121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

General

Target

boost-fps.exe
Size

1.3MB
MD5

92fc1129af30ba08a79113624f51bcb7
SHA1

b68388c46a78d262fcdedbaea09372785fb6786c
SHA256

121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946
SHA512

3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Idle.exeIdle.exe

pid process

1836 Idle.exe
1636 Idle.exe
Loads dropped DLL 1 IoCs

Processes:

boost-fps.exe

pid process

1560 boost-fps.exe

pid	process
1836	Idle.exe
1636	Idle.exe

pid	process
1560	boost-fps.exe

Drops file in System32 directory 9 IoCs

Processes:

boost-fps.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\hnetmon\lsm.exe	boost-fps.exe
File created	C:\Windows\SysWOW64\hnetmon\101b941d020240259ca4912829b53995ad543df6	boost-fps.exe
File created	C:\Windows\SysWOW64\VBICodec\wininit.exe	boost-fps.exe
File created	C:\Windows\SysWOW64\UIRibbonRes\spoolsv.exe	boost-fps.exe
File created	C:\Windows\SysWOW64\mobsync\886983d96e3d3e31032c679b2d4ea91b6c05afef	boost-fps.exe
File created	C:\Windows\SysWOW64\hnetmon\lsm.exe	boost-fps.exe
File created	C:\Windows\SysWOW64\VBICodec\560854153607923c4c5f107085a7db67be01f252	boost-fps.exe
File created	C:\Windows\SysWOW64\UIRibbonRes\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	boost-fps.exe
File created	C:\Windows\SysWOW64\mobsync\csrss.exe	boost-fps.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

boost-fps.exeIdle.exe

description	pid	process	target process
PID 368 set thread context of 1560	368	boost-fps.exe	boost-fps.exe
PID 1836 set thread context of 1636	1836	Idle.exe	Idle.exe

Drops file in Program Files directory 4 IoCs

Processes:

boost-fps.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\services.exe	boost-fps.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	boost-fps.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\Idle.exe	boost-fps.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\6ccacd8608530fba3a93e87ae2225c7032aa18c1	boost-fps.exe

Drops file in Windows directory 2 IoCs

Processes:

boost-fps.exe

description	ioc	process
File created	C:\Windows\setupact\explorer.exe	boost-fps.exe
File created	C:\Windows\setupact\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	boost-fps.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
920	schtasks.exe
2036	schtasks.exe
1692	schtasks.exe
1972	schtasks.exe
1168	schtasks.exe
1876	schtasks.exe
1688	schtasks.exe
1832	schtasks.exe
2044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

boost-fps.exeIdle.exe

pid process

1560 boost-fps.exe
1636 Idle.exe

pid	process
1560	boost-fps.exe
1636	Idle.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

boost-fps.exeIdle.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1560	boost-fps.exe
Token: SeDebugPrivilege	1636	Idle.exe
Token: 33	1084	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1084	AUDIODG.EXE
Token: 33	1084	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1084	AUDIODG.EXE

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

boost-fps.exeboost-fps.exeIdle.exe

description	pid	process	target process
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 368 wrote to memory of 1560	368	boost-fps.exe	boost-fps.exe
PID 1560 wrote to memory of 1832	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1832	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1832	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1832	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2044	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2044	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2044	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2044	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1168	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1168	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1168	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1168	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1692	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1692	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1692	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1692	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1972	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1972	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1972	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1972	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1876	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1876	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1876	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1876	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 920	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 920	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 920	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 920	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2036	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2036	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2036	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 2036	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1688	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1688	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1688	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1688	1560	boost-fps.exe	schtasks.exe
PID 1560 wrote to memory of 1836	1560	boost-fps.exe	Idle.exe
PID 1560 wrote to memory of 1836	1560	boost-fps.exe	Idle.exe
PID 1560 wrote to memory of 1836	1560	boost-fps.exe	Idle.exe
PID 1560 wrote to memory of 1836	1560	boost-fps.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe
PID 1836 wrote to memory of 1636	1836	Idle.exe	Idle.exe

C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
"C:\Users\Admin\AppData\Local\Temp\boost-fps.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
"{path}"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\hnetmon\lsm.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "boost-fps" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\boost-fps.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\VBICodec\wininit.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\UIRibbonRes\spoolsv.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\mobsync\csrss.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1972

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\services.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\ProgramData\Desktop\lsm.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:920

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\setupact\explorer.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\Idle.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1688

C:\Program Files\Windows Photo Viewer\en-US\Idle.exe
"C:\Program Files\Windows Photo Viewer\en-US\Idle.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files\Windows Photo Viewer\en-US\Idle.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\en-US\Idle.exe
MD5
92fc1129af30ba08a79113624f51bcb7

SHA1
b68388c46a78d262fcdedbaea09372785fb6786c

SHA256
121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

SHA512
3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Download Submit
C:\Program Files\Windows Photo Viewer\en-US\Idle.exe
MD5
92fc1129af30ba08a79113624f51bcb7

SHA1
b68388c46a78d262fcdedbaea09372785fb6786c

SHA256
121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

SHA512
3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Download Submit
C:\Program Files\Windows Photo Viewer\en-US\Idle.exe
MD5
92fc1129af30ba08a79113624f51bcb7

SHA1
b68388c46a78d262fcdedbaea09372785fb6786c

SHA256
121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

SHA512
3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Download Submit
\Program Files\Windows Photo Viewer\en-US\Idle.exe
MD5
92fc1129af30ba08a79113624f51bcb7

SHA1
b68388c46a78d262fcdedbaea09372785fb6786c

SHA256
121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

SHA512
3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Download Submit
memory/368-61-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/368-62-0x0000000000440000-0x0000000000445000-memory.dmp

Filesize
20KB

Download
memory/368-63-0x0000000008030000-0x00000000080CC000-memory.dmp

Filesize
624KB

Download
memory/368-64-0x0000000007EB0000-0x0000000007F26000-memory.dmp

Filesize
472KB

Download
memory/368-59-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/920-76-0x0000000000000000-mapping.dmp

Download
memory/1164-95-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/1168-72-0x0000000000000000-mapping.dmp

Download
memory/1560-67-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1560-69-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1560-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1560-66-0x0000000000465BEE-mapping.dmp

Download
memory/1636-94-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1636-90-0x0000000000465BEE-mapping.dmp

Download
memory/1688-78-0x0000000000000000-mapping.dmp

Download
memory/1692-73-0x0000000000000000-mapping.dmp

Download
memory/1832-70-0x0000000000000000-mapping.dmp

Download
memory/1836-83-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1836-86-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1836-80-0x0000000000000000-mapping.dmp

Download
memory/1876-75-0x0000000000000000-mapping.dmp

Download
memory/1972-74-0x0000000000000000-mapping.dmp

Download
memory/2036-77-0x0000000000000000-mapping.dmp

Download
memory/2044-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads