09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264

Resubmissions

07/08/2024, 11:52

240807-n1s2zaybqp 5

06/08/2024, 19:50

240806-yj8q7sydpr 7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpz16y76kd.exe
Size

18.5MB
MD5

4bba5b7d3713e8b9d73ff1955211e971
SHA1

9473104a1aefb0daabe41a92d75705be7e2daaf3
SHA256

09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264
SHA512

78e36c1f75de9b33b3216b957b2523e8553bb59db3b0fe407040ba0441700d05476a16a367af12f321a5e9f06634d347732480511e6faca53bb06e78e8286424
SSDEEP

393216:EE2LeetrWJzdiEIMzqD3ZUswv2h/ojcCOvzXr98ASNg+:EE2dtr+dlzqNHZh/ogj8ASq+

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
228	ipscan-3.9.1-setup.exe

Loads dropped DLL 3 IoCs

pid	Process
228	ipscan-3.9.1-setup.exe
228	ipscan-3.9.1-setup.exe
228	ipscan-3.9.1-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpz16y76kd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipscan-3.9.1-setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 228	1128	tmpz16y76kd.exe	88
PID 1128 wrote to memory of 228	1128	tmpz16y76kd.exe	88
PID 1128 wrote to memory of 228	1128	tmpz16y76kd.exe	88

C:\Users\Admin\AppData\Local\Temp\tmpz16y76kd.exe
"C:\Users\Admin\AppData\Local\Temp\tmpz16y76kd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128
- C:\ProgramData\Microsoft\WindowsUpdate24\ipscan-3.9.1-setup.exe
  C:\ProgramData\Microsoft\WindowsUpdate24\ipscan-3.9.1-setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\WindowsUpdate24\ipscan-3.9.1-setup.exe

Filesize
17.6MB

MD5
0995262c8adde90ec6d9e039b3d7293d

SHA1
089ff4aee406f894c0ce2166d253c141a4c8fa32

SHA256
223aa5d93a00b41bf92935b00cb94bb2970c681fc44c9c75f245a236d617d9bb

SHA512
bdbf9fb817878295b2105e2eafcd3932680b4fff64825ca4f859ca10def823f89865e735593f7ea138bdc5f09bd913dd0b71f2ca5aff191068ad6538b0a69d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse903C.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse903C.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse903C.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit