Overview
overview
10Static
static
10Full Tool ...PS.zip
windows10-2004-x64
1Hit Sender...ib.dll
windows10-2004-x64
1Hit Sender...ib.dll
windows10-2004-x64
1Hit Sender...er.exe
windows10-2004-x64
10Hit Sender...rp.dll
windows10-2004-x64
1Hit Sender...er.dll
windows10-2004-x64
1IP Scanner...er.exe
windows10-2004-x64
7ScanIP.pyc
windows10-2004-x64
3KPort Scan...V3.exe
windows10-2004-x64
10KPort Scan...e4.dll
windows10-2004-x64
3KPort Scan...i4.dll
windows10-2004-x64
3KPort Scan...k4.dll
windows10-2004-x64
3MassScan/Input.txt
windows10-2004-x64
1MassScan/M...UI.exe
windows10-2004-x64
3MassScan/Packet.dll
windows10-2004-x64
3MassScan/_config.ini
windows10-2004-x64
1MassScan/masscan.exe
windows10-2004-x64
3MassScan/msvcr100.dll
windows10-2004-x64
3MassScan/w....3.exe
windows10-2004-x64
7$PLUGINSDIR/final.ini
windows10-2004-x64
1$PLUGINSDI...ns.ini
windows10-2004-x64
1MassScan/wpcap.dll
windows10-2004-x64
3NL Brute 2...te.exe
windows10-2004-x64
10NL Brute 2...gs.ini
windows10-2004-x64
1NL Brute 2...pu.exe
windows10-2004-x64
10ScanIP.exe
windows10-2004-x64
7ScanIP.pyc
windows10-2004-x64
3UsefulRDPScript.exe
windows10-2004-x64
7nVNC/bin/config.conf
windows10-2004-x64
3nVNC/input...ds.txt
windows10-2004-x64
1nVNC/nvnc.exe
windows10-2004-x64
7password.txt
windows10-2004-x64
1Analysis
-
max time kernel
1326s -
max time network
1150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240729-en -
resource tags
arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system -
submitted
30-07-2024 08:20
Behavioral task
behavioral1
Sample
Full Tool Scan VPS.zip
Resource
win10v2004-20240729-en
Behavioral task
behavioral2
Sample
Hit Sender/AxInterop.MSTSCLib.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
Hit Sender/Interop.MSTSCLib.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
Hit Sender/NLBrute Hit Sender-Checker.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
Hit Sender/RestSharp.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral6
Sample
Hit Sender/SkinSoft.VisualStyler.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)/IP Scanner.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral8
Sample
ScanIP.pyc
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
KPort Scaner/KPortScan V3.exe
Resource
win10v2004-20240729-en
Behavioral task
behavioral10
Sample
KPort Scaner/QtCore4.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
KPort Scaner/QtGui4.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral12
Sample
KPort Scaner/QtNetwork4.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
MassScan/Input.txt
Resource
win10v2004-20240709-en
Behavioral task
behavioral14
Sample
MassScan/Massscan_GUI.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
MassScan/Packet.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral16
Sample
MassScan/_config.ini
Resource
win10v2004-20240729-en
Behavioral task
behavioral17
Sample
MassScan/masscan.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral18
Sample
MassScan/msvcr100.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
MassScan/winpcap-4.3.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/final.ini
Resource
win10v2004-20240704-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/options.ini
Resource
win10v2004-20240709-en
Behavioral task
behavioral22
Sample
MassScan/wpcap.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
NL Brute 2/NLBrute.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral24
Sample
NL Brute 2/settings.ini
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
NL Brute 2/tối uu VPS ram cpu.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral26
Sample
ScanIP.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
ScanIP.pyc
Resource
win10v2004-20240709-en
Behavioral task
behavioral28
Sample
UsefulRDPScript.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
nVNC/bin/config.conf
Resource
win10v2004-20240709-en
Behavioral task
behavioral30
Sample
nVNC/input/passwords.txt
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
nVNC/nvnc.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral32
Sample
password.txt
Resource
win10v2004-20240709-en
General
-
Target
KPort Scaner/KPortScan V3.exe
-
Size
232KB
-
MD5
9e474178aff71d68f7b72fb186d6d763
-
SHA1
5eb3a66848515aed1cd9bb235dcb452e7470e5a2
-
SHA256
16c1e3fea0b086044036f402b5e00af9efd689417fe98fed51884539a4ad44bd
-
SHA512
ae41194fa85b4c5bb63f21e3218e62aa482d09b9fe3b4a3ea449c76d5d140abd232519abb563c70df3191d4be18b820af91c33842e1ed3459687fc2edb1593f2
-
SSDEEP
6144:k997OTkNPTqLIOt6r+9dEPlUIbrMOFTfM0OZhErjie0KK3m+nak:FTkNLlE3m+n
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
Processes:
resource yara_rule C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE family_neshta behavioral9/memory/4796-115-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral9/memory/4796-116-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral9/memory/4796-118-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
KPortScan V3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation KPortScan V3.exe -
Executes dropped EXE 1 IoCs
Processes:
KPortScan V3.exepid process 1628 KPortScan V3.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
KPortScan V3.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" KPortScan V3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
KPortScan V3.exedescription ioc process File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\COOKIE~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~4.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe KPortScan V3.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\ELEVAT~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~2.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~3.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MIA062~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.15\MICROS~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\NOTIFI~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI9C33~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe KPortScan V3.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\IDENTI~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\msedge.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe KPortScan V3.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe KPortScan V3.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE KPortScan V3.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE KPortScan V3.exe -
Drops file in Windows directory 1 IoCs
Processes:
KPortScan V3.exedescription ioc process File opened for modification C:\Windows\svchost.com KPortScan V3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
KPortScan V3.exeKPortScan V3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KPortScan V3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KPortScan V3.exe -
Modifies registry class 1 IoCs
Processes:
KPortScan V3.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" KPortScan V3.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
KPortScan V3.exepid process 1628 KPortScan V3.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
KPortScan V3.exedescription pid process target process PID 4796 wrote to memory of 1628 4796 KPortScan V3.exe KPortScan V3.exe PID 4796 wrote to memory of 1628 4796 KPortScan V3.exe KPortScan V3.exe PID 4796 wrote to memory of 1628 4796 KPortScan V3.exe KPortScan V3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1628
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
191KB
MD5c0a8af17a2912a08a20d65fe85191c28
SHA10fbc897bf6046718524d05b6bc144c3785224802
SHA256080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5
SHA512bd6b67a2f285a5634c5d38f742d5528a661414d3fb88f8065433f6a6a1a3a3f707dede9be7bda9bac9327240422c2314081d0a9eb9b6bc61687465ac96868ef9