cd4d052237893068f83ba8d073f95217dbe96c4a0373cf17427203c796cf6565

Analysis

max time kernel
33s
max time network
36s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
20/06/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NPLoader.exe
Size

11.8MB
MD5

97f3bcb4bbe689cf6c389a655fc1dff9
SHA1

496eb7022d33177493a7600c9a2f8ef7ed262081
SHA256

cd4d052237893068f83ba8d073f95217dbe96c4a0373cf17427203c796cf6565
SHA512

7c42cb431b6e9998911070eb606e0d1e9db56b734f10167d72c15c24ec302c7d8d699035885e6b9ddd1592fa3095e16a2594a000b06a636a7e6fe74481b25981
SSDEEP

196608:gLygabBD8w5H2U3TSj/CzFkBdHtIT2qHNzJPKzTdAGebLqMAp0NMS6AXkrL3XnO7:gegabeAmj/CzFkLNIT2clJSzT6G2Lr6V

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2604	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	NPLoader.exe
4868	NPLoader.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4912	4868	NPLoader.exe	77
PID 4868 wrote to memory of 4912	4868	NPLoader.exe	77
PID 4912 wrote to memory of 1464	4912	cmd.exe	78
PID 4912 wrote to memory of 1464	4912	cmd.exe	78
PID 4912 wrote to memory of 348	4912	cmd.exe	79
PID 4912 wrote to memory of 348	4912	cmd.exe	79
PID 4912 wrote to memory of 132	4912	cmd.exe	80
PID 4912 wrote to memory of 132	4912	cmd.exe	80
PID 4868 wrote to memory of 2344	4868	NPLoader.exe	81
PID 4868 wrote to memory of 2344	4868	NPLoader.exe	81
PID 2344 wrote to memory of 4684	2344	cmd.exe	82
PID 2344 wrote to memory of 4684	2344	cmd.exe	82
PID 2344 wrote to memory of 2604	2344	cmd.exe	83
PID 2344 wrote to memory of 2604	2344	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\NPLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NPLoader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NPLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NPLoader.exe" MD5
    3⤵
    PID:1464
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:348
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C color b && title Error && echo Couldn't resolve host name && timeout /t 5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\cmd.exe
    cmd /C color b
    3⤵
    PID:4684
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4868-4-0x00007FF8C48C0000-0x00007FF8C48C2000-memory.dmp

Filesize
8KB

Download
memory/4868-3-0x00007FF785CDD000-0x00007FF78644C000-memory.dmp

Filesize
7.4MB

Download
memory/4868-2-0x00007FF8C48B0000-0x00007FF8C48B2000-memory.dmp

Filesize
8KB

Download
memory/4868-1-0x00007FF8C48A0000-0x00007FF8C48A2000-memory.dmp

Filesize
8KB

Download
memory/4868-0-0x00007FF8C4890000-0x00007FF8C4892000-memory.dmp

Filesize
8KB

Download
memory/4868-5-0x00007FF8C48D0000-0x00007FF8C48D2000-memory.dmp

Filesize
8KB

Download
memory/4868-6-0x00007FF8C48E0000-0x00007FF8C48E2000-memory.dmp

Filesize
8KB

Download
memory/4868-7-0x00007FF8C48F0000-0x00007FF8C48F2000-memory.dmp

Filesize
8KB

Download
memory/4868-8-0x00007FF8C4900000-0x00007FF8C4902000-memory.dmp

Filesize
8KB

Download
memory/4868-9-0x00007FF8C4910000-0x00007FF8C4912000-memory.dmp

Filesize
8KB

Download
memory/4868-10-0x00007FF8C4920000-0x00007FF8C4922000-memory.dmp

Filesize
8KB

Download
memory/4868-11-0x00007FF8C4930000-0x00007FF8C4932000-memory.dmp

Filesize
8KB

Download
memory/4868-12-0x00007FF8C4940000-0x00007FF8C4942000-memory.dmp

Filesize
8KB

Download
memory/4868-13-0x00007FF8C4950000-0x00007FF8C4952000-memory.dmp

Filesize
8KB

Download
memory/4868-14-0x00007FF8C4960000-0x00007FF8C4962000-memory.dmp

Filesize
8KB

Download
memory/4868-15-0x00007FF8C4970000-0x00007FF8C4972000-memory.dmp

Filesize
8KB

Download
memory/4868-16-0x00007FF8C4980000-0x00007FF8C4982000-memory.dmp

Filesize
8KB

Download
memory/4868-17-0x00007FF8C4990000-0x00007FF8C4992000-memory.dmp

Filesize
8KB

Download
memory/4868-18-0x00007FF8C49A0000-0x00007FF8C49A2000-memory.dmp

Filesize
8KB

Download
memory/4868-19-0x00007FF8C49B0000-0x00007FF8C49B2000-memory.dmp

Filesize
8KB

Download
memory/4868-20-0x0000017391500000-0x000001739158E000-memory.dmp

Filesize
568KB

Download
memory/4868-34-0x0000017392D80000-0x0000017392D89000-memory.dmp

Filesize
36KB

Download
memory/4868-33-0x0000017392D50000-0x0000017392D6A000-memory.dmp

Filesize
104KB

Download
memory/4868-37-0x00007FF785C70000-0x00007FF787026000-memory.dmp

Filesize
19.7MB

Download
memory/4868-32-0x0000017391500000-0x000001739158E000-memory.dmp

Filesize
568KB

Download
memory/4868-26-0x0000017392D50000-0x0000017392D6A000-memory.dmp

Filesize
104KB

Download
memory/4868-40-0x00007FF785CDD000-0x00007FF78644C000-memory.dmp

Filesize
7.4MB

Download