Overview

overview

7

Static

static

3

npp.8.6.7....64.exe

windows7-x64

5

npp.8.6.7....64.exe

windows10-2004-x64

4

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...al.ini

windows7-x64

1

$PLUGINSDI...al.ini

windows10-2004-x64

1

$PLUGINSDI...er.bmp

windows7-x64

3

$PLUGINSDI...er.bmp

windows10-2004-x64

7

$PLUGINSDI...rd.bmp

windows7-x64

3

$PLUGINSDI...rd.bmp

windows10-2004-x64

7

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 23:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    npp.8.6.7.Installer.x64.exe

  • Size

    4.6MB

  • MD5

    d401161afb56b8647202e031cec1ae78

  • SHA1

    6eb7ed61ccdb0bd5018271a3ec24b63b913fc281

  • SHA256

    81470eb5917705fa0df03181b8112422671842bdcec5252a7894975b38058c91

  • SHA512

    01df1134b9f4d6bb44a8f23a9ba8191dbfb20ed1eb5f249331000955f6b340b1e3e3a6c0e237456a39a712f77d90fe85fc4b946832c88fe4617e45daea9c966b

  • SSDEEP

    98304:YtvLd2AV2+xDkRCH60uSzAUc8/hx2y5ho31X9pf86Mxxik5WVzZpZvO:YtBTZFET0Jcq2Kho31Xf06MzvAF/ZG

Score
5/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\npp.8.6.7.Installer.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\npp.8.6.7.Installer.x64.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:1956
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "C:\Program Files\Notepad++\notepad++.exe"
      2⤵
        PID:2932
      • C:\Program Files\Notepad++\notepad++.exe
        "C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Notepad++\change.log"
        2⤵
        • Executes dropped EXE
        PID:2432
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Program Files\Notepad++\notepad++.exe
        "C:\Program Files\Notepad++\notepad++.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:328
        • C:\Program Files\Notepad++\updater\gup.exe
          "C:\Program Files\Notepad++\updater\gup.exe" -v8.67 -px64
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:768

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Notepad++\change.log
            Filesize

            1KB

            MD5

            2070dbf01930ca2668dd4a071d751c4f

            SHA1

            7d9b4252f5a5f70c90c6aed3ce5420cb712fe233

            SHA256

            601fc25d56652661e555eaf263ad7860c75a557fb7d466adc7ad3a1541ccef68

            SHA512

            9d776bc90e2178f4d02d939ddb6a7a0e5907868d51289c25059e005b079f493c114c94a778f1d961665bdf966c1a64304fad434959d71f2e0c4ce5f1696c135d

            Download Submit

          • C:\Program Files\Notepad++\contextMenu\NppShell.dll
            Filesize

            375KB

            MD5

            201c06dc1a485f6a74b21c9b739c2eae

            SHA1

            96c1f31f32804db333148175224b453a28032d9e

            SHA256

            5b2ab24d0f1a1a9691352a467fe4aad18454408b6f7700420c578f30c46d5cbb

            SHA512

            74251b5a6d1474a04b8d85b14a8581670ffc662b6a14d23af84b53ff4bff9cefc7ffe850a4a230ae486dca89fdbe54e91339634917962544a05cbd7e3c7df70a

            Download Submit

          • C:\Program Files\Notepad++\langs.model.xml
            Filesize

            460KB

            MD5

            6dc18e98260a6d648c591200f14c9bf6

            SHA1

            c5d3343d3f91dbfe4db4abfe8ca762104b32b995

            SHA256

            e3c7749a2caf5ed7d5ad3ee5b6e341d1dcd5cbffe56d2ac9c910ee4bf7e8814e

            SHA512

            6c0fa09b4712f6aa2397927a7261a7c06fad4d528d8be1aca94bdb065614b83d070e91b484c1133bb9de9180a2f48724d5108c7e43da0aa65917cd7e543b66db

            Download Submit

          • C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
            Filesize

            208KB

            MD5

            daa999587d75d05f292c3ca30238168e

            SHA1

            3c45d0213bbd7b8e29071d5e0fd5323ee10a14a4

            SHA256

            bfc176fc4b3d1a948020000e63738ba07c75f0f6c82d9d535223f6d546ccd2dc

            SHA512

            0a0ede2687000b1b1512060bde61c26ba1c9f900d4c06df94fd7a43f904a19e521392bbdf2ec2968b281ef6852f0498c8fa3dab5ab49e9bfacbdb25899b7c194

            Download Submit

          • C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll
            Filesize

            145KB

            MD5

            8c9d93cbd75e63b81bd0b5c12f68af6d

            SHA1

            3acfeb2e7a7d72c840b0225cf6ae38550610dd02

            SHA256

            a7d6da97ed2b1ec210c9563b94ffa7d12119e9d7074873323068e712c3d36a1e

            SHA512

            db969f4af272e0dc3f6961ff7bc9c8bf3b9f252186b71456702dc582a782a30fc74dc8579554b364d000f026fb74992fd59e8e7e7142ce5ee44eaee1d8e4835e

            Download Submit

          • C:\Program Files\Notepad++\shortcuts.xml
            Filesize

            3KB

            MD5

            fb573784b83033dd4361f52006d02cb8

            SHA1

            0a2923a44ec1bd5e7e8bc7cace15857ae03bf63c

            SHA256

            37a24662cd55b627807bc2bb7cbba5bbf2abaf6da4dd7bbb949bfaa7903eae9c

            SHA512

            753b44b5e8bea858cf5cc5ddfdc38098a2f3f921949cf98706ead95bdfa1de7ab0c115e9d69237623a03c422969480204c69d3ba277141527458c68230d0c67c

            Download Submit

          • C:\Program Files\Notepad++\stylers.model.xml
            Filesize

            190KB

            MD5

            9ff5fb88c47ac8e7c99f9f340f2d909a

            SHA1

            5c4abd414ed87fc4f16eb9f9b39c690f3cd1ca22

            SHA256

            070a560ecd7ab3f787bd7674bdde50aa906e895553f07beb74fd140b193627fb

            SHA512

            8c1af565b19803ee665147ee7d5dab420f591e2faba8d7f6db95e9e9b911bdf9586fca20851f04152fe4f7c98b354e3e16f84140dcab9aac22e0b2233c4cf4fc

            Download Submit

          • C:\Program Files\Notepad++\updater\gup.exe
            Filesize

            789KB

            MD5

            7744ed6fac4775706938298f9cb5ba0d

            SHA1

            2f20777a19b81a4b37de89e4d5a9b8eda21b51a6

            SHA256

            b9c965aa538c21b4702ec7e4f3ac47fc999e1cd505d69e0896a309f7956bb351

            SHA512

            9a6d02f58367c3bb728e81566685b0292232e4cd3e5c6b4eed65928026115e7a1fe20e1248950431a5a9d0b5e477310d756f9a70b9337edebee9b2a9acae47fb

            Download Submit

          • C:\Program Files\Notepad++\updater\gup.xml
            Filesize

            4KB

            MD5

            abde55a0b1cb4a904e622c02f559dcd1

            SHA1

            1662f8445a000bbf7c61c40e39266658f169bf13

            SHA256

            92717951aae89e960b142cef3d273f104051896a3d527a78ca4a88c22b5216a5

            SHA512

            8fe75fb468f87be1153a6a0d70c0583a355f355bfe988027c88d154b500e97f2c5241d9557ebb981067205e2f23ad07b6a49c669cd3e94eaa728201173b235a0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nseEE86.tmp\ioSpecial.ini
            Filesize

            1KB

            MD5

            76e4e423b5f674721c0eb37b6d7cc067

            SHA1

            9a20e3971b41577ceb295dd963168111cd14d501

            SHA256

            2ce22575c95a60bc58c0408f973cd9b30fa2521316685c3f601c8e41a42338c3

            SHA512

            4d3ad5ecf5c3154c95fade071f9bc85db4e18f2f83c0c6d6328120c753b37bac68d48ef0f029f369df6524ba4503f3031c582ff22a471a499b7ac9287f22c61d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nseEE86.tmp\ioSpecial.ini
            Filesize

            1KB

            MD5

            e302db2fd453c0d22d5d11d3540c21ae

            SHA1

            e952d6ecb41cffca8d1e9c178af75e63c5c63502

            SHA256

            82c9c6cffbc83f467df2c25549b5a48f6deba8242bd85267ad021afff00bb284

            SHA512

            51e94d9a185e41565bb06209ed05e5467f3ddc99401222e92cc379b494847edb5a5bd374ead887b2ef7c437cc6472720c4174a24b8703348f75a09cbfa89722f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nseEE86.tmp\ioSpecial.ini
            Filesize

            1KB

            MD5

            5d8163b0a4b8bd6f44b3191115c4f12c

            SHA1

            f4691464c50c8b66c54de1e1b9a27175ab4a43ad

            SHA256

            221e89ccf37abd64189dc5f70ef0e09969abf61166c12b2842f949e051ffa318

            SHA512

            8eec1e748e36d387a45490bec043f36e827630d6ff02ed2d931b5421bafaf8250659309bf517f090560879acf79cdbd395b5cf8c4f3b1291bd0e3d6208fe7afb

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Notepad++\contextMenu.xml
            Filesize

            4KB

            MD5

            fde4cc09d1c18c6cd7c1a4878e89d27e

            SHA1

            22fba21b254fed1a60da5de2b8af3cf6e132b647

            SHA256

            43ac0b7ba9b1f91fd8d4841b8119344e6212b307a1decccf61658f31d38bb425

            SHA512

            fcc87b93cb4dd0949e82edb7d2788d7abd317f9f4c5f046ceba1cd85a64b12b29c6baba3e8646265db02a48a2dc20c3b5e893a1334d9b1e91d26692b4e9c2d29

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Notepad++\plugins\config\converter.ini
            Filesize

            646B

            MD5

            f07150054a6afff4d8e9d58899167722

            SHA1

            e092cd960ab728667d91b37d64a02d7f6821518b

            SHA256

            5b0a08439e8e93817772f84e1098f14152d9da36c2601a0600ddaae6f61359d0

            SHA512

            8c86aa4c058a8ab5fd26f21cacc8ddaffa8ce6012bb329d3c5b817da00b4b43018a575c768d1921c6eeab7537f172c7cb3de658b014365ea52fb3c87547182b9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Notepad++\toolbarIcons.xml
            Filesize

            2KB

            MD5

            bc4b775a277672fc7edf956120576ecb

            SHA1

            fe7c2db5b4d4c5a3f5603cf56c4d71cc9ee2d71d

            SHA256

            4ec98de37193f41242c1a47507bcc4c1af555e71154f7354272bc3e664e19877

            SHA512

            f87dc3ce52831ee308fbfa2b1b94c07e2811e7028360f046e012f8ea5a8f0ebcd362de7a663dee810c3da0791474c1485b1a2626c7867e76236156b125ff39b2

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled.udl.xml
            Filesize

            6KB

            MD5

            672e6d5f89887666ec94711e442644e0

            SHA1

            8d069ae93347316eff0dcf7aff4d22da18a62af2

            SHA256

            b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04

            SHA512

            8fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled_DM.udl.xml
            Filesize

            6KB

            MD5

            3690cef1865e32fe6be1b2ec7656539a

            SHA1

            bc043bec63c310a60d9e242810036460c467945d

            SHA256

            e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25

            SHA512

            c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051

            Download Submit

          • \Program Files\Notepad++\notepad++.exe
            Filesize

            6.9MB

            MD5

            013dd1c256a30cc3926b828cce0ebcc9

            SHA1

            1bd408453ae299385ab0b09edc84312a8379156a

            SHA256

            86aa89aaf2b85dd3cd9482aa90411fc9176b0dd642c54c13c0e3324518f54574

            SHA512

            83b57663adc290dc97f0939485b0e46f4cb90edc3542a856a394eeaaacd9e7cf66bccdfad2de2ad9bc84954d5229fc052702ca82c29e428f689125adfa196f4f

            Download Submit

          • \Program Files\Notepad++\plugins\NppConverter\NppConverter.dll
            Filesize

            198KB

            MD5

            fe47a5394ad80794d0e5d2f4d35758d5

            SHA1

            f83b072945493899d8280bc962551c24acefd147

            SHA256

            b2a56428cfa2e9ad9f85d6832e2b5b2e1489be66806c3590d42f3d3b7c8edaff

            SHA512

            2e99f823e84945f1a8c6bd33d499d4b1d8ddcf704abf688ce350c4a7caa66608c292c549208a4942d9be7c605bda84e768dd30ee39d751d32cb29a0f490c13d4

            Download Submit

          • \Program Files\Notepad++\plugins\NppExport\NppExport.dll
            Filesize

            153KB

            MD5

            b53f287847b2657b4ab19581821db4d4

            SHA1

            bf0e5307514a29c4d7995cc7087dac83b9e37a24

            SHA256

            e14b00514a4be327622db2097c41dffd94d36f58a923cc604f680b6f7a0df726

            SHA512

            1b1638c5855743c26e7d97680c24b2b8a1d3ad0b99808dda39114a840237780379422c7e6a329135a753125a418ffd4e62d97c0564293aba3f322a2062af2b08

            Download Submit

          • \Program Files\Notepad++\updater\libcurl.dll
            Filesize

            732KB

            MD5

            a4f81a9473e13a636a23b8e84d0c63c1

            SHA1

            675f8077e38a7a72c41871627ed5f003746fb8b1

            SHA256

            eb654233b73a7031fd966068713b5f5d430242ee9c2c3b5a4a6dc0cccbb722be

            SHA512

            325f9a9e7250a42d71ccb736907c8f06774ab7eafe4c89842a585d52faffee95d6e86944c96e9e692446edf0ca17620feb7c16a6cf84af43a19851f171e54694

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nseEE86.tmp\InstallOptions.dll
            Filesize

            15KB

            MD5

            d095b082b7c5ba4665d40d9c5042af6d

            SHA1

            2220277304af105ca6c56219f56f04e894b28d27

            SHA256

            b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

            SHA512

            61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nseEE86.tmp\LangDLL.dll
            Filesize

            5KB

            MD5

            50016010fb0d8db2bc4cd258ceb43be5

            SHA1

            44ba95ee12e69da72478cf358c93533a9c7a01dc

            SHA256

            32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

            SHA512

            ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nseEE86.tmp\System.dll
            Filesize

            12KB

            MD5

            4add245d4ba34b04f213409bfe504c07

            SHA1

            ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

            SHA256

            9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

            SHA512

            1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nseEE86.tmp\UserInfo.dll
            Filesize

            4KB

            MD5

            d458b8251443536e4a334147e0170e95

            SHA1

            ba8d4d580f1bc0bb2eaa8b9b02ee9e91b8b50fc3

            SHA256

            4913d4cccf84cd0534069107cff3e8e2f427160cad841547db9019310ac86cc7

            SHA512

            6ff523a74c3670b8b5cd92f62dcc6ea50b65a5d0d6e67ee1079bdb8a623b27dd10b9036a41aa8ec928200c85323c1a1f3b5c0948b59c0671de183617b65a96b1

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nseEE86.tmp\nsDialogs.dll
            Filesize

            9KB

            MD5

            1d8f01a83ddd259bc339902c1d33c8f1

            SHA1

            9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

            SHA256

            4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

            SHA512

            28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

            Download Submit