121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

General

Target

boost-fps.exe
Size

1.3MB
MD5

92fc1129af30ba08a79113624f51bcb7
SHA1

b68388c46a78d262fcdedbaea09372785fb6786c
SHA256

121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946
SHA512

3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

taskhostw.exetaskhostw.exe

pid process

3380 taskhostw.exe
4468 taskhostw.exe

pid	process
3380	taskhostw.exe
4468	taskhostw.exe

Drops file in System32 directory 4 IoCs

Processes:

boost-fps.exe

description	ioc	process
File created	C:\Windows\SysWOW64\iasnap\taskhostw.exe	boost-fps.exe
File created	C:\Windows\SysWOW64\iasnap\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	boost-fps.exe
File created	C:\Windows\SysWOW64\SubRange\RuntimeBroker.exe	boost-fps.exe
File created	C:\Windows\SysWOW64\SubRange\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	boost-fps.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

boost-fps.exetaskhostw.exe

description	pid	process	target process
PID 3744 set thread context of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3380 set thread context of 4468	3380	taskhostw.exe	taskhostw.exe

Drops file in Program Files directory 4 IoCs

Processes:

boost-fps.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	boost-fps.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c99120d96dace90a3f93f329dcad63	boost-fps.exe
File created	C:\Program Files (x86)\WindowsPowerShell\boost-fps.exe	boost-fps.exe
File created	C:\Program Files (x86)\WindowsPowerShell\cb6268b4effe6f5b732f0e6ea7e17d0b33b1d084	boost-fps.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4652 schtasks.exe
4332 schtasks.exe
112 schtasks.exe
1440 schtasks.exe
3540 schtasks.exe
4040 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

boost-fps.exeboost-fps.exetaskhostw.exe

pid process

3744 boost-fps.exe
3744 boost-fps.exe
3744 boost-fps.exe
3744 boost-fps.exe
3696 boost-fps.exe
4468 taskhostw.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

boost-fps.exeboost-fps.exetaskhostw.exe

description pid process

Token: SeDebugPrivilege 3744 boost-fps.exe
Token: SeDebugPrivilege 3696 boost-fps.exe
Token: SeDebugPrivilege 4468 taskhostw.exe

pid	process
4652	schtasks.exe
4332	schtasks.exe
112	schtasks.exe
1440	schtasks.exe
3540	schtasks.exe
4040	schtasks.exe

pid	process
3744	boost-fps.exe
3744	boost-fps.exe
3744	boost-fps.exe
3744	boost-fps.exe
3696	boost-fps.exe
4468	taskhostw.exe

description	pid	process
Token: SeDebugPrivilege	3744	boost-fps.exe
Token: SeDebugPrivilege	3696	boost-fps.exe
Token: SeDebugPrivilege	4468	taskhostw.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

boost-fps.exeboost-fps.exetaskhostw.exe

description	pid	process	target process
PID 3744 wrote to memory of 5024	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 5024	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 5024	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 628	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 628	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 628	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3744 wrote to memory of 3696	3744	boost-fps.exe	boost-fps.exe
PID 3696 wrote to memory of 4652	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4652	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4652	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4332	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4332	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4332	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 112	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 112	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 112	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 1440	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 1440	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 1440	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 3540	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 3540	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 3540	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4040	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4040	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 4040	3696	boost-fps.exe	schtasks.exe
PID 3696 wrote to memory of 3380	3696	boost-fps.exe	taskhostw.exe
PID 3696 wrote to memory of 3380	3696	boost-fps.exe	taskhostw.exe
PID 3696 wrote to memory of 3380	3696	boost-fps.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe
PID 3380 wrote to memory of 4468	3380	taskhostw.exe	taskhostw.exe

C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
"C:\Users\Admin\AppData\Local\Temp\boost-fps.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
"{path}"
2⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
"{path}"
2⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
"{path}"
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\sppsvc.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4652

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:112

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\SubRange\RuntimeBroker.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1440

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "boost-fps" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\boost-fps.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3540

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\iasnap\taskhostw.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4040

C:\Windows\SysWOW64\iasnap\taskhostw.exe
"C:\Windows\System32\iasnap\taskhostw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\iasnap\taskhostw.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boost-fps.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\taskhostw.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Windows\SysWOW64\iasnap\taskhostw.exe
Filesize
1.3MB

MD5
92fc1129af30ba08a79113624f51bcb7

SHA1
b68388c46a78d262fcdedbaea09372785fb6786c

SHA256
121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

SHA512
3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Download Submit
C:\Windows\SysWOW64\iasnap\taskhostw.exe
Filesize
1.3MB

MD5
92fc1129af30ba08a79113624f51bcb7

SHA1
b68388c46a78d262fcdedbaea09372785fb6786c

SHA256
121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

SHA512
3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Download Submit
C:\Windows\SysWOW64\iasnap\taskhostw.exe
Filesize
1.3MB

MD5
92fc1129af30ba08a79113624f51bcb7

SHA1
b68388c46a78d262fcdedbaea09372785fb6786c

SHA256
121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

SHA512
3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Download Submit
memory/112-137-0x0000000000000000-mapping.dmp

Download
memory/628-130-0x0000000000000000-mapping.dmp

Download
memory/1440-138-0x0000000000000000-mapping.dmp

Download
memory/3380-141-0x0000000000000000-mapping.dmp

Download
memory/3540-139-0x0000000000000000-mapping.dmp

Download
memory/3696-134-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/3696-132-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3696-131-0x0000000000000000-mapping.dmp

Download
memory/3744-124-0x0000000000740000-0x000000000089A000-memory.dmp

Filesize
1.4MB

Download
memory/3744-128-0x0000000008A20000-0x0000000008ABC000-memory.dmp

Filesize
624KB

Download
memory/3744-127-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/3744-126-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/3744-125-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4040-140-0x0000000000000000-mapping.dmp

Download
memory/4332-136-0x0000000000000000-mapping.dmp

Download
memory/4468-144-0x0000000000000000-mapping.dmp

Download
memory/4652-135-0x0000000000000000-mapping.dmp

Download
memory/5024-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads