| File name: | netscan_setup.exe |
| Full analysis: | https://app.any.run/tasks/9d107394-4bbd-4177-b8c4-7f93910e2796 |
| Verdict: | Malicious activity |
| Analysis date: | February 17, 2024, 05:44:27 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 7E7CD290A2DC611F9F9E1F1C6CCD13E2 |
| SHA1: | CF2FF8A280F6ECAE47BC2085E952601D159C6385 |
| SHA256: | BC1982BC3A3EAF71C123D30FE650CE0694DE10345F275BF8BC02297604F88FBE |
| SSDEEP: | 98304:Z+cD4dnBU4/vZ/G4KvUSD5Ijd8gl1jwLXUGVPCdfthKPcq5u8SGV8Qk/kfU4HQc+:JKb63/dSM+EE7RwoTG2MnlWYw |
MALICIOUS
Drops the executable file immediately after the start
- netscan_setup.exe (PID: 2472)
- netscan_setup.tmp (PID: 3228)
- netscan_setup.exe (PID: 3944)
SUSPICIOUS
Executable content was dropped or overwritten
- netscan_setup.exe (PID: 2472)
- netscan_setup.exe (PID: 3944)
- netscan_setup.tmp (PID: 3228)
Reads the Windows owner or organization settings
- netscan_setup.tmp (PID: 3228)
Reads the Internet Settings
- CompMgmtLauncher.exe (PID: 4000)
Process uses IPCONFIG to get network configuration information
- cmd.exe (PID: 2584)
INFO
Checks supported languages
- netscan_setup.exe (PID: 2472)
- netscan_setup.tmp (PID: 3228)
- netscan_setup.tmp (PID: 2160)
- netscan_setup.exe (PID: 3944)
- netscan.exe (PID: 1888)
Create files in a temporary directory
- netscan_setup.exe (PID: 3944)
- netscan_setup.exe (PID: 2472)
Creates files in the program directory
- netscan_setup.tmp (PID: 3228)
- netscan.exe (PID: 1888)
- mmc.exe (PID: 2756)
Reads the computer name
- netscan_setup.tmp (PID: 2160)
- netscan_setup.tmp (PID: 3228)
- netscan.exe (PID: 1888)
Manual execution by a user
- CompMgmtLauncher.exe (PID: 4000)
- CompMgmtLauncher.exe (PID: 2444)
- verclsid.exe (PID: 2888)
- cmd.exe (PID: 2584)
Creates a software uninstall entry
- netscan_setup.tmp (PID: 3228)
Creates files or folders in the user directory
- netscan_setup.tmp (PID: 3228)
- netscan.exe (PID: 1888)
Reads security settings of Internet Explorer
- CompMgmtLauncher.exe (PID: 4000)
Reads the machine GUID from the registry
- netscan.exe (PID: 1888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (53.5) |
|---|---|---|
| .exe | | | InstallShield setup (21) |
| .exe | | | Win32 EXE PECompact compressed (generic) (20.2) |
| .exe | | | Win32 Executable (generic) (2.1) |
| .exe | | | Win16/32 Executable Delphi generic (1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:02:15 14:54:16+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741888 |
| InitializedDataSize: | 89600 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 8.2.0.0 |
| ProductVersionNumber: | 8.2.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | SoftPerfect Pty Ltd |
| FileDescription: | SoftPerfect Network Scanner |
| FileVersion: | 8.2 |
| LegalCopyright: | 2003-2024 SoftPerfect Pty Ltd |
| OriginalFileName: | |
| ProductName: | SoftPerfect Network Scanner |
| ProductVersion: | 8.2 |
Total processes
54
Monitored processes
11
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1888 | "C:\Program Files\SoftPerfect Network Scanner\netscan.exe" | C:\Program Files\SoftPerfect Network Scanner\netscan.exe | netscan_setup.tmp | ||||||||||||
User: admin Company: SoftPerfect Pty Ltd Integrity Level: MEDIUM Description: Application for scanning networks Exit code: 0 Version: 8.2.0.0 Modules
| |||||||||||||||
| 2068 | ipconfig | C:\Windows\System32\ipconfig.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2160 | "C:\Users\admin\AppData\Local\Temp\is-FM3LR.tmp\netscan_setup.tmp" /SL5="$E0170,11997596,832512,C:\Users\admin\AppData\Local\Temp\netscan_setup.exe" | C:\Users\admin\AppData\Local\Temp\is-FM3LR.tmp\netscan_setup.tmp | — | netscan_setup.exe | |||||||||||
User: admin Company: SoftPerfect Pty Ltd Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2444 | "C:\Windows\system32\CompMgmtLauncher.exe" | C:\Windows\System32\CompMgmtLauncher.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Computer Management Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2472 | "C:\Users\admin\AppData\Local\Temp\netscan_setup.exe" | C:\Users\admin\AppData\Local\Temp\netscan_setup.exe | explorer.exe | ||||||||||||
User: admin Company: SoftPerfect Pty Ltd Integrity Level: MEDIUM Description: SoftPerfect Network Scanner Exit code: 0 Version: 8.2 Modules
| |||||||||||||||
| 2584 | "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2756 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s | C:\Windows\System32\mmc.exe | CompMgmtLauncher.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2888 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\System32\verclsid.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3228 | "C:\Users\admin\AppData\Local\Temp\is-060A0.tmp\netscan_setup.tmp" /SL5="$100130,11997596,832512,C:\Users\admin\AppData\Local\Temp\netscan_setup.exe" /SPAWNWND=$18013E /NOTIFYWND=$E0170 | C:\Users\admin\AppData\Local\Temp\is-060A0.tmp\netscan_setup.tmp | netscan_setup.exe | ||||||||||||
User: admin Company: SoftPerfect Pty Ltd Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3944 | "C:\Users\admin\AppData\Local\Temp\netscan_setup.exe" /SPAWNWND=$18013E /NOTIFYWND=$E0170 | C:\Users\admin\AppData\Local\Temp\netscan_setup.exe | netscan_setup.tmp | ||||||||||||
User: admin Company: SoftPerfect Pty Ltd Integrity Level: HIGH Description: SoftPerfect Network Scanner Exit code: 0 Version: 8.2 Modules
| |||||||||||||||
Total events
13 595
Read events
13 286
Write events
300
Delete events
9
Modification events
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 9C0C0000341B9E666461DA01 | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: DBA8D8F688351389AFB5C96B6FC7579554425EEA4FBC92FDA027E4AB3A0DCBA3 | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Program Files\SoftPerfect Network Scanner\netscan.exe | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: 8E32AA413203216A07BF3DB3EFBBD2A22FD88E89B200065CAF2C790241AE511A | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8083C3D9-F400-48FA-B060-CF55F25E2D4B}_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 6.2.2 | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8083C3D9-F400-48FA-B060-CF55F25E2D4B}_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\SoftPerfect Network Scanner | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8083C3D9-F400-48FA-B060-CF55F25E2D4B}_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\SoftPerfect Network Scanner\ | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8083C3D9-F400-48FA-B060-CF55F25E2D4B}_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: SoftPerfect Network Scanner | |||
| (PID) Process: | (3228) netscan_setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8083C3D9-F400-48FA-B060-CF55F25E2D4B}_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
Executable files
10
Suspicious files
4
Text files
683
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\ADSL-LINE-EXT-MIB | text | |
MD5:62317CE9EFF85065D1828F8BFD8B8165 | SHA256:38227DA168C76CC0B23730A33F4C90698CCE1F3A2E2FB6C8AFACE396AC8CC564 | |||
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\ADSL2-LINE-MIB | text | |
MD5:5DDDCC925D0AF9E3AC7542ACE919817C | SHA256:7ACA55BAA4470867172F702382C4E798C9F75B688B56AA8964D8B7A12BB3E20A | |||
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\ACCOUNTING-CONTROL-MIB | text | |
MD5:B3D5843D270546D9D304BA2F5BA03DE4 | SHA256:2E476CE697C592E4F39A0E43EB51E4EBD8977C41D7FDA287C9DE7B98CFA6F1CA | |||
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\ADSL-TC-MIB | text | |
MD5:709E812E12B30DE1DD12EF2277211606 | SHA256:DDC83B4986834FB091559886C410BD3862BF8981C847322F4C9558CC2D0000F2 | |||
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\is-H5OK8.tmp | text | |
MD5:0F5E93840F554BC192069F9D556B98B9 | SHA256:D45B578B3A21E40AA165C58CDA8A86E402B1C9556FF461D4F22A185EDA74A81A | |||
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\is-DVS1F.tmp | text | |
MD5:94895CA7AFCF9B9501E6EEFE5D684CA3 | SHA256:0DE89F0BD22C373072A1525EA219C9403FF0642D31C25C27ED66C35456C8C3F1 | |||
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\ACCOUNTING-FRAMEWORK-PIB | text | |
MD5:3BCBD550C01F34F323BED1E4EA7083BD | SHA256:84E202C003BFB45B14212F3880DD4FF6E7CF1825E8935A08086F144155EF1202 | |||
| 3228 | netscan_setup.tmp | C:\Program Files\SoftPerfect Network Scanner\unins000.exe | executable | |
MD5:1563B5B340C2B5E1BC63B9F00DC935A5 | SHA256:CAD2DB58EC3DE552936B78B9825AAFEAD5A45D5A363FF1A47B6DDA2A5CCA8739 | |||
| 2472 | netscan_setup.exe | C:\Users\admin\AppData\Local\Temp\is-FM3LR.tmp\netscan_setup.tmp | executable | |
MD5:82F3762F55F71DBEC839AD0F95E5A19C | SHA256:76F05F84FB5D333A430A1D2C90C52541B037BF237145197D117B188CAAC835EB | |||
| 3228 | netscan_setup.tmp | C:\Users\admin\AppData\Roaming\SoftPerfect Network Scanner\Mibs\ACCESSBIND-PIB | text | |
MD5:0F5E93840F554BC192069F9D556B98B9 | SHA256:D45B578B3A21E40AA165C58CDA8A86E402B1C9556FF461D4F22A185EDA74A81A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
26
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1888 | netscan.exe | 192.168.100.255:67 | — | — | — | whitelisted |
4 | System | 192.168.100.1:137 | — | — | — | unknown |
4 | System | 192.168.100.2:137 | — | — | — | whitelisted |
1888 | netscan.exe | 192.168.100.1:137 | — | — | — | unknown |
1888 | netscan.exe | 192.168.100.2:137 | — | — | — | whitelisted |
1888 | netscan.exe | 192.168.100.2:445 | — | — | — | whitelisted |
1888 | netscan.exe | 192.168.100.2:161 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
2.100.168.192.in-addr.arpa |
| unknown |
1.100.168.192.in-addr.arpa |
| unknown |
Threats
Process | Message |
|---|---|
mmc.exe | ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerExtension
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|
mmc.exe | Getting next publisher from enum failed-259-No more data is available
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|
mmc.exe | ExpandNode:After EventsNode:InsertChildren CountOfChildren = 5
|
mmc.exe | ExpandNode:After EventsNode:InsertChildren CountOfChildren = 0
|