Edit tour
Windows
Analysis Report
npp.8.6.7.Installer.x64.exe
Overview
General Information
Detection
Score: | 26 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 20% |
Compliance
Score: | 37 |
Range: | 0 - 100 |
Signatures
Malicious sample detected (through community Yara rule)
Found API chain indicative of debugger detection
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Explorer Process Tree Break
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- npp.8.6.7.Installer.x64.exe (PID: 6288 cmdline:
"C:\Users\ user\Deskt op\npp.8.6 .7.Install er.x64.exe " MD5: D401161AFB56B8647202E031CEC1AE78) - regsvr32.exe (PID: 6864 cmdline:
regsvr32 / s "C:\Prog ram Files\ Notepad++\ contextMen u\NppShell .dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0) - regsvr32.exe (PID: 1508 cmdline:
/s "C:\Pr ogram File s\Notepad+ +\contextM enu\NppShe ll.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - explorer.exe (PID: 5576 cmdline:
"C:\Window s\explorer .exe" "C:\ Program Fi les\Notepa d++\notepa d++.exe" MD5: 662F4F92FDE3557E86D110526BB578D5) - notepad++.exe (PID: 4488 cmdline:
"C:\Progra m Files\No tepad++\no tepad++.ex e" "C:\Pro gram Files \Notepad++ \change.lo g" MD5: 013DD1C256A30CC3926B828CCE0EBCC9)
- explorer.exe (PID: 2212 cmdline:
C:\Windows \explorer. exe /facto ry,{75dff2 b7-6936-4c 06-a8bb-67 6a7b00b24b } -Embeddi ng MD5: 662F4F92FDE3557E86D110526BB578D5) - notepad++.exe (PID: 6976 cmdline:
"C:\Progra m Files\No tepad++\no tepad++.ex e" MD5: 013DD1C256A30CC3926B828CCE0EBCC9) - GUP.exe (PID: 1364 cmdline:
"C:\Progra m Files\No tepad++\up dater\gup. exe" -v8.6 7 -px64 MD5: 7744ED6FAC4775706938298F9CB5BA0D) - npp.8.7.Installer.x64.exe (PID: 6072 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\npp.8. 7.Installe r.x64.exe" MD5: AA25B8D9BF2D7095F76D0BA6568785B1) - npp.8.7.Installer.x64.exe (PID: 4416 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\npp.8. 7.Installe r.x64.exe" MD5: AA25B8D9BF2D7095F76D0BA6568785B1) - rundll32.exe (PID: 1404 cmdline:
rundll32.e xe "C:\Pro gram Files \Notepad++ \contextme nu\NppShel l.dll",Cle anupDll MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 3468 cmdline:
rundll32.e xe "C:\Pro gram Files \Notepad++ \contextme nu\NppShel l.dll",Cle anupDll MD5: EF3179D498793BF4234F708D3BE28633) - regsvr32.exe (PID: 1456 cmdline:
regsvr32 / s "C:\Prog ram Files\ Notepad++\ contextMen u\NppShell .dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0) - regsvr32.exe (PID: 3652 cmdline:
/s "C:\Pr ogram File s\Notepad+ +\contextM enu\NppShe ll.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - explorer.exe (PID: 6856 cmdline:
"C:\Window s\explorer .exe" "C:\ Program Fi les\Notepa d++\notepa d++.exe" MD5: 662F4F92FDE3557E86D110526BB578D5) - notepad++.exe (PID: 5688 cmdline:
"C:\Progra m Files\No tepad++\no tepad++.ex e" "C:\Pro gram Files \Notepad++ \change.lo g" MD5: 47F3922D5A017C971D39814E512EB57A) - WerFault.exe (PID: 6312 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 6 976 -s 125 2 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 4308 cmdline:
C:\Windows \explorer. exe /facto ry,{75dff2 b7-6936-4c 06-a8bb-67 6a7b00b24b } -Embeddi ng MD5: 662F4F92FDE3557E86D110526BB578D5) - notepad++.exe (PID: 2228 cmdline:
"C:\Progra m Files\No tepad++\no tepad++.ex e" MD5: 47F3922D5A017C971D39814E512EB57A)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen |
| |
MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen |
|
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber: |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Source: | Code function: | 10_2_00007FFE004E9AD0 | |
Source: | Code function: | 10_2_00007FFE004E9CA0 | |
Source: | Code function: | 10_2_00007FFE00507D76 | |
Source: | Code function: | 10_2_00007FFE0050A140 | |
Source: | Code function: | 10_2_00007FFE004DC2E0 | |
Source: | Code function: | 10_2_00007FFE004DC410 | |
Source: | Code function: | 10_2_00007FFE004DC490 | |
Source: | Code function: | 10_2_00007FFE004DC4A0 | |
Source: | Code function: | 10_2_00007FFE0050A560 | |
Source: | Code function: | 10_2_00007FFE0050AA80 | |
Source: | Code function: | 10_2_00007FFE004EECD0 | |
Source: | Code function: | 10_2_00007FFE004EED50 | |
Source: | Code function: | 10_2_00007FFE004EEDE0 | |
Source: | Code function: | 10_2_00007FFE004BF3B0 | |
Source: | Code function: | 10_2_00007FFE00507B10 |
Source: | Binary or memory string: | memstr_f17e4f4d-7 |
Source: | Code function: | 10_2_00007FFE004F0430 |
Source: | EXE: | Jump to behavior |
Compliance |
---|
Source: | EXE: | Jump to behavior |
Source: | Static PE information: |
Source: | Window detected: |