4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SchooisMultitoolSetup.exe
Size

421KB
MD5

22a4e07eda10238a87e7effd7b12926d
SHA1

232499c11afbb30ba211c0cab9466c6d2f4e0b66
SHA256

4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580
SHA512

cc63c63e47e36950334ce8f41d29db70e0018d71215aac2a73e71402ccded0f0bc7b5de696c52fe5adac1249229a0ca9e30f5743df32ceea13b2f1ecea960e74
SSDEEP

12288:XfYis11Dexvq/deq8PeP4M4b9wOGfaehcJf+y8JeUfYR:XfYis11Dexvq/deq8PeP4bpaKp+yhFR

Score

7^/10

discovery execution

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

SchooisMultitoolSetup.exe

pid process

2404 SchooisMultitoolSetup.exe
2404 SchooisMultitoolSetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

784 powershell.exe
1772 powershell.exe
1820 powershell.exe

pid	process
2404	SchooisMultitoolSetup.exe
2404	SchooisMultitoolSetup.exe

pid	process
784	powershell.exe
1772	powershell.exe
1820	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

SchooisMultitoolSetup.execscript.exepowershell.execscript.exepowershell.exe

description	ioc	process
File created	C:\Program Files\SMT\Files\Apps\chrome.bat	SchooisMultitoolSetup.exe
File opened for modification	C:\Program Files\SMT\Files\config\settings.ini	cscript.exe
File created	C:\Program Files\SMT\CODE_OF_CONDUCT.md	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\GPEE.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\IPLogs.txt	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\music.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\SuperF4.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\bts.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\dflc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\ss.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\taskmanager.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\sut.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\geek.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\.gitignore	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Malwarebytes-Premium-Reset.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Newtonsoft.Json.dll	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\bfc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\db.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\mystery.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\suc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\CommandLineGame.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\PasswordGenerator.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\WD.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\hibern.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\iplog.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\s32.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\UPPPE.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\WA.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\autorespo.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\isgen2.txt	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\BR.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\uacd.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\uta.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\logo.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\ps7.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\config\settings.ini	SchooisMultitoolSetup.exe
File opened for modification	C:\Program Files\SMT\Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\SMT\Files\SMBBruteforcer.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\URLShortener.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\cm.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\isg.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\wifipasses.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\pswin7.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\fastfetch.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\config\version	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\SECURITY.md	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\emv2ae.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\logo.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\rcmc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\rockyou.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\ctt.bat	SchooisMultitoolSetup.exe
File opened for modification	C:\Program Files\SMT\Files\config\settings.ini	cscript.exe
File created	C:\Program Files\SMT\Files\Apps\wintoys.bat	SchooisMultitoolSetup.exe
File opened for modification	C:\Program Files\SMT\Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\SMT\uninstall.log	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\InfoFinder.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\ednsc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\ini.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\speak.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\trt.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\isgen.txt	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Schnuker\install.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\nsl.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\zicrack.bat	SchooisMultitoolSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetimeout.execmd.exefindstr.execmd.execmd.execmd.execscript.exePING.EXEpowershell.exepowershell.execmd.execmd.execmd.execscript.execscript.execmd.exepowershell.exefind.execscript.exeSchooisMultitoolSetup.execmd.exefindstr.execscript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SchooisMultitoolSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2272 PING.EXE
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

816 timeout.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2272 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

784 powershell.exe
1820 powershell.exe
1772 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 784 powershell.exe
Token: SeDebugPrivilege 1820 powershell.exe
Token: SeDebugPrivilege 1772 powershell.exe

pid	process
2272	PING.EXE

pid	process
816	timeout.exe

pid	process
2272	PING.EXE

pid	process
784	powershell.exe
1820	powershell.exe
1772	powershell.exe

description	pid	process
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SchooisMultitoolSetup.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2404 wrote to memory of 1064	2404	SchooisMultitoolSetup.exe	cmd.exe
PID 2404 wrote to memory of 1064	2404	SchooisMultitoolSetup.exe	cmd.exe
PID 2404 wrote to memory of 1064	2404	SchooisMultitoolSetup.exe	cmd.exe
PID 2404 wrote to memory of 1064	2404	SchooisMultitoolSetup.exe	cmd.exe
PID 1064 wrote to memory of 280	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 280	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 280	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 280	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 536	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 536	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 536	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 536	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2792	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 2792	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 2792	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 2792	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 2372	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2372	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2372	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2372	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 3008	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 3008	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 3008	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 3008	1064	cmd.exe	findstr.exe
PID 1064 wrote to memory of 2376	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2376	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2376	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2376	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1632	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1632	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1632	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1632	1064	cmd.exe	cmd.exe
PID 1632 wrote to memory of 1864	1632	cmd.exe	cscript.exe
PID 1632 wrote to memory of 1864	1632	cmd.exe	cscript.exe
PID 1632 wrote to memory of 1864	1632	cmd.exe	cscript.exe
PID 1632 wrote to memory of 1864	1632	cmd.exe	cscript.exe
PID 1064 wrote to memory of 2492	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2492	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2492	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2492	1064	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2268	2492	cmd.exe	cscript.exe
PID 2492 wrote to memory of 2268	2492	cmd.exe	cscript.exe
PID 2492 wrote to memory of 2268	2492	cmd.exe	cscript.exe
PID 2492 wrote to memory of 2268	2492	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1844	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1844	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1844	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1844	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1144	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1144	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1144	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1144	1064	cmd.exe	cscript.exe
PID 1064 wrote to memory of 2496	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2496	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2496	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2496	1064	cmd.exe	cmd.exe
PID 2496 wrote to memory of 784	2496	cmd.exe	powershell.exe
PID 2496 wrote to memory of 784	2496	cmd.exe	powershell.exe
PID 2496 wrote to memory of 784	2496	cmd.exe	powershell.exe
PID 2496 wrote to memory of 784	2496	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1820	1064	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1820	1064	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1820	1064	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1820	1064	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SchooisMultitoolSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SchooisMultitoolSetup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\SMT\SchooiMultitool.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo echo C:\Program Files\SMT\ "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:536
- - C:\Windows\SysWOW64\findstr.exe
    findstr "Program Files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo echo C:\Program Files\SMT\ "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Windows\SysWOW64\findstr.exe
    findstr "System32"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call ini.bat /i hex /s TerminalColor config\settings.ini
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalColor" "hex" "" "" ""
      4⤵
      System Location Discovery: System Language Discovery
      PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call ini.bat /i coloring /s TerminalTextColoring config\settings.ini
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalTextColoring" "coloring" "" "" ""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2268
- - C:\Windows\SysWOW64\cscript.exe
    cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalTextColoring" "coloring" "false" "true" ""
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1844
- - C:\Windows\SysWOW64\cscript.exe
    cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalTextColoring" "hex" "false" "true" ""
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell Get-ExecutionPolicy
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ExecutionPolicy
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 -w 700 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2272
- - C:\Windows\SysWOW64\find.exe
    find "TTL="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "irm https://raw.githubusercontent.com/SchooiCodes/smt/main/Files/config/version -OutFile C:\Users\Admin\AppData\Local\Temp\version"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call ini.bat /i resizing /s TerminalResizing config\settings.ini
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalResizing" "resizing" "" "" ""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /NOBREAK
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SMT\Files\config\settings.ini

Filesize
104B

MD5
76bce085a9f1c3c94a5d984fe7e6d1c9

SHA1
bbac6f8eef17c58590d786e8387a6ebf28fc7cad

SHA256
1b5075e020bb4a27f583db12ee9e62256b655fc415feb1935dde5cabde04cb48

SHA512
fe0afe4aebe3deef8c4b2fe2d2bec903e5efacace9859bceaadbc59908187d22f90a0c0632c5561423c4ba73f54b6e28d81a937bda2e1e6b3030555b0b7c23ef

Download Submit
C:\Program Files\SMT\Files\config\settings.ini

Filesize
105B

MD5
5b713b55207163bb17d926f393a86ac8

SHA1
1062278a306e13467af57ed9d798427e7bae0cac

SHA256
c89ad579cdcc61156d9e1e56f5edc981deba9f3a778ad85ab4bb92eaea7f8f2e

SHA512
e37cf63e005ab99a687ef839ce40c82d3bdf8d5aa2ab3abab518125997ebdeaca2b383a170cdb34a6a21f33b7f32b78e7050598daab3307435c535f3437d7aa0

Download Submit
C:\Program Files\SMT\Files\config\settings.ini

Filesize
116B

MD5
062038ed3ee482057daecabcbe52b7d6

SHA1
a0e2109a73a30578bd565f26232fda2b57a3aeee

SHA256
04ebad727e321316cd3ca497e4f467f3a649e5f7e42efd16acf92eb6a33b7d15

SHA512
84e681b54240087fb817201802aba39e9b9b5fb8feaac4a8cc5796849144870451cb01e96f5d7a609b03e8dc1458c920a6d986841a1bde14e079cb44b79ce3b5

Download Submit
C:\Program Files\SMT\Files\config\tcoff.bat

Filesize
419B

MD5
6206ec3a3eaf233ebd5e2a70470ff867

SHA1
9151ddf7b96ac3644a393d2fb83363973a03dbc8

SHA256
7f450a7627e46c0caa1be13a0373ef0036d50d90be0d18e4dd242bcb00787676

SHA512
e8454761faa35aa715c0376f38ddc54565065837890f8b6cc0374c5ad77816247093bda279d19ccfb641773a4a9191c395062a4c0eb9073b07056c38e79d49ad

Download Submit
C:\Program Files\SMT\Files\ini.bat

Filesize
7KB

MD5
2b6992974a85b0b13124ff5106e60b29

SHA1
98d6874af78cbe78cf3dc20205158ad63d302cda

SHA256
95ea49c7c0382703df254bfd1f30b3b51926f2345ee6d6d10b7fcad738a7dcfe

SHA512
be6b293bc64ed7ce311796beb0ecfc7ce0038b508a97a4abcef4350175a724fc3a603e4d977f1adfac99d22f5298af853f000d1b88e7717680b7234d8c3df243

Download Submit
C:\Program Files\SMT\Files\logo.bat

Filesize
3KB

MD5
e96569aa0cc42136bd51bc79455c945b

SHA1
cbb7839981a2b7a9576ea20600183e5f0b3fa23f

SHA256
1b0d647d3f677db2b4bbb598ba9a1f78f5f1d4c5eeda104691a65679b18b7488

SHA512
14343e6bd84f963bc68e45aae0a341c796b2d34a34ef274ce26684118221de5c9da2edba456332e6f95eebfb488890cc7a75e5501978fcc631025db63cc59a13

Download Submit
C:\Program Files\SMT\SchooiMultitool.bat

Filesize
21KB

MD5
eca611b53b57465b571ac863d34726bf

SHA1
c7dd991aee18e95c779c2ed76e7ee280fb58a9b6

SHA256
e3b4e3dec43743b02cda71070a83d446ffe929e2b12e959df1e24697261a453d

SHA512
9aadeef2322aea874378faf971aed3229e042436c9c649e4b098b9f3f6a864df1f2396e5a0ce7057f8f585601bc5ad10112563c7ec02b076d43aeedfd1a59d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF690.tmp\modern-wizard.bmp

Filesize
150KB

MD5
c06f1dc0d75c5e520cb3a41e0fb59581

SHA1
0a09240ca314ec279e7c79001b2ccdf0d70ff819

SHA256
20e6feb5684f9af251ff42ddcaa8a05e09d2f152dfa6a98013970ac12917cfba

SHA512
2c9ef10e81da034cfd4f741bf8848741ad3a00bb409c21f1b2db0d40057e89d815beffdd7575a1be244e5593b2ed72f2661b5d3f942a36c215957d26d16cdc02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e97c591e060f4b4b7db7a063e967e615

SHA1
966b9b4efb0de47b53fbcfa219c3a6c5db151b44

SHA256
9c450649480f73d940edcea8e52e7c65d4a4a5c95485f9fed18162f2a56e3f4b

SHA512
98f898c79b301d9eaf782b2ab4bf95388e1fa30a57c51aa09dff59df5d42972155021622c3c197bf86db333ad8e42a906de6b1b93522375a12d80b59ffb2a9e5

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF690.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF690.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit