analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

npp.7.7.1.Installer.exe

Full analysis: https://app.any.run/tasks/20851705-dc85-4be2-a192-cd46b4a3be8f
Verdict: Malicious activity
Analysis date: September 11, 2019, 02:01:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

A327DD44A4E2F0E35364BDE7C4A59718

SHA1:

071A81782D88810B0084BD2162C67CF0FF3AD13F

SHA256:

6787C524B0AC30A698237FFB035F932D7132343671B8FE8F0388ED380D19A51C

SSDEEP:

98304:LvP59bXolEMWzIcUKUwQOC8bz3JICi29jv:LzXol70/U5wBf3Jli29jv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • notepad++.exe (PID: 3468)
      • notepad++.exe (PID: 408)
      • gup.exe (PID: 3784)
      • notepad++.exe (PID: 3372)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 3716)
      • notepad++.exe (PID: 408)
      • notepad++.exe (PID: 3468)
      • npp.7.7.1.Installer.exe (PID: 2624)
      • gup.exe (PID: 3784)
      • explorer.exe (PID: 276)
      • svchost.exe (PID: 852)
    • Registers / Runs the DLL via REGSVR32.EXE

      • npp.7.7.1.Installer.exe (PID: 2624)
  • SUSPICIOUS

    • Creates COM task schedule object

      • regsvr32.exe (PID: 3716)
    • Executed via COM

      • explorer.exe (PID: 3176)
    • Creates files in the user directory

      • npp.7.7.1.Installer.exe (PID: 2624)
      • notepad++.exe (PID: 408)
    • Creates files in the program directory

      • npp.7.7.1.Installer.exe (PID: 2624)
    • Executable content was dropped or overwritten

      • npp.7.7.1.Installer.exe (PID: 2624)
    • Creates a software uninstall entry

      • npp.7.7.1.Installer.exe (PID: 2624)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductVersion: 7.71
ProductName: Notepad++
LegalCopyright: Copyleft 1998-2017 by Don HO
FileVersion: 7.7.1.0
FileDescription: Notepad++ : a free (GNU) source code editor
CompanyName: Don HO [email protected]
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 7.7.1.0
FileVersionNumber: 7.7.1.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x34a5
UninitializedDataSize: 2048
InitializedDataSize: 141824
CodeSize: 26112
LinkerVersion: 6
PEType: PE32
TimeStamp: 2018:12:15 23:24:36+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 15-Dec-2018 22:24:36
Detected languages:
  • English - United States
CompanyName: Don HO [email protected]
FileDescription: Notepad++ : a free (GNU) source code editor
FileVersion: 7.7.1.0
LegalCopyright: Copyleft 1998-2017 by Don HO
ProductName: Notepad++
ProductVersion: 7.71

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 15-Dec-2018 22:24:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006409
0x00006600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.41619
.rdata
0x00008000
0x00001396
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.15491
.data
0x0000A000
0x00020358
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.0044
.ndata
0x0002B000
0x0001A000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00045000
0x000261E0
0x00026200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.73113

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.27873
1260
UNKNOWN
English - United States
RT_MANIFEST
2
7.98841
51130
UNKNOWN
English - United States
RT_ICON
3
4.21656
9640
UNKNOWN
English - United States
RT_ICON
4
4.57578
4264
UNKNOWN
English - United States
RT_ICON
5
5.04764
1128
UNKNOWN
English - United States
RT_ICON
102
2.71813
180
UNKNOWN
English - United States
RT_DIALOG
103
2.67841
76
UNKNOWN
English - United States
RT_GROUP_ICON
104
2.67285
344
UNKNOWN
English - United States
RT_DIALOG
105
2.67385
512
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
11
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start npp.7.7.1.installer.exe no specs npp.7.7.1.installer.exe regsvr32.exe no specs explorer.exe no specs explorer.exe no specs notepad++.exe gup.exe notepad++.exe svchost.exe explorer.exe no specs notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
3728"C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exe" C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exeexplorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
3221226540
Version:
7.7.1.0
2624"C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exe" C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exe
explorer.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.7.1.0
3716regsvr32 /s "C:\Program Files\Notepad++\NppShell_06.dll"C:\Windows\system32\regsvr32.exenpp.7.7.1.Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2428"C:\Windows\explorer.exe" "C:\Program Files\Notepad++\notepad++.exe"C:\Windows\explorer.exenpp.7.7.1.Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3176C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
408"C:\Program Files\Notepad++\notepad++.exe" C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.71
3784"C:\Program Files\Notepad++\updater\gup.exe" -v7.71C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
WinGup for Notepad++
Exit code:
0
Version:
5.1
3468"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Notepad++\change.log" C:\Program Files\Notepad++\notepad++.exe
npp.7.7.1.Installer.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.71
852C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
276C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 703
Read events
1 417
Write events
0
Delete events
0

Modification events

No data
Executable files
15
Suspicious files
2
Text files
152
Unknown types
4

Dropped files

PID
Process
Filename
Type
852svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:12B7DAAEAC62822D64B1DC9CF00A1959
SHA256:D0B7F56E9304F87E9F14ABF6C9D4349A9778C2FA788DA8B62B5D31C286CA87A1
2624npp.7.7.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nswA186.tmp\ioSpecial.initext
MD5:CBB9A2BC1EF4DBB61FE57108860B3746
SHA256:9FDB9E92AE8826AA8952CABCFAB5F11219212B8F7220EEEB812D151ADBBA9782
2624npp.7.7.1.Installer.exeC:\Program Files\Notepad++\autoCompletion\cpp.xmlxml
MD5:E60CA42B12A8E816892894D321AB8D00
SHA256:B97FFA556F93EC4C51208B2AEA4F3D69411404C27F6EA12608AE84BEDBD76418
2624npp.7.7.1.Installer.exeC:\Program Files\Notepad++\autoCompletion\cs.xmlxml
MD5:C9BC2ACDE59532D2A9B65E7F9CD55D4F
SHA256:32076A244AFD75A07CD38F1FA27B08EEA3A4A697111CDE8A1CB636C46C708C17
2624npp.7.7.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nswA186.tmp\modern-wizard.bmpimage
MD5:C2CF6928A3AB574A5548B4DC1C38B6C0
SHA256:2125550C12FA512782F2016E802D70BC51F4A06017CFBD4176B4A994EB2542F0
2624npp.7.7.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nswA186.tmp\System.dllexecutable
MD5:0D7AD4F45DC6F5AA87F606D0331C6901
SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
2624npp.7.7.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nswA186.tmp\InstallOptions.dllexecutable
MD5:05BF02DA51E717F79F6B5CBEA7BC0710
SHA256:CA092BA7F275B0C9000098CDD1A9876FE8DC050FCB40A0E8A1AB8335236E9DC5
2624npp.7.7.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nswA186.tmp\LangDLL.dllexecutable
MD5:AB1DB56369412FE8476FEFFFD11E4CC0
SHA256:6F14C8F01F50A30743DAC68C5AC813451463DFB427EB4E35FCDFE2410E1A913B
2624npp.7.7.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nswA186.tmp\modern-header.bmpimage
MD5:56DA15FDB8D96F8F5C649DCB5E79D775
SHA256:BB90D4338D2474138473E6B16E94B0237EE847BEA45019ED0DD4439C71BD233E
2624npp.7.7.1.Installer.exeC:\Program Files\Notepad++\autoCompletion\perl.xmlxml
MD5:244EB5C1E91DC112130252FE58E49B13
SHA256:E38A882B09330B6DBD56A2A4A90882C371A3C3EB7D29CEAE9520A647C185B627
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3784
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 37.59.28.236
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe