Overview

overview

8

Static

static

1

URLScan

urlscan

1

http://www.restuner....

windows10-1703-x64

8

Analysis

  • max time kernel
    57s
  • max time network
    37s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-05-2024 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://www.restuner.com/download.htm

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 41 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.restuner.com/download.htm"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://www.restuner.com/download.htm
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="428.0.767824752\1096448736" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a282283e-423c-4e45-b73a-d196d635ccd1} 428 "\\.\pipe\gecko-crash-server-pipe.428" 1796 2d3516fd958 gpu
        3⤵
          PID:2460
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="428.1.1470517192\436916406" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee897ba6-9832-44e8-9b09-25fb177cb702} 428 "\\.\pipe\gecko-crash-server-pipe.428" 2172 2d33f371358 socket
          3⤵
            PID:5116
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="428.2.635068040\1348135235" -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 2748 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a5aa96b-639c-41d8-8d23-d70b0eca03fb} 428 "\\.\pipe\gecko-crash-server-pipe.428" 2740 2d3557d2258 tab
            3⤵
              PID:2220
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="428.3.281105749\1844229521" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59d348ae-c8a4-4265-979a-da12e2fd1346} 428 "\\.\pipe\gecko-crash-server-pipe.428" 3576 2d33f362558 tab
              3⤵
                PID:3408
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="428.4.201837788\1724883722" -childID 3 -isForBrowser -prefsHandle 4740 -prefMapHandle 4720 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {033a105f-9acc-487f-87b5-4acc60df42c5} 428 "\\.\pipe\gecko-crash-server-pipe.428" 4752 2d358568a58 tab
                3⤵
                  PID:4968
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="428.5.1201437587\1752089568" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7afa2370-91ea-4cf2-87de-f3b8a20fe39e} 428 "\\.\pipe\gecko-crash-server-pipe.428" 4884 2d358568d58 tab
                  3⤵
                    PID:4896
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="428.6.309599764\845129090" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d41ed28-7ea4-4945-bca3-9c9d9416c46a} 428 "\\.\pipe\gecko-crash-server-pipe.428" 5072 2d3588de358 tab
                    3⤵
                      PID:4676
                    • C:\Users\Admin\Downloads\ResTuner_setup.exe
                      "C:\Users\Admin\Downloads\ResTuner_setup.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:3936
                      • C:\Users\Admin\AppData\Local\Temp\is-K1GLO.tmp\ResTuner_setup.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-K1GLO.tmp\ResTuner_setup.tmp" /SL5="$70160,4613100,826880,C:\Users\Admin\Downloads\ResTuner_setup.exe"
                        4⤵
                        • Executes dropped EXE
                        • Modifies system executable filetype association
                        • Drops file in Program Files directory
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        PID:1420
                        • C:\Program Files (x86)\Resource Tuner\restuner.exe
                          "C:\Program Files (x86)\Resource Tuner\restuner.exe"
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:2304

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Resource Tuner\Plugins\unnspack.dll
                  Filesize

                  206KB

                  MD5

                  cdb515328dadf0b2b5041d3ea80a6de3

                  SHA1

                  f4d36b054758a37a719afb7f93df0d5893dd45f7

                  SHA256

                  e738149ffc5e859bb32cbf4af5d64a46b80bc3bfa31636cc8185bf8499bec744

                  SHA512

                  50ddd48c1aabca31b89ec5818b56b3b2d7641a0c46c10dfb0f913fa2b357b7094e64846abbcb79d83a7bb9f0a385504c1a6c05b8c1f135f23aff0a0ea9fd6b1f

                  Download Submit

                • C:\Program Files (x86)\Resource Tuner\core.dll
                  Filesize

                  1.7MB

                  MD5

                  3e1a7da7135ded0be8ab949883cfb1c7

                  SHA1

                  b8f0c8cb460407cc577281fb400b06da2dcd10eb

                  SHA256

                  965045a7901e38f57beec8e8667591df5ef708ae8576322621c0223db9150ec3

                  SHA512

                  b8e1ff0a7129bef0147708aa9c6ae3ce9b1fd75602333b9c0603f2e7419deec9d678d34e69a37e6b1022e2aa30cec505771da63175043ff55e6b9cc308c904ac

                  Download Submit

                • C:\Program Files (x86)\Resource Tuner\langpack.dat
                  Filesize

                  276KB

                  MD5

                  901156f7624b73f9df2ff9b4428619c7

                  SHA1

                  7455e4860854748c6bad01257360c45e2033f8ee

                  SHA256

                  a48b2a38e8784d7f0e1e707192b10e269886179a4ff8478f1b77021c190ef600

                  SHA512

                  a83b379e8ad0cf9df8517e0e39c8ece50392d2f664fac00d8b9fd31a03c7aaf0aff2a860d33e1261be78765fd3ac58cc7d233344ef1366a2ba21b2ff712bedf3

                  Download Submit

                • C:\Program Files (x86)\Resource Tuner\restuner.exe
                  Filesize

                  4.5MB

                  MD5

                  635d7ef2dbf9e728574eda66ea618ab5

                  SHA1

                  b83388cae94813a9ea7915a221b46a7b26691b93

                  SHA256

                  114326f12d974aab3eccbeaacdfc83de9519224188c7c9d8a53a9ba6cc44a09e

                  SHA512

                  c287a79e3ff49294e6bf664496dc52a63156fd6b0e385a4d14d708fe2b8bf720d734d4e079addc69b66fbfde6f27a273e709f8f8c665a452b4685d0c0a80a04c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-K1GLO.tmp\ResTuner_setup.tmp
                  Filesize

                  3.0MB

                  MD5

                  4cf38b196d9c282483322a1c8817181c

                  SHA1

                  33b5ba25352edd8c58cefa4f42fe8d54e8e56ef7

                  SHA256

                  6365d59d52386e20b92a7e07efa094591f5d59d1999970903c0b0c4a18361524

                  SHA512

                  23660191e84bd174a3dfd01aea618e705e4c22c39d16300ff69fb749d2882fa62ba17ae99d10cb82186c9b614b1ee1441e3580f818ca037f8656d3770808ea3f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  7d478b6f84a7db7ed5ea6247c3e8e77b

                  SHA1

                  4c33a57649780f62e94513a6a63a9b0d1ef7b3ec

                  SHA256

                  b0d1f9fb237b4f5d8ce9964a5d701eb766af70187e9591c91046e3a3ce62cab4

                  SHA512

                  1f0e30a72d26d2ed70e840f648b12ca3379d323fb00ec620607a8f8a9db49b3cb25f1a55ae9c5b17e3d36a496251bf512d36b1f5efe2722538a750eb41588540

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\22455e00-01ad-4d9f-9af5-0dd0f2ba9307
                  Filesize

                  10KB

                  MD5

                  a12de5f81c4e86d857973f45d6c38bea

                  SHA1

                  a0d688dc9020296d9888775281639b2525438e24

                  SHA256

                  243982420a69afe847c41835464c0f0fbbea4e4addac885e4d80cf2bccf31aa3

                  SHA512

                  af44919824e0b3e3eaf818da57c2dd1205d22c725f9f6d936e6740faf8b597da78a3059fa2e6b3714822c6f581feac05a752764a44956ebb08ea574f2787b41e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\4a5f6ff9-fa72-4469-8f7e-f15c4e197162
                  Filesize

                  746B

                  MD5

                  884d3e82087b537fae681168697d4d30

                  SHA1

                  ad5b898a0b353e4de02cab7e78e6d45af62a2c31

                  SHA256

                  c6d00327864dfbf4eb69e4fc4bb5a8f8da717d1afeb26a4b88dd31ffc81dd6ff

                  SHA512

                  0f3f2042da5c785d17ae91f545e77984cfc2f08d32ceb3ae01f70167d1edbf044e88006a20a52bc200033d6c20e4902425772e912c73abd745dce285a8cea0fa

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  fdff32d26688322996783dee13afbff4

                  SHA1

                  0d99427cdd2000cde3cc97835faa15b0a85c89f5

                  SHA256

                  2143ee920e5ff7e83c7a33414e5b714a29ade11847e41d0b5af65317fdee8fbf

                  SHA512

                  0460b889cd270a7755833b4e7152fcc55f4ffe82d1acbde69bce101ea174729a567243a3ac08e5afddf1c23a9a89e3eb204d7131cf9c261f8efc2d7d7e5d84eb

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  747d67d748d25a79d3246b1f43f8bcb2

                  SHA1

                  b0cce67814709ef50c90064fa03175a7ac125527

                  SHA256

                  60de9d1fd56b62107fa3e392645b3e1651b9047c5b20026e008db2329d561507

                  SHA512

                  db2bffb22dfd4926ad914fd8bbbd067093d0cd94e371dbb06bb54ad4f4c7906aae4d128a0feaf6cf560c026c393ce7e291f9e64c1b78a1a02c5a3dcad020561d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  5KB

                  MD5

                  13456e0c2459daf7463a8c4137729bc6

                  SHA1

                  a08d2c90c46eba52ed3a2867e28dc9b68806e0ad

                  SHA256

                  d11ee1d50d3b286fd97a4cdcfd4917edc20f5bbc7d8f51c4e00a0ca432f55cfb

                  SHA512

                  a2979249e3493546c6c404e06ae14cb4c644b9da77d08e3b9a08df79e0e8f8f5a909aa9397b7533b6a47616df7641c4cba1e8ad89c5bf5f77d1a0e6748ff274a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  184KB

                  MD5

                  f72c2c8a738f1bdd4a5e24326ff248df

                  SHA1

                  d60277881f6b36509d709948fcf7ed3ec3da74a6

                  SHA256

                  06575a0a693c9e0f265fcf03ee5b6ced4dd922ac999f5d767a9a7d92fb199082

                  SHA512

                  7fa2cc3e4f6e6f9c77fc12e188a0ef4e5dfd9079e1ddd2d689669513bd2e512136ac4485b34aa0ed8587c8cd519572d31eb2496b4091e229b6c339bf25c27d6a

                  Download Submit

                • C:\Users\Admin\Downloads\ResTuner_setup.exe
                  Filesize

                  5.4MB

                  MD5

                  2181bbdd15d2b4962f1664fe0e251446

                  SHA1

                  aff5d93cdb7b815742bd3ae93c002a7d35fdaf37

                  SHA256

                  f7d638cb8587338cc2844fa9bb25ed403312f098df7897dcfe867e35705dc5c2

                  SHA512

                  f48118014773e42115ef0dff20e58533bf276826c0a9582e41df9d0ac6d3db96e09b1c9ac66fe70ca04203f9dfb788af1cdf848e5f11f71c30708cf5fca0ed1a

                  Download Submit

                • \Program Files (x86)\Resource Tuner\PLUGINS\unupack.dll
                  Filesize

                  205KB

                  MD5

                  bd7f86fe96b5217d94d5db7e560c9b54

                  SHA1

                  94cb90a1df78cd4070c953dde7763ed42c8c4ac2

                  SHA256

                  fb3428bc9832025cec1eacd4598d4b2f7e304aa7cf68df1dada64c1bed1589a6

                  SHA512

                  078a6be376e6ec06fb2eb3acdd3a1dae35ed53937249ae5fac9244bc751b144ce9d7e75c196b7f46d1988d0c7b03be41caf99d61b70e23c82350e5aab280e684

                  Download Submit

                • \Program Files (x86)\Resource Tuner\PLUGINS\unupx.dll
                  Filesize

                  275KB

                  MD5

                  1457ef3969bc2c702a9885993f132005

                  SHA1

                  3bbb1ed4bd7b5890384e048190109cc3a847f7ad

                  SHA256

                  5de37e4ed5fb019772f3f1844f6521516dad483074da3defda31dfab1e52158f

                  SHA512

                  2adb9c7a17d84aa22f039d278d117beaa5d15f2f5229614cc0bc85319a80de0ec16239f8f48a8abe977ed18f1a7a3eb2d05fbaa068312b686b76247cd232c48a

                  Download Submit

                • memory/1420-168-0x0000000000400000-0x0000000000713000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/1420-177-0x0000000000400000-0x0000000000713000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/1420-237-0x0000000000400000-0x0000000000713000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/1420-221-0x0000000000400000-0x0000000000713000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2304-245-0x0000000000400000-0x0000000000884000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/2304-249-0x0000000061400000-0x000000006144E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/2304-248-0x0000000061480000-0x00000000614BC000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/2304-247-0x0000000061500000-0x000000006153C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/2304-246-0x0000000061800000-0x00000000619B6000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/3936-176-0x0000000000400000-0x00000000004D7000-memory.dmp

                  Filesize

                  860KB

                  Download

                • memory/3936-163-0x0000000000401000-0x00000000004B7000-memory.dmp

                  Filesize

                  728KB

                  Download

                • memory/3936-160-0x0000000000400000-0x00000000004D7000-memory.dmp

                  Filesize

                  860KB

                  Download

                • memory/3936-238-0x0000000000400000-0x00000000004D7000-memory.dmp

                  Filesize

                  860KB

                  Download