Analysis Overview
SHA256
f4775567ca9941b4fb3224d97b0741ae669eedfcb0d8b3c71106b21bdb1aee28
Threat Level: Known bad
The file Optimizer-16.4.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Sets file execution options in registry
Modifies file permissions
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer Phishing Filter
Modifies system certificate store
Modifies registry class
Disables Windows logging functionality
System policy modification
Modifies Control Panel
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 12:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 12:12
Reported
2024-02-23 12:13
Platform
win10v2004-20240221-en
Max time kernel
79s
Max time network
82s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "%windir%\\System32\\taskkill.exe" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "%windir%\\System32\\taskkill.exe" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Disables Windows logging functionality
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Mouse\MouseHoverTime = "0" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\AutoEndTasks = "1" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\MenuShowDelay = "0" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\HungAppTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\Flags = "122" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "187" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys\Flags = "506" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ToggleKeys\Flags = "58" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To\ = "{C2FBB631-2971-11D1-A18C-00C04FD75D13}" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus = "1" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
C:\Windows\system32\sc.exe
sc config "RemoteRegistry" start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
C:\Windows\system32\icacls.exe
icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39bb055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
Files
memory/2668-0-0x000001A2C1B80000-0x000001A2C1DD8000-memory.dmp
memory/2668-1-0x00007FFD03160000-0x00007FFD03C21000-memory.dmp
memory/2668-2-0x000001A2DC260000-0x000001A2DC312000-memory.dmp
memory/2668-3-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-24-0x000001A2DCA40000-0x000001A2DCAB6000-memory.dmp
memory/2668-25-0x000001A2DC310000-0x000001A2DC332000-memory.dmp
memory/2668-27-0x000001A2DC3C0000-0x000001A2DC3DE000-memory.dmp
memory/2668-28-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-30-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-29-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-31-0x00007FFD03160000-0x00007FFD03C21000-memory.dmp
memory/2668-32-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_joxftp02.ez0.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2668-48-0x000001A2E0330000-0x000001A2E0346000-memory.dmp
memory/2668-49-0x000001A2E0350000-0x000001A2E035A000-memory.dmp
memory/2668-50-0x000001A2E03C0000-0x000001A2E03E6000-memory.dmp
memory/2668-66-0x000001A2E0BC0000-0x000001A2E0BD2000-memory.dmp
memory/2668-67-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-68-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-69-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-70-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-72-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-73-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-74-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-75-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
memory/2668-76-0x000001A2DC430000-0x000001A2DC440000-memory.dmp
C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat
| Hash | Value |
| --- | --- |
| MD5 | cb03c3144aaff8fb1c3497c403c2b60f |
| SHA1 | ba4380abb20eaaeb638cdb142452def731817212 |
| SHA256 | abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3 |
| SHA512 | d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660 |
C:\ProgramData\Optimizer\Optimizer.json
| Hash | Value |
| --- | --- |
| MD5 | 6b67d4971607b5050f86886ce9eeac6e |
| SHA1 | 11e812da278994cef6c50171c7494379dd34057a |
| SHA256 | 1cf9b8c1ab1a3f3b0535e9176b3434793364ad4cd5a40175e390184f1fe5f60c |
| SHA512 | 6b63200bb2773792c652496a6a1899ad6b58450a467b62294aef699cd2b3e75aa780012e6eb6bfafb62ab3aeeca2dc2084557718b52037852cf91a5ff388bb4c |
memory/2668-84-0x00007FFD03160000-0x00007FFD03C21000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 12:12
Reported
2024-02-23 12:13
Platform
win7-20240221-en
Max time kernel
48s
Max time network
50s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\MenuShowDelay = "0" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Mouse\MouseHoverTime = "0" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\AutoEndTasks = "1" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\HungAppTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To\ = "{C2FBB631-2971-11D1-A18C-00C04FD75D13}" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}" | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2184 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | C:\Windows\System32\cmd.exe |
| PID 2184 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | C:\Windows\System32\cmd.exe |
| PID 2184 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe | C:\Windows\System32\cmd.exe |
| PID 2924 wrote to memory of 3068 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 2924 wrote to memory of 3068 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 2924 wrote to memory of 3068 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\sc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
C:\Windows\system32\sc.exe
sc config "RemoteRegistry" start= disabled
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2184-0-0x0000000000CE0000-0x0000000000F38000-memory.dmp
memory/2184-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2184-2-0x000000001B050000-0x000000001B102000-memory.dmp
memory/2184-3-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-25-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-26-0x0000000002480000-0x0000000002500000-memory.dmp
C:\ProgramData\Optimizer\Optimizer.log
| Hash | Value |
| --- | --- |
| MD5 | bb04e9af50309df0fdff67ea9cc5027c |
| SHA1 | ed67ba3c74f7661f7aa8540b7f0c2049f3ef937b |
| SHA256 | e1adfc78d8c11e74b5c7f001fa6b1b85b65ecdede8dd1bc79296e389e1e23506 |
| SHA512 | a055305978fadffbd4595dfbc3f328669df064c01d6621af0c1421e8e29f5a23a279820fe39eec56c52dcfa2f7a5205cd54cec5d05c75f77c9fc6bd90b647eeb |
memory/2184-49-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2184-50-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-51-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-52-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-53-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-54-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-55-0x0000000002480000-0x0000000002500000-memory.dmp
C:\ProgramData\Optimizer\Optimizer.json
| Hash | Value |
| --- | --- |
| MD5 | 6b67d4971607b5050f86886ce9eeac6e |
| SHA1 | 11e812da278994cef6c50171c7494379dd34057a |
| SHA256 | 1cf9b8c1ab1a3f3b0535e9176b3434793364ad4cd5a40175e390184f1fe5f60c |
| SHA512 | 6b63200bb2773792c652496a6a1899ad6b58450a467b62294aef699cd2b3e75aa780012e6eb6bfafb62ab3aeeca2dc2084557718b52037852cf91a5ff388bb4c |
memory/2184-58-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2184-59-0x000007FEF5690000-0x000007FEF607C000-memory.dmp