Analysis
max time kernel: 38s
max time network: 44s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/05/2024, 22:25
Static task: static1
Behavioral task: behavioral1
Sample: StartAllBack.v3.7.7.exe
Resource: win10-20240404-en
General
Target: StartAllBack.v3.7.7.exe
Size: 3.4MB
MD5: 5f6757917139289b8cf4566a61c45173
SHA1: 1dd8ef1a6365a30896bfb339caafd298a0d146f0
SHA256: 2fac2937abb8ae4abb53d414a3494a1841bdc97a2928628ad4e01368e5158a42
SHA512: ccf629d6215b789cd6c3b33b33165e0edf60670a0a2d809a00fe90c1eba3931374c3b55ff1f99c4649924e327110a23828662e16be45a10f456d89514160eac0
SSDEEP: 98304:6BOc/4Ib9mLM0kHQ+kk63RyWATDoTs6qIhMOZ5U:sOc/J4M0sW53YrhgmOZ5U
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe

Executes dropped EXE (3 IoCs)
5092 StartIsBackCfg.exe
1168 startscreen.exe
1076 StartScreen.exe

Loads dropped DLL (6 IoCs)
1012 StartAllBack.v3.7.7.exe (×4)
4784 explorer.exe
1076 StartScreen.exe

Registers COM server for autorun (1 TTP, 23 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32 StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32\ = "\"C:\\Program Files (x86)\\StartIsBack\\UpdateCheck.exe\"" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32 StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
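What a triager actually wants from the records above is one line per CLSID: which binary COM will load in-process or launch as a local server, and whether that binary sits somewhere an unprivileged user could replace it. The following is an added example for this page (not tria.ge output and not StartAllBack/StartIsBack code): it parses records in the report's own `Set value (str) <key> = "<value>" <process>` / `Key created <key> <process>` form, collects one entry per CLSID, and flags servers outside a machine-wide install root. Four of the sample records are copied from the signature; the fifth, with a placeholder CLSID and a path under AppData\Local\Temp, is constructed only to show what the check flags. The install-root list and the writer-process name on that fifth line are assumptions.

```python
import re

# Constructed sample input: four records copied from the "Registers COM server for autorun"
# signature of this report (one per line; the report flattens them), plus ONE constructed
# record (placeholder CLSID, path under %TEMP%, process "constructed.exe") that is NOT in
# the report and exists only to show what the writable-location check flags.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32\ = "\"C:\\Program Files (x86)\\StartIsBack\\UpdateCheck.exe\"" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dropper.exe" constructed.exe
'''

# One IoC record: "<op> <key>[ = "<value>"] <process>". Keys in this report contain no
# spaces, so the key ends at the first space; the value may contain escaped quotes.
RECORD_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<val>.*)")?'
    r' (?P<proc>\S+)$'
)

# A COM server key: ...\CLSID\{guid}\InprocServer32 or \LocalServer32, optionally followed
# by a value name. An empty name after a trailing backslash is the key's default value.
COM_KEY_RE = re.compile(
    r'\\CLSID\\\{(?P<clsid>[0-9a-f-]{36})\}\\'
    r'(?P<kind>InprocServer32|LocalServer32)'
    r'(?:\\(?P<name>[^\\]*))?$',
    re.IGNORECASE,
)

# Assumption: binaries under these roots need admin rights to replace; a COM server
# anywhere else is a persistence point an unprivileged process could hijack.
INSTALL_ROOTS = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')


def unescape(value):
    """Undo the report's escaping of quotes and backslashes and drop the outer quotes."""
    return value.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def parse_ioc_lines(text):
    """Parse one record per line into dicts; raise on a line the grammar does not cover."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f'unparsed IoC record: {line!r}')
        records.append(m.groupdict())
    return records


def com_servers(records):
    """Map lower-cased CLSID -> {kind, path, threading, process} for every COM server key."""
    servers = {}
    for rec in records:
        m = COM_KEY_RE.search(rec['key'])
        if not m:
            continue
        kind = 'LocalServer32' if m['kind'].lower() == 'localserver32' else 'InprocServer32'
        entry = servers.setdefault(m['clsid'].lower(), {
            'kind': kind, 'path': None, 'threading': None, 'process': rec['proc']})
        if rec['val'] is None:          # "Key created": nothing to record yet
            continue
        name = (m['name'] or '').lower()
        if name == '':                  # default value = the server binary
            entry['path'] = unescape(rec['val'])
        elif name == 'threadingmodel':
            entry['threading'] = unescape(rec['val'])
    return servers


def com_binaries(servers):
    """Distinct binaries COM will load (DLL) or launch (EXE) for these CLSIDs."""
    return sorted({e['path'] for e in servers.values() if e['path']})


def servers_outside_install_roots(servers):
    """(clsid, path) pairs whose server binary is not under a machine-wide install root."""
    return sorted((clsid, e['path']) for clsid, e in servers.items()
                  if e['path'] and not e['path'].lower().startswith(INSTALL_ROOTS))


if __name__ == '__main__':
    found = com_servers(parse_ioc_lines(SAMPLE_IOCS))
    for clsid, e in sorted(found.items()):
        print(f"{{{clsid}}} {e['kind']:<14} {e['threading'] or '-':<9} "
              f"{e['path'] or '(key created, no path yet)'}")
    print('outside install roots:', servers_outside_install_roots(found))
```

Run over the full 23 records of this report the result is eight CLSIDs, seven in-process ones backed by StartIsBack64.dll and one LocalServer32 ({da3306b1-...}) backed by UpdateCheck.exe, all under C:\Program Files (x86)\StartIsBack, which is consistent with the `/install /elevated` command line seen in the process tree. The check flags nothing for those; only the constructed %TEMP% record trips it.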
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (1 IoC)
File opened for modification C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini StartScreen.exe

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe

Drops file in Program Files directory (14 IoCs)
File opened for modification C:\Program Files (x86)\StartIsBack\StartIsBack32.dll StartIsBackCfg.exe
File opened for modification C:\Program Files (x86)\StartIsBack\Orbs StartIsBackCfg.exe
File opened for modification C:\Program Files (x86)\StartIsBack\Styles StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\StartIsBack32.dll StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\Styles\Plain8.msstyles StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\Styles\Windows 7.msstyles StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\StartScreen.exe StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\Orbs\Windows 7.orb StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\UpdateCheck.exe StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\StartIsBack64.dll StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\Orbs\Shamrock.orb StartIsBackCfg.exe
File created C:\Program Files (x86)\StartIsBack\Styles\Plain10.msstyles StartIsBackCfg.exe

Drops file in Windows directory (2 IoCs)
File created C:\Windows\rescache\_merged\2717123927\1590785016.pri explorer.exe
File created C:\Windows\rescache\_merged\1601268389\715946058.pri SearchUI.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 10 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe
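The signature's note explains why these keys matter: the vendor and product strings in Enum\SCSI device names give a hypervisor away, and a VM-aware sample will read them before deciding whether to run. The following is an added example for this page (not tria.ge code and not the sample's code) that pulls those strings out of the records above and reports what a VM check would learn from this analysis VM: the disk and one optical drive identify as QEMU. Two caveats a practitioner should keep in mind, both visible in the report itself: the process that read the keys is explorer.exe, the Windows shell that the installer restarts and that now hosts the dropped DLL, and Explorer enumerates storage on its own, so this signature by itself does not show the sample probing for a sandbox; and the Msft Virtual DVD-ROM entries are not a hypervisor signal, since Windows' own ISO mount presents the same device on bare metal. The marker list is an assumption; the six sample records are copied from the signature.

```python
import re

# Constructed sample input: six of the ten "Checks SCSI registry key(s)" records from this
# report, one per line (the report flattens them). They cover all four SCSI device
# instances the report shows explorer.exe touching.
SCSI_IOCS = r'''
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe
'''

# Device-instance keys under Enum\SCSI are named <class>&Ven_<vendor>&Prod_<product>\<instance>
# and may be followed by the value that was read (HardwareID, Capabilities, ...).
SCSI_RE = re.compile(
    r'\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)'
    r'\\(?P<instance>[^\\ ]+)(?:\\(?P<value>[^\\ ]+))?',
    re.IGNORECASE,
)

# Assumption: vendor/product substrings that name a hypervisor outright. "Virtual" on its
# own is only a weak signal (Windows' ISO mount appears as Msft Virtual DVD-ROM anywhere).
HYPERVISOR_MARKERS = {'qemu': 'QEMU/KVM', 'vmware': 'VMware', 'vbox': 'VirtualBox', 'xen': 'Xen'}


def parse_scsi_devices(text):
    """Map (class, vendor, product, instance) -> set of value names read for that device."""
    devices = {}
    for line in text.strip().splitlines():
        m = SCSI_RE.search(line)
        if not m:
            continue
        key = (m['cls'], m['vendor'], m['product'], m['instance'])
        values = devices.setdefault(key, set())
        if m['value']:
            values.add(m['value'])
    return devices


def classify(vendor, product):
    """Hypervisor name, 'virtual device (weak signal)', or None for ordinary hardware."""
    s = f'{vendor} {product}'.lower()
    for marker, name in HYPERVISOR_MARKERS.items():
        if marker in s:
            return name
    return 'virtual device (weak signal)' if 'virtual' in s else None


def hypervisor_indicators(devices):
    """Distinct hypervisors that the SCSI vendor/product strings give away."""
    return sorted({classify(v, p) for (_, v, p, _) in devices
                   if classify(v, p) in HYPERVISOR_MARKERS.values()})


if __name__ == '__main__':
    devs = parse_scsi_devices(SCSI_IOCS)
    for (cls, vendor, product, inst), values in sorted(devs.items()):
        print(f'{cls:<6} {vendor:<5} {product:<16} {inst:<22} '
              f'{classify(vendor, product) or "real hardware"}  read={sorted(values)}')
    print('hypervisor indicators:', hypervisor_indicators(devs))
```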
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
4640 schtasks.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe

Kills process with taskkill (8 IoCs)
4828 taskkill.exe
204 taskkill.exe
3816 taskkill.exe
4844 taskkill.exe
4788 taskkill.exe
3140 taskkill.exe
4796 taskkill.exe
4812 taskkill.exe
Modifies registry class (64 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\ImplementsVerbs = "startpin;startunpin" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\ShellFolder StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ShellFolder StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\Position = "Bottom" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSILink\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\ = "Start Menu Pin" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID StartIsBackCfg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ShellFolder\Attributes = "672137216" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449} StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment" StartIsBackCfg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder\Attributes = "2684354560" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell\open StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32 StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sib-reactivate\shell\open\command StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open\MuiVerb = "@twinui.dll,-1321" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Command StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\System.ControlPanel.Category = "1" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete\Position = "Bottom" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sib-reactivate\shell\open\command\ = "\"C:\\Program Files (x86)\\StartIsBack\\StartIsBackCfg.exe\" /reactivate %1" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\MuiVerb = "@appresolver.dll,-8504" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell\open\command\ = "\"C:\\Program Files (x86)\\StartIsBack\\StartIsBackCfg.exe\" /activate %1" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\MuiVerb = "@shell32.dll,-30329" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\AppliesTo = "System.AppUserModel.RunFlags:=1 OR System.AppUserModel.RunFlags:=3" StartIsBackCfg.exe
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9} StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\Shell\Open\Command\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBackCfg.exe" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell\open\command StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df957}\TreatAs\ = "{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\Shell StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\StartIsBack.UpdateToast StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\Command StartIsBackCfg.exe
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32 StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\MuiVerb = "@appwiz.cpl,-173" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\Command StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ = "Settings Pages" StartIsBackCfg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ShellFolder\Attributes = "2684354560" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E} StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ = "StartIsBack All Programs Folder" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA} StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB} StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open\ = "Open" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\ = "Uninstall Modern App" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F} StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\System.ApplicationName = "StartIsBack.Config" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete\Command StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\MuiVerb = "@shell32.dll,-16534" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\StartIsBack.UpdateToast\DisplayName = "StartIsBack" StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32\ = "\"C:\\Program Files (x86)\\StartIsBack\\UpdateCheck.exe\"" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication StartIsBackCfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}" StartIsBackCfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9} StartIsBackCfg.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Token: SeDebugPrivilege 4796 taskkill.exe
Token: SeDebugPrivilege 4812 taskkill.exe
Token: SeDebugPrivilege 4828 taskkill.exe
Token: SeDebugPrivilege 204 taskkill.exe
Token: SeDebugPrivilege 3816 taskkill.exe
Token: SeDebugPrivilege 4844 taskkill.exe
Token: SeDebugPrivilege 4788 taskkill.exe
Token: SeDebugPrivilege 3140 taskkill.exe
Token: SeTakeOwnershipPrivilege 5092 StartIsBackCfg.exe (×3)
Token: SeShutdownPrivilege or SeCreatePagefilePrivilege 4784 explorer.exe (32 entries, each enabling one of the two)

Suspicious use of FindShellTrayWindow (35 IoCs)
5092 StartIsBackCfg.exe (×2)
4784 explorer.exe (×32)
1076 StartScreen.exe (×1)

Suspicious use of SendNotifyMessage (14 IoCs)
4784 explorer.exe (×14)

Suspicious use of SetWindowsHookEx (1 IoC)
5072 SearchUI.exe

Suspicious use of WriteProcessMemory (38 IoCs)
writer PID (process) -> target PID (process, from the process tree), procid_target, occurrences
1012 StartAllBack.v3.7.7.exe -> 5092 StartIsBackCfg.exe (72) ×3
5092 StartIsBackCfg.exe -> 1168 startscreen.exe (73) ×3
5092 StartIsBackCfg.exe -> 4796 taskkill.exe (74) ×3
5092 StartIsBackCfg.exe -> 4812 taskkill.exe (77) ×3
5092 StartIsBackCfg.exe -> 4828 taskkill.exe (79) ×3
5092 StartIsBackCfg.exe -> 204 taskkill.exe (81) ×3
5092 StartIsBackCfg.exe -> 3816 taskkill.exe (83) ×3
5092 StartIsBackCfg.exe -> 4844 taskkill.exe (85) ×3
5092 StartIsBackCfg.exe -> 4788 taskkill.exe (87) ×3
5092 StartIsBackCfg.exe -> 3140 taskkill.exe (89) ×3
5092 StartIsBackCfg.exe -> 4640 schtasks.exe (91) ×3
1012 StartAllBack.v3.7.7.exe -> 4784 explorer.exe (93) ×2
4784 explorer.exe -> 1076 StartScreen.exe (94) ×3
Processes
C:\Users\Admin\AppData\Local\Temp\StartAllBack.v3.7.7.exe (PID 1012)
  command line: "C:\Users\Admin\AppData\Local\Temp\StartAllBack.v3.7.7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBackCfg.exe (PID 5092)
    command line: "C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBackCfg.exe" /install /elevated /silent
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\STARTISBACK\startscreen.exe (PID 1168)
      command line: startscreen.exe /stop
      - Executes dropped EXE
    C:\Windows\SysWOW64\taskkill.exe (PID 4796)
      command line: taskkill.exe /F /IM startscreen*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 4812)
      command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 4828)
      command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 204)
      command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 3816)
      command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 4844)
      command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 4788)
      command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 3140)
      command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (PID 4640)
      command line: schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\Admin\AppData\Local\Temp\sibtask.xml"
      - Creates scheduled task(s)
  C:\Windows\explorer.exe (PID 4784)
    command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\StartIsBack\StartScreen.exe (PID 1076)
      command line: "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Suspicious use of FindShellTrayWindow
    C:\Windows\system32\taskmgr.exe (PID 3212)
      command line: "C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (PID 5072)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Downloads
Filesize: 295KB
MD5: ef55e07e1a2e47bb2bb749046cd150b2
SHA1: 68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa
SHA256: 1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5
SHA512: 9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e

Filesize: 34KB
MD5: 641328c75e6b117545211db22dafcaa0
SHA1: df4061f2b30b8cce58c2446cd6e8b86968ab46d0
SHA256: 76a72c9ad77843b58223dd588483ac1265a31c15aaeb47ee66d1925de787644b
SHA512: 54f265edd24cb26b4a550f65f8c3a70acc4fe2a95e03a43c14919d2b67f817162cdbd06aa9ccef86942f04a7e115b70b44164e83001f965cd7a627a06186d6b9

Filesize: 295KB
MD5: 85328e698e8a74852b4061a683915dc8
SHA1: b898267f8574a34e6d605e541e5234c27dd53f5d
SHA256: e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275
SHA512: 03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

Filesize: 563KB
MD5: e4b19c388cf6d649053e7f018388b9a4
SHA1: 9114450f106c4e274c335f4e5d41fe40380a9607
SHA256: 6405b9ad8b1557381de5a3d51502f408891283ba22ad45166343261e703bee07
SHA512: f990a6765a3bc8c3d36d8617e68237d83cd2cca4e05a71389f4381e6ef8b2c96cc9f04a6f9db74a9af95f30bfd36c72394acff8718e8ab6d16581eafd68ab51e

Filesize: 667KB
MD5: 7ca847e6522f074352eadc0b62eb3399
SHA1: 84fadc794964373f4098a474c3829d5d1953e07a
SHA256: 584d631fa9f62873409cc51777fbbe8df673887a8af0a092d4b0523da512e577
SHA512: 6c0e8a38a394309fcbb66d9da372cd35114b5a0aea397324f629fbb18866eaa934119483d5048dcb487377cd2d47d85ee23611aae84947a025b494a53bfcd20a

Filesize: 2.3MB
MD5: 54873041460fa7a27cfb5008239e11f9
SHA1: c4fd1fa77a5e079f19cfaed945a83b65bc55431a
SHA256: 3b946870b669af9837a27204e72ebe8e42a3503a6ee4da3822672ff54bdad0c5
SHA512: 78fc2b84dc42e86bec9e802f6a96a3507802a033b54429ac0d2c65b726edfb0dc3ee1cf5c57dde455a5ffa36b49ebf9c1ff4335b5b7fab70b9609d903e59ca8a

Filesize: 48KB
MD5: a69385279536210958fb9c86cab229d6
SHA1: 6ecb118cfb9b8ef42c79aa0d795c3d8b51f0341d
SHA256: 3955fc60d3b7c4a1badd831fde82269261407cf9d459c65b429e8abc769adeed
SHA512: f1cf5b1ec22416e645c0dfc128c25166585e300a8db2de6ec51e0689e26e54831dcf2b26a03115423b9b71f1b109389a3e14173fe0a8bbebc2547f9ca33cd412

Filesize: 118KB
MD5: 509fd060516d1971da8d0c2173748358
SHA1: 67ccd63914312b1f491467bec42232916df109c7
SHA256: 43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442
SHA512: de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6

Filesize: 405KB
MD5: b6a2892c151ccd59d0b4c4c1777daac5
SHA1: b34791b4db3956620dffb2e11e1fa160e2d20889
SHA256: 0c6e681a8091ba888e58473cceeae590c88a405bb30dcb344f940acf27290ce8
SHA512: e8fc5c96d155bf9657c07d861e2597d681a23ce1d46ec3e779251126e989be41c883e0545e80b5291c96a3ead4eb6c2affe8b419abb506bc5e5376fe2fa212ae

Filesize: 3KB
MD5: f9756c261aa978c787302debff8f142a
SHA1: 81b5b130741d5df2feccd67bb6edb1a9d08d48aa
SHA256: a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319
SHA512: 20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3

Filesize: 71KB
MD5: a2d6e2201be02973328038457aa64bba
SHA1: 684338bd758a92449d43c49a0aa539f323760215
SHA256: f4e76abf0df055fae97863708412773b51197bae0ddd9692a9509e824d847df0
SHA512: 21002b3b3cd01beb923692addaef4e5d0fcbee972154e25bea2c4ece591185bf8e6221959fbcc772fc7e7f73dce18747909dcd9c04423a0ade70f6cfba72f135

Filesize: 3KB
MD5: 331691375e3eb33ed12214c26797c23f
SHA1: 3719bd8407dcc0a40f5d9eedc927eea80d0ef9e4
SHA256: 2ffd12fcc5e8c87af2f14605602e8602dcfa2d5638ad6bd690e0a1014fe2c772
SHA512: e002ce601db8cb4a3ad3ce02812752f5c547739df2aa2501de248899775a939a7a6652a3695a0a56b6cc3b2d599230f3278f1d8fad19066be30ee0ddedc2d7ff

Filesize: 80B
MD5: 8011052ff701a0c4439ee18450e8e51d
SHA1: a4893c2482522ccc3dee1c95ce644d8e1090d6ae
SHA256: b901f0d5c24c25f334690f540b2a62d3e9c76226bdc183d45422e3237cc36051
SHA512: c1712b4ea2fb42f38e76adaed613890f5e707a1ca495c87da506d423b3141a463fff034b1ae80824f6f8db776a9181f27d5f3f5a6cb94a1ab87ac0babe10d2c9

Filesize: 5KB
MD5: 109b201717ab5ef9b5628a9f3efef36f
SHA1: 98db1f0cc5f110438a02015b722778af84d50ea7
SHA256: 20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319
SHA512: 174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Filesize: 12KB
MD5: 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1: 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256: 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512: ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Filesize: 9KB
MD5: ec9640b70e07141febbe2cd4cc42510f
SHA1: 64a5e4b90e5fe62aa40e7ac9e16342ed066f0306
SHA256: c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188
SHA512: 47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Filesize: 24KB
MD5: 2b7007ed0262ca02ef69d8990815cbeb
SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256: 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512: aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca