A security agent detected suspicious software activity on a desktop used by the user 'LYNDONPC2\Jennifer', assessed as a moderate-severity discovery because it behaved like a reconnaissance tool that could map systems. The endpoint is protected and the SOC applied automated containment actions successfully, so the immediate risk is mitigated. Business impact is limited if no additional malicious actions occurred, though such tools can signal attempts to probe the network that warrant attention.
SOC Response Actions

Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

| Action | Status |
| --- | --- |
| LyndonPC2, no full disk scan command was sent. | Not Configured |
| LyndonPC2, endpoint was not isolated from the network. | Not Configured |
Recommended Remediation
[Containment] Isolate endpoint 'LyndonPC2' from the network immediately (disconnect Wi-Fi and block external IP 23.24.19.166 at perimeter).
[Eradication] Remove the file '\Device\HarddiskVolume3\Program Files\Angry IP Scanner\ipscan.exe' and uninstall related application 'ipscan-3.9.3-setup.exe' from 'LYNDONPC2' for user 'LYNDONPC2\Jennifer'.
[Eradication] Quarantine and delete file hash '5b576e5f33a3ae019881cb5942218ab0d28539bd42693654d4d2319eb196ece6' from backups and removable media, and ensure no copies remain on shared drives.
[Hardening] Restrict endpoint software installation rights for 'LYNDONPC2\Jennifer' (apply least privilege — remove local admin rights and require admin approval for installs).
[Hardening] Block execution and network access for Angry IP Scanner binaries and related hacktool signatures via endpoint protection and application allowlist policies.
Indicators of Compromise

| Indicator | Verdict | Source |
| --- | --- | --- |
| 5b576e5f...b196ece6 | Malicious file hash detected by 3 security engines; classified under the meaningful name ipscan.exe. | Hybrid-Analysis |
The threat indicator shows that a hacking tool known as 'IPScan' has been detected. This tool is commonly used by attackers to scan networks for devices and vulnerabilities, making it easier for them to exploit weaknesses. The presence of IPScan on a system indicates potential unauthorized activities aimed at gathering sensitive information about the network. It is crucial to take immediate action to investigate and mitigate any risks associated with this tool to ensure the security of the system and its data.