c9fa12f510e3c6db27b932b9bef09ea59d7db0c276a937b23d33ceb3f0973dbf

Analysis

max time kernel
63s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toponoesis.exe
Size

27.0MB
MD5

b840e7e147e1c0ce75397d893c23c7bf
SHA1

29d60d23d8f527cc6819624feef9502f79c78e50
SHA256

c9fa12f510e3c6db27b932b9bef09ea59d7db0c276a937b23d33ceb3f0973dbf
SHA512

6f44bd044773fb10649a129f94c73f196f86e788d27204903fbc4afb9dff15208554d973dd2db313f6efb8eb5d9dcfeae2fbbeb778049ddd5614e9f225032e8f
SSDEEP

393216:VGkUehdTfTZq5lJqWDMOadpOCewQ9hApI6WCocWj9Bzqct+xOJ9zfJ/Sg/jLcfTd:VjUehBTulJqkOQXApIxCq952Ozzggf0h

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2084	toponoesis.tmp
2724	TopoNoesisZwcad2023.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\is-ITV31.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\System.ValueTuple.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-CKSVD.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\is-26L9V.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\plugins\is-9BPE8.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\cui\is-VS0DG.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\TopoNoesis.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\plugins\gdal_MrSID.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-NTKNG.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\BruTile.MbTiles.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal_csharp.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-5LRQO.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\Geonoesis.Maps.Grids.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\plugins\cfitsio.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\ja\Npgsql.resources.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\is-25RLS.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\gdal_csharp.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-5QQA2.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\msvcp100.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\ogr_csharp.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\is-VL3GH.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\is-D2GQP.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\plugins\is-QK12P.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\BruTile.Desktop.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\plugins\is-ORJJ2.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\de\Npgsql.resources.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-VV8B3.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\is-BIBKM.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\Mono.Security.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\data\is-6CP9Q.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\is-PQPBF.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\is-IDA96.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\data\is-PAGV9.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\plugins\ogr_OCI.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-9A10J.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\is-JKHU1.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\cui\is-LPTU6.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\Geonoesis.LiveLocker2.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\de\Npgsql.resources.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-SOQL8.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\data\is-M7C9E.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\cui\is-2T4V8.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\BruTile.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\plugins\gdal_netCDF.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\plugins\gdal_ECW_JP2ECW.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-JGF5O.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\is-O18HV.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\data\is-JFBTP.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\is-DB4C3.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\is-GP6IS.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\gdalconst_wrap.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\zlib1.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\data\is-NQ5V0.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\Geonoesis.Maps.Transforms.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\NetTopologySuite.IO.GeoTools.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\is-972RV.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\plugins\is-HL3DD.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\BruTile.MbTiles.dll	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\is-CG5HA.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\data\is-9VP4T.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\is-TE7HM.tmp	toponoesis.tmp
File created	C:\Program Files (x86)\TopoNoesis\Zwcad\cui\is-JQDJ1.tmp	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\SharpMap.Extensions.dll	toponoesis.tmp
File opened for modification	C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\BruTile.dll	toponoesis.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	toponoesis.tmp
2084	toponoesis.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	toponoesis.tmp

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 2084	984	toponoesis.exe	89
PID 984 wrote to memory of 2084	984	toponoesis.exe	89
PID 984 wrote to memory of 2084	984	toponoesis.exe	89
PID 2084 wrote to memory of 2724	2084	toponoesis.tmp	102
PID 2084 wrote to memory of 2724	2084	toponoesis.tmp	102

C:\Users\Admin\AppData\Local\Temp\toponoesis.exe
"C:\Users\Admin\AppData\Local\Temp\toponoesis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\is-UJE4M.tmp\toponoesis.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UJE4M.tmp\toponoesis.tmp" /SL5="$40226,27454993,832512,C:\Users\Admin\AppData\Local\Temp\toponoesis.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\TopoNoesisZwcad2023.exe
    "C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\TopoNoesisZwcad2023.exe" I
    3⤵
    - Executes dropped EXE
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\data\is-SVJG0.tmp

Filesize
36KB

MD5
edfb1b9ee89ef9a96b37670f686599b4

SHA1
e98872255c4f6d568be92d19f62db348d0bbbaf5

SHA256
3db620638da4f6aa8c4e4faa125369d12aef0deeba084efaf9a848d2b3a2e1c8

SHA512
af6476ac6e62e02c7aac19d53de5a54c91bf6db1a583a0d78a442f7b7e7aec7d0a67b7b6b6df532fc37b576842385988e16b6e846c3c1f2fdc9969e7fe07fb3f

Download Submit
C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x64\plugins\is-1E1DN.tmp

Filesize
105KB

MD5
c550dc29f8a127e104d5368d1c09ea13

SHA1
0ee4a028f2bf2eeb15c26503530a516e3624f565

SHA256
9e013b91f6d4f99d90b31f34220b37eb17900bfa2237c0bf06dc55e5a97292b1

SHA512
2a7239683eb3a3d3b96735debdbd4ed542817599e67e307d5c4439f602a7147ff117346aebd08d1ebde5f141aac47416f2bb7dc00525c368a7ef3dd70846f3a3

Download Submit
C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GdalExternal\gdal\x86\plugins\is-LSDBB.tmp

Filesize
88KB

MD5
5fbdbaa0834c12b54e1db670853fe707

SHA1
e466730689e43f63b120af10ccea74bf6227ec8b

SHA256
3a8d8ed2243393b741102b0fe05f1d4d6f970cd241b3bc182cc2958889805b91

SHA512
9d8e0f55148358b59c7d66dabc209e56bcc11f532f46a68d12e1c1ef43076a04af9f009292526417391b49abc01aba2b94550a63dd2a6fae15dcdd150f519670

Download Submit
C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\GeonoesisCadLoader.exe

Filesize
33KB

MD5
16d4501f29db9ae6ddc49df80365cd20

SHA1
30b6eeabcee953bf0e005d0f3f1d5e1a8cf27c4f

SHA256
78c93fb8d4576c54d045920183f20b58ebf6f5bc8e81628dca260f55cc7c7ed0

SHA512
52c793a82f9356893d6556e35b73502fd1a365477b21be71f1ee4e564c4447370c249fe39469184c49d3f5e8b04ea5e12e8722d1265f2a65e37e718075e8714a

Download Submit
C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\Newtonsoft.Json.dll

Filesize
382KB

MD5
8611795b70cd1f321cb5cb5aad95ff7b

SHA1
3adf7d5b701c2ee4af9faa79c36fc724a73a1427

SHA256
cfc2edd8ee6a9e91719e493a8ee26938b59d8a2485d8bd4841fa34e9d6fef573

SHA512
1658d0dec157dcbb008bda2bc3db227d605c4ad56b853f81a8d8571bb49e8d56780c994447cbd6fa88a2bbae9985ddcb43f8bce032010674eeb78a1f1e7d9486

Download Submit
C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\TopoNoesisZwcad2023.exe

Filesize
33KB

MD5
16d4501f29db9ae6ddc49df80365cd20

SHA1
30b6eeabcee953bf0e005d0f3f1d5e1a8cf27c4f

SHA256
78c93fb8d4576c54d045920183f20b58ebf6f5bc8e81628dca260f55cc7c7ed0

SHA512
52c793a82f9356893d6556e35b73502fd1a365477b21be71f1ee4e564c4447370c249fe39469184c49d3f5e8b04ea5e12e8722d1265f2a65e37e718075e8714a

Download Submit
C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\TopoNoesisZwcad2023.exe

Filesize
33KB

MD5
16d4501f29db9ae6ddc49df80365cd20

SHA1
30b6eeabcee953bf0e005d0f3f1d5e1a8cf27c4f

SHA256
78c93fb8d4576c54d045920183f20b58ebf6f5bc8e81628dca260f55cc7c7ed0

SHA512
52c793a82f9356893d6556e35b73502fd1a365477b21be71f1ee4e564c4447370c249fe39469184c49d3f5e8b04ea5e12e8722d1265f2a65e37e718075e8714a

Download Submit
C:\Program Files (x86)\TopoNoesis\Zwcad\Zwcad\installation_app_data.json

Filesize
300B

MD5
80166a2c803de67e03ed8b1b07d143bc

SHA1
90c53d8ebc82056641aeed9340485639176785c1

SHA256
db5cceb429ab10ef963e7f35246c18a08ab14635d84d60ccc562095bbd1792d4

SHA512
9f63c120a23e699377f29d6d85253f7c733a8dde2820b6dfeafbf87a2a417e48da886577d51ece8f29f0ab1003bdad245bee0d470485f6d82b511b68fcf26d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UJE4M.tmp\toponoesis.tmp

Filesize
3.0MB

MD5
389875fc9f5ada5df2241ecbaa7303de

SHA1
2a781cc327dc2632e3f6e94ff68eaa3c89875bd6

SHA256
e4b9ff6083398c232179d68be40494c3ee643183a352b86f9d2333da82791245

SHA512
565fc620326ca69278fe41ea4455bea7c31b6c1294eb765ce4a024505aecb12b72a995f16f7e95d0238769392540caede8bdaaac2c224fb90aead98ac9e4d714

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UJE4M.tmp\toponoesis.tmp

Filesize
3.0MB

MD5
389875fc9f5ada5df2241ecbaa7303de

SHA1
2a781cc327dc2632e3f6e94ff68eaa3c89875bd6

SHA256
e4b9ff6083398c232179d68be40494c3ee643183a352b86f9d2333da82791245

SHA512
565fc620326ca69278fe41ea4455bea7c31b6c1294eb765ce4a024505aecb12b72a995f16f7e95d0238769392540caede8bdaaac2c224fb90aead98ac9e4d714

Download Submit
memory/984-8-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/984-673-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/984-1-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2084-6-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2084-9-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2084-502-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2084-672-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2084-10-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2724-662-0x00000000000D0000-0x00000000000DE000-memory.dmp

Filesize
56KB

Download
memory/2724-664-0x000000001AC30000-0x000000001AC96000-memory.dmp

Filesize
408KB

Download
memory/2724-666-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download
memory/2724-667-0x00007FFCD73D0000-0x00007FFCD7E91000-memory.dmp

Filesize
10.8MB

Download
memory/2724-668-0x000000001ADC0000-0x000000001ADD0000-memory.dmp

Filesize
64KB

Download
memory/2724-670-0x00007FFCD73D0000-0x00007FFCD7E91000-memory.dmp

Filesize
10.8MB

Download