4e3997e7eeb20c295d81a754744405ec169dcbfeba8e0adf7629976047f1c472

General

Target

portscan/VIP网络端口扫描.exe
Size

233KB
MD5

0c3f0786e4352a906929826b9a6972ad
SHA1

b80fc668a22a51fb0f6322376de72963fa83e94f
SHA256

7c81086ccc149053da52a981ece40b5a89e6f855d197e4f6970019f4b0a69027
SHA512

1a6b199169f905312f46b35c001ba68fab60c94f901fd850f358f1de382cd889111fe7e9ce3c6110a2e75292b4824bc9febc2a24e0395634f98f38c39ba22f9c
SSDEEP

6144:PwD2mIZbQhEdvymKUwLml+VRE+fWQ4PInO:O2mBhEdv5KpLml2Fc

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	VIP网络端口扫描.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	VIP网络端口扫描.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	VIP网络端口扫描.exe
File created	C:\Windows\assembly\Desktop.ini	VIP网络端口扫描.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	VIP网络端口扫描.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VIP网络端口扫描.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2040	4588	VIP网络端口扫描.exe	86
PID 4588 wrote to memory of 2040	4588	VIP网络端口扫描.exe	86
PID 4588 wrote to memory of 2040	4588	VIP网络端口扫描.exe	86
PID 2040 wrote to memory of 1988	2040	csc.exe	88
PID 2040 wrote to memory of 1988	2040	csc.exe	88
PID 2040 wrote to memory of 1988	2040	csc.exe	88

C:\Users\Admin\AppData\Local\Temp\portscan\VIP网络端口扫描.exe
"C:\Users\Admin\AppData\Local\Temp\portscan\VIP网络端口扫描.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hokjcyqr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF98.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBF97.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBF98.tmp

Filesize
1KB

MD5
72c9192f8aae6eb53d436a5d80d76885

SHA1
644d9ce578f3ac705b6fe0d286622b87ea517dbd

SHA256
9ffdc423e3221fb71fb15497b4d06a0059a162305f6002746e19083943103b79

SHA512
6e0c38ce0c670180675a4956e30680a9181756ed4231952c64e1191ac881fbca51b907c4aec61ca8b96c8b7e3ca708de3676256f407876ddae23b26dfdea0bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\hokjcyqr.dll

Filesize
18KB

MD5
08ff6e4ac56c568094669eed8bf65e21

SHA1
26410a4ccb287cf59d7f3c59d8f8cd05aede01e4

SHA256
04285440091f73c40d54d5d1955a64345805495bbbd19039b3360fd69f971389

SHA512
90c17b7ec6b811b3f781949ef765813b5ed7513406a68c541c3b9204eddb4baa64957f7e6ec522ee1646b24a701bddb4088e0ce6253d2510cd52f41df5b96a80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBF97.tmp

Filesize
700B

MD5
45b2589f3d3881e99a01986c246400c4

SHA1
709f6bc8dd9775b5dc8941a1ec4954f0368549b1

SHA256
f6c89f3444dd3c49cb119bc7f5cd3cd72fe76675c5aeccf315a45d4ae0ec5d15

SHA512
190d4a5360d7134324ab7c9414ce6db25f41095ee826a3e928547cee33bc090587bd5f45638007378fc55363b08bda2f2f9de4da24014ae688ea1f59726c33ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hokjcyqr.0.cs

Filesize
35KB

MD5
87bc51248de71d3d4751bcc6c95384e3

SHA1
b01ed474029f1a694358add062a081221e57e0f2

SHA256
d31ea78633f5bd7f9b121a43b59c3aaddb9c6557d37906d3909b2d99fa8427b3

SHA512
a6762b017119038a01a52c40280c407b387bcfead2da45fe104f64e8fc09a4bc75aee9c408614e50bb1c2d99fdba778651b85d5fc69842e7f3e6554444384bc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hokjcyqr.cmdline

Filesize
529B

MD5
5364d30c5a472a7f5eaf33b099bc4393

SHA1
162109d969a94fee93c0c4141bc268864c522135

SHA256
cc5e76f2965174c60fbdeb0b6f4d074cd235d21692aac4e7299d12cd1567aa3e

SHA512
6383062293557f125c32d4ee14821df9772efab6a63a79ab2ee1a24dcff01a17a6d9c471a12fb8ec82a9c336f0020d83a38d7966df8ba5053c31e10123f3da25

Download Submit
memory/2040-21-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/2040-14-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-0-0x0000000075042000-0x0000000075043000-memory.dmp

Filesize
4KB

Download
memory/4588-6-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-7-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-3-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-2-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-8-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-1-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-24-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-25-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-26-0x0000000075042000-0x0000000075043000-memory.dmp

Filesize
4KB

Download
memory/4588-27-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-28-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing