148676520caaf0baf3e9613465facd01a6f57ed386f3bad87931d8d3329117e4

Analysis

max time kernel
146s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Advanced-IP-Scanner/libEGL32.exe
Size

20.1MB
MD5

5537c708edb9a2c21f88e34e8a0f1744
SHA1

86233a285363c2a6863bf642deab7e20f062b8eb
SHA256

26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b
SHA512

35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1
SSDEEP

393216:Plu7Txs0NDmNh9D4HaSYz2Kj0Cz1gEVmWdQOjM/y3tFfs5IRRViGmMQZ+Bw5i:A7Th9mT97S7CzNwWCJK05IRTX+Fi

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3776	libEGL32.tmp

Loads dropped DLL 1 IoCs

pid	Process
3776	libEGL32.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	libEGL32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	libEGL32.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5604 wrote to memory of 3776	5604	libEGL32.exe	79
PID 5604 wrote to memory of 3776	5604	libEGL32.exe	79
PID 5604 wrote to memory of 3776	5604	libEGL32.exe	79

C:\Users\Admin\AppData\Local\Temp\Advanced-IP-Scanner\libEGL32.exe
"C:\Users\Admin\AppData\Local\Temp\Advanced-IP-Scanner\libEGL32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5604
- C:\Users\Admin\AppData\Local\Temp\is-TTIRO.tmp\libEGL32.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TTIRO.tmp\libEGL32.tmp" /SL5="$50310,20439558,139776,C:\Users\Admin\AppData\Local\Temp\Advanced-IP-Scanner\libEGL32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3776

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-N7IB4.tmp\aips_is_install_dll.dll

Filesize
149KB

MD5
57e73855fad786a59893d6581e9fb5b9

SHA1
630e52b9e88a05add68401bd62790ed8e2c3282a

SHA256
3a7a8aa906c65124c4ee82aacb81d723ce69864ccaf041f631b8131de59e4a88

SHA512
be0cf0925535dd667488175f2eac660d1ebf8429ce6725252c59fb70b00fc2f21b1e0b7ce632eaa53337ae25e44c641e13a3df0b415724498d30daf00b296f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTIRO.tmp\libEGL32.tmp

Filesize
1.1MB

MD5
b87639f9a6cf5ba8c9e1f297c5745a67

SHA1
ce4758849b53af582d2d8a1bc0db20683e139fcc

SHA256
ec8252a333f68865160e26dc95607f2c49af00f78c657f7f8417ab9d86e90bf7

SHA512
9626fc4aa4604eee7ededa62b9dc78a3f6fe388eaf1fa6c916a3715b0dff65c417eede156d82398c2400977a36457122565e15e0ed0e435b28cb9f796005c1c0

Download Submit
memory/3776-36-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-28-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-44-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-42-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-18-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-20-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-22-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-24-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-26-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-7-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-30-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-32-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-34-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-40-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3776-38-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5604-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/5604-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5604-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download