2548	1972	cmd.exe	31
PID 1972 wrote to memory of 2548	1972	cmd.exe	31
PID 1972 wrote to memory of 2548	1972	cmd.exe	31
PID 1972 wrote to memory of 2092	1972	cmd.exe	32
PID 1972 wrote to memory of 2092	1972	cmd.exe	32
PID 1972 wrote to memory of 2092	1972	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\NPLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NPLoader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NPLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NPLoader.exe" MD5
    3⤵
    PID:2936
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2548
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-60-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1192-58-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1192-56-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1192-55-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/1192-53-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/1192-51-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/1192-50-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1192-48-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1192-46-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1192-45-0x0000000077850000-0x0000000077852000-memory.dmp

Filesize
8KB

Download
memory/1192-43-0x0000000077850000-0x0000000077852000-memory.dmp

Filesize
8KB

Download
memory/1192-41-0x0000000077850000-0x0000000077852000-memory.dmp

Filesize
8KB

Download
memory/1192-40-0x000000013FEFD000-0x000000014066C000-memory.dmp

Filesize
7.4MB

Download
memory/1192-39-0x0000000077840000-0x0000000077842000-memory.dmp

Filesize
8KB

Download
memory/1192-37-0x0000000077840000-0x0000000077842000-memory.dmp

Filesize
8KB

Download
memory/1192-35-0x0000000077840000-0x0000000077842000-memory.dmp

Filesize
8KB

Download
memory/1192-34-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1192-32-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1192-30-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1192-29-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/1192-27-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/1192-25-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/1192-24-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/1192-22-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/1192-20-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/1192-19-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1192-17-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1192-15-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1192-14-0x00000000777F0000-0x00000000777F2000-memory.dmp

Filesize
8KB

Download
memory/1192-12-0x00000000777F0000-0x00000000777F2000-memory.dmp

Filesize
8KB

Download
memory/1192-10-0x00000000777F0000-0x00000000777F2000-memory.dmp

Filesize
8KB

Download
memory/1192-9-0x00000000777E0000-0x00000000777E2000-memory.dmp

Filesize
8KB

Download
memory/1192-7-0x00000000777E0000-0x00000000777E2000-memory.dmp

Filesize
8KB

Download
memory/1192-5-0x00000000777E0000-0x00000000777E2000-memory.dmp

Filesize
8KB

Download
memory/1192-4-0x00000000777D0000-0x00000000777D2000-memory.dmp

Filesize
8KB

Download
memory/1192-2-0x00000000777D0000-0x00000000777D2000-memory.dmp

Filesize
8KB

Download
memory/1192-0-0x00000000777D0000-0x00000000777D2000-memory.dmp

Filesize
8KB

Download
memory/1192-63-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1192-61-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1192-101-0x000000013FE90000-0x0000000141246000-memory.dmp

Filesize
19.7MB

Download
memory/1192-102-0x000000013FE90000-0x0000000141246000-memory.dmp

Filesize
19.7MB

Download