When the program is executed it will attempt to load into memory a large embedded module that is decoded with a supplied key. The ServeManager.exe artifact is a 32-bit executable file that is executed using the Microsoft Sysinternals remote administration tool, PsExec.exe. c -> Copy the program to the remote system before executing. This should be -realtime, or run this process before any other process. s -> Run the program with system level privileges. d -> Run psexec.exe without any -> Remotely access this list of hostnames/IP addresses. Psexec.exe -d -s -relatime -c ServeManager.exe -key This utility was used to execute the program ServeManager.exe with the following arguments: This tool is part of Microsoft's Sysinternals tool suite. The PsExec.exe artifact is the legitimate remote administration program. After the files are encrypted, the program will write a ransom note to each folder and directory on the system.ĭetails on the ransomware artifacts are below. The malware also encrypts files in the recovery folder ( Data Encrypted for Impact ).
SOFTPERFECT NETWORK SCANNER COMMAND LINE WINDOWS
To prevent data recovery, FiveHands uses WMI to first enumerate then delete Volume Shadow copies ( Inhibit System Recovery Windows Management Instrumentation ). Note: the NTRUEncrypt public key cryptosystem encryption algorithm (NTRU), is a lattice-based alternative to Rivest-Shamir-Adleman, known as RSA, and Elliptic-curve cryptography, or ECC, and is based on the shortest vector problem in a lattice. FiveHands is a novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt. The malicious cyber actor used PsExec to execute ServeManager.exe, which CISA refers to as FiveHands ransomware ( Execution, System Services: Service Execution, Impact ).
SOFTPERFECT NETWORK SCANNER COMMAND LINE LICENSE
The netscan.lic artifact is the Network Scanner license that was included with this submission.
The utility will generate a report of its findings called netscan.xml. The utility can also be used with Nmap for vulnerability scanning. It also scans for remote services, registry, files and performance counters offers flexible filtering and display options and exports NetScan results to a variety of formats from XML to JSON."
The SoftPerfect website states that the "SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices, via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), and PowerShell. The netscan.exe artifact is a stand-alone version of the SoftPerfect Network Scanner, version 7.2.9 for 64-bit operating systems. The cyber actor used SoftPerfect Network Scanner for Discovery of hostnames and network services ( Network Service Scanning ).ĭetails on the SoftPerfect Network Scanner artifacts are below. Publicly Available Tool: SoftPerfect Network Scanner
Supports Wake-On-LAN, and remote shutdown.Exports results to CSV, HTML, JSON, TXT and XML.Supports remote SSH and PowerShell command execution.Retrieves currently logged-on users, configured user accounts, uptime, etc.Scans for listening TCP ports, some UDP and SNMP services.Detects internal and external IP addresses.Detects writable and hidden shared folders.Detects hardware MAC-addresses, even across routers.Fully supports both IPv4 and IPv6 discovery.Performs ping sweeps and displays live devices.With it, users can ping computers, and are able to scan for listening TCP/UDP ports and discovers shared folders, including system folder and hidden ones. The app has been designed for both system administrators and general users who have an interest in computer security. SoftPerfect Network Scanner is a multi-threaded IPv4/IPv6 scanner that comes with a fresh, modern user interface and numerous advanced features.
0 kommentar(er)
