Overview

Static analysis score: 10

Score  Task                    Platform
10     Full Tool ...PS.zip     windows10-2004-x64
1      Hit Sender...ib.dll     windows10-2004-x64
1      Hit Sender...ib.dll     windows10-2004-x64
1      Hit Sender...er.exe     windows10-2004-x64
10     Hit Sender...rp.dll     windows10-2004-x64
1      Hit Sender...er.dll     windows10-2004-x64
1      IP Scanner...er.exe     windows10-2004-x64
7      ScanIP.pyc              windows10-2004-x64
3      KPort Scan...V3.exe     windows10-2004-x64
10     KPort Scan...e4.dll     windows10-2004-x64
3      KPort Scan...i4.dll     windows10-2004-x64
3      KPort Scan...k4.dll     windows10-2004-x64
3      MassScan/Input.txt      windows10-2004-x64
1      MassScan/M...UI.exe     windows10-2004-x64
3      MassScan/Packet.dll     windows10-2004-x64
3      MassScan/_config.ini    windows10-2004-x64
1      MassScan/masscan.exe    windows10-2004-x64
3      MassScan/msvcr100.dll   windows10-2004-x64
3      MassScan/w....3.exe     windows10-2004-x64
7      $PLUGINSDIR/final.ini   windows10-2004-x64
1      $PLUGINSDI...ns.ini     windows10-2004-x64
1      MassScan/wpcap.dll      windows10-2004-x64
3      NL Brute 2...te.exe     windows10-2004-x64
10     NL Brute 2...gs.ini     windows10-2004-x64
1      NL Brute 2...pu.exe     windows10-2004-x64
10     ScanIP.exe              windows10-2004-x64
7      ScanIP.pyc              windows10-2004-x64
3      UsefulRDPScript.exe     windows10-2004-x64
7      nVNC/bin/config.conf    windows10-2004-x64
3      nVNC/input...ds.txt     windows10-2004-x64
1      nVNC/nvnc.exe           windows10-2004-x64
7      password.txt            windows10-2004-x64
Analysis (score 1)

max time kernel: 1701s
max time network: 1152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-07-2024 08:20
Behavioral tasks

Task          Sample                                                                                               Resource
behavioral1   Full Tool Scan VPS.zip                                                                               win10v2004-20240729-en
behavioral2   Hit Sender/AxInterop.MSTSCLib.dll                                                                    win10v2004-20240709-en
behavioral3   Hit Sender/Interop.MSTSCLib.dll                                                                      win10v2004-20240709-en
behavioral4   Hit Sender/NLBrute Hit Sender-Checker.exe                                                            win10v2004-20240709-en
behavioral5   Hit Sender/RestSharp.dll                                                                             win10v2004-20240709-en
behavioral6   Hit Sender/SkinSoft.VisualStyler.dll                                                                 win10v2004-20240709-en
behavioral7   IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)/IP Scanner.exe  win10v2004-20240709-en
behavioral8   ScanIP.pyc                                                                                           win10v2004-20240709-en
behavioral9   KPort Scaner/KPortScan V3.exe                                                                        win10v2004-20240729-en
behavioral10  KPort Scaner/QtCore4.dll                                                                             win10v2004-20240709-en
behavioral11  KPort Scaner/QtGui4.dll                                                                              win10v2004-20240709-en
behavioral12  KPort Scaner/QtNetwork4.dll                                                                          win10v2004-20240709-en
behavioral13  MassScan/Input.txt                                                                                   win10v2004-20240709-en
behavioral14  MassScan/Massscan_GUI.exe                                                                            win10v2004-20240709-en
behavioral15  MassScan/Packet.dll                                                                                  win10v2004-20240709-en
behavioral16  MassScan/_config.ini                                                                                 win10v2004-20240729-en
behavioral17  MassScan/masscan.exe                                                                                 win10v2004-20240709-en
behavioral18  MassScan/msvcr100.dll                                                                                win10v2004-20240709-en
behavioral19  MassScan/winpcap-4.3.exe                                                                             win10v2004-20240709-en
behavioral20  $PLUGINSDIR/final.ini                                                                                win10v2004-20240704-en
behavioral21  $PLUGINSDIR/options.ini                                                                              win10v2004-20240709-en
behavioral22  MassScan/wpcap.dll                                                                                   win10v2004-20240704-en
behavioral23  NL Brute 2/NLBrute.exe                                                                               win10v2004-20240709-en
behavioral24  NL Brute 2/settings.ini                                                                              win10v2004-20240709-en
behavioral25  NL Brute 2/tối uu VPS ram cpu.exe                                                                    win10v2004-20240709-en
behavioral26  ScanIP.exe                                                                                           win10v2004-20240709-en
behavioral27  ScanIP.pyc                                                                                           win10v2004-20240709-en
behavioral28  UsefulRDPScript.exe                                                                                  win10v2004-20240709-en
behavioral29  nVNC/bin/config.conf                                                                                 win10v2004-20240709-en
behavioral30  nVNC/input/passwords.txt                                                                             win10v2004-20240709-en
behavioral31  nVNC/nvnc.exe                                                                                        win10v2004-20240709-en
behavioral32  password.txt                                                                                         win10v2004-20240709-en
General

Target: nVNC/nvnc.exe
Size: 3.5MB
MD5: 97c7721005493d49de6c7e71fd29fb0c
SHA1: 018d216371afa49370531c003b7196f042fb1bad
SHA256: 001bbc6b9f01b1f5996eaf2e725ce8d367dc398f90e065848816758b1a2d1256
SHA512: 335ce1d14621c2df023f87f80b08647bd153a5fd60c9d6bfcb47c40763128963659605dade9a9b9bfb93f74635b95ed3f529f8c7d8bee5f8a90df18fba6b304f
SSDEEP: 98304:jQl+wlWly+maKZpZGvzydeH9JGPC7o0DtwlLxtPP7+1ug:jQlVxfPqzgMS4o0527Ng
Malware Config
Signatures
- Loads dropped DLL (5 IoCs)
  Processes: nvnc.exe
  pid   process
  400   nvnc.exe
  400   nvnc.exe
  400   nvnc.exe
  400   nvnc.exe
  400   nvnc.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: nvnc.exe, cmd.exe, nvnc.exe
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   nvnc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   nvnc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: nvnc.exe, nvnc.exe
  description                        pid    process    target process
  PID 3564 wrote to memory of 400    3564   nvnc.exe   nvnc.exe
  PID 3564 wrote to memory of 400    3564   nvnc.exe   nvnc.exe
  PID 3564 wrote to memory of 400    3564   nvnc.exe   nvnc.exe
  PID 400 wrote to memory of 1768    400    nvnc.exe   cmd.exe
  PID 400 wrote to memory of 1768    400    nvnc.exe   cmd.exe
  PID 400 wrote to memory of 1768    400    nvnc.exe   cmd.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3564
  - C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:400
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c CLS
      - System Location Discovery: System Language Discovery
      PID:1768
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 72KB
  MD5: f9982f8b1176597b81ed1285d1616ce7
  SHA1: 7cf74cce8b20adeeff83e29eacc028bdf2d7c18a
  SHA256: d14315cf03aa7d96b714bfc13f7990ec245d205e4a5f9f002d2805e369199239
  SHA512: cd3339dc69ff918d3e4db2ae219ff7df58f18a151f088fa051b4cdf48e4cfd6569a9ca9e414708818004de7d0cb3cea64fa2ee4c0a1f6b832d86229446e22153

- Filesize: 40KB
  MD5: 07789a8c23bcebe32f8bfd4ce4af5ffb
  SHA1: 132d7ad9d2a7c3ff51b246fd14f0a4f738d68e10
  SHA256: 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
  SHA512: d461d8313c285e568ce44c08d1af7c54aafae0d1e8235109d5d71f6baffe8f677ae3202590cf33ab34625ac87285c7dc4c1df2e2181acd4b998309d23e12fd3e

- Filesize: 705KB
  MD5: 12fb0bcc8b79ecadd52ba8d97e08bfed
  SHA1: b52b26e16841d3b03f36792df7ed1825aa95ee54
  SHA256: 360b506df81ffc0b49ac15924314fa549084227b998b202572eed90b695dfd3a
  SHA512: 3a6e78965cf58bb94efe1802f5fd39b2820935c277fb8773ecc3b4a0608fc444ace952a619dead204476981c78c38992867172bc0584cae01306ef226e5fce21

- Filesize: 471B
  MD5: 95b60b99fa7a60b3d17e5a792be83fdd
  SHA1: 672eb0187a961b11c87d5ce82c45a03ba3496b63
  SHA256: 09c7f09d9e15b33ff5e58d6dcf7f31aaf16426fc104377e91e03cff0f1bb941c
  SHA512: 18559064b7f20385a93ac66a2f8c90280aa39767083458dd18fe886f4707c2f3fceb32eb087a3fc703746b0475a9d232195874f75e4059ff7d607a4e893a1c86

- Filesize: 2.2MB
  MD5: 7584228b7aa01d99944df388ba62a197
  SHA1: 9e3d84241053d0ff82d83104fe9f73b9f02a3b3e
  SHA256: 75e9a929d9f0f4ee2c5164c5829bebc05ea9aca0b664b41bb8e7ff53fbb1bb8e
  SHA512: 217bbd7cf8a27a18c15856e6506f0bbc51b9d22e55ec15339aa53e81e966d65c8af445c55d79f1ff0cf1757e0c3a3da5de9818f00be8bf14f708ff1c5db88165