4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
93s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SchooisMultitoolSetup.exe
Size

421KB
MD5

22a4e07eda10238a87e7effd7b12926d
SHA1

232499c11afbb30ba211c0cab9466c6d2f4e0b66
SHA256

4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580
SHA512

cc63c63e47e36950334ce8f41d29db70e0018d71215aac2a73e71402ccded0f0bc7b5de696c52fe5adac1249229a0ca9e30f5743df32ceea13b2f1ecea960e74
SSDEEP

12288:XfYis11Dexvq/deq8PeP4M4b9wOGfaehcJf+y8JeUfYR:XfYis11Dexvq/deq8PeP4bpaKp+yhFR

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

34 1624 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

SchooisMultitoolSetup.exe

pid process

4220 SchooisMultitoolSetup.exe
4220 SchooisMultitoolSetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3108 powershell.exe
1624 powershell.exe
3184 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

33 raw.githubusercontent.com
34 raw.githubusercontent.com

flow	pid	process
34	1624	powershell.exe

pid	process
4220	SchooisMultitoolSetup.exe
4220	SchooisMultitoolSetup.exe

pid	process
3108	powershell.exe
1624	powershell.exe
3184	powershell.exe

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

Processes:

SchooisMultitoolSetup.exe

description	ioc	process
File created	C:\Program Files\SMT\Files\Apps\firefox.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\flux.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\config\tcoff.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\gradients.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\logo.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\restart.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\bts.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\sut.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\taskmanager.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\uacd.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\geek.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\GPEE.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\IB.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\cm.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\db.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\uta.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\LICENSE.md	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\bfc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\ini.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\speak.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\hfb.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\pinger.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\rcmcreadme.txt	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\CODE_OF_CONDUCT.md	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Newtonsoft.Json.dll	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\autorespo.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\fo.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\IPGeolocator.exe	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\trt.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\winget.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\s32.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Uninstall Schooi's Multitool.exe	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\SECURITY.md	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\smt.ico	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Malwarebytes-Premium-Reset.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\rockyou.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\hibern.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\SuperF4.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\pcm.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Schnuker\install.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\SchooiMultitool.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\SSAMBYO.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\URLShortener.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\ednsc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\fic.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\rcmc.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\.gitignore	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\CommandLineGame.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\IPStealer.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\RAUP.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\InfoFinder.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\ctt.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\PasswordGenerator.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\WA.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\pf.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\chrome.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\pswin7.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\Apps\wintoys.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\uninstall.log	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\IPLogs.txt	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\creds.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\mystery.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\music.bat	SchooisMultitoolSetup.exe
File created	C:\Program Files\SMT\Files\nsl.bat	SchooisMultitoolSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

findstr.execscript.execmd.exepowershell.exefindstr.execmd.exechcp.comcmd.execscript.exepowershell.exepowershell.execscript.exechcp.comcmd.exefind.exeSchooisMultitoolSetup.exechcp.comtimeout.execmd.execmd.execmd.exechcp.comPING.EXEcmd.execmd.execmd.execmd.exechcp.comcmd.execscript.execmd.exechcp.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SchooisMultitoolSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

3204 PING.EXE
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2860 timeout.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3204 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3108 powershell.exe
3108 powershell.exe
3184 powershell.exe
3184 powershell.exe
1624 powershell.exe
1624 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3108 powershell.exe
Token: SeDebugPrivilege 3184 powershell.exe
Token: SeDebugPrivilege 1624 powershell.exe

pid	process
3204	PING.EXE

pid	process
2860	timeout.exe

pid	process
3204	PING.EXE

pid	process
3108	powershell.exe
3108	powershell.exe
3184	powershell.exe
3184	powershell.exe
1624	powershell.exe
1624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SchooisMultitoolSetup.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4220 wrote to memory of 64	4220	SchooisMultitoolSetup.exe	cmd.exe
PID 4220 wrote to memory of 64	4220	SchooisMultitoolSetup.exe	cmd.exe
PID 4220 wrote to memory of 64	4220	SchooisMultitoolSetup.exe	cmd.exe
PID 64 wrote to memory of 1420	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 1420	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 1420	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 4384	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 4384	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 4384	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 3508	64	cmd.exe	findstr.exe
PID 64 wrote to memory of 3508	64	cmd.exe	findstr.exe
PID 64 wrote to memory of 3508	64	cmd.exe	findstr.exe
PID 64 wrote to memory of 4880	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 4880	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 4880	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 3488	64	cmd.exe	findstr.exe
PID 64 wrote to memory of 3488	64	cmd.exe	findstr.exe
PID 64 wrote to memory of 3488	64	cmd.exe	findstr.exe
PID 64 wrote to memory of 3384	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 3384	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 3384	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 864	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 864	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 864	64	cmd.exe	cmd.exe
PID 864 wrote to memory of 4528	864	cmd.exe	chcp.com
PID 864 wrote to memory of 4528	864	cmd.exe	chcp.com
PID 864 wrote to memory of 4528	864	cmd.exe	chcp.com
PID 64 wrote to memory of 3328	64	cmd.exe	chcp.com
PID 64 wrote to memory of 3328	64	cmd.exe	chcp.com
PID 64 wrote to memory of 3328	64	cmd.exe	chcp.com
PID 64 wrote to memory of 388	64	cmd.exe	chcp.com
PID 64 wrote to memory of 388	64	cmd.exe	chcp.com
PID 64 wrote to memory of 388	64	cmd.exe	chcp.com
PID 64 wrote to memory of 1488	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 1488	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 1488	64	cmd.exe	cmd.exe
PID 1488 wrote to memory of 392	1488	cmd.exe	cscript.exe
PID 1488 wrote to memory of 392	1488	cmd.exe	cscript.exe
PID 1488 wrote to memory of 392	1488	cmd.exe	cscript.exe
PID 64 wrote to memory of 1744	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 1744	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 1744	64	cmd.exe	cmd.exe
PID 1744 wrote to memory of 3588	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 3588	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 3588	1744	cmd.exe	cscript.exe
PID 64 wrote to memory of 3948	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 3948	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 3948	64	cmd.exe	cmd.exe
PID 3948 wrote to memory of 4592	3948	cmd.exe	cscript.exe
PID 3948 wrote to memory of 4592	3948	cmd.exe	cscript.exe
PID 3948 wrote to memory of 4592	3948	cmd.exe	cscript.exe
PID 64 wrote to memory of 4084	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 4084	64	cmd.exe	cmd.exe
PID 64 wrote to memory of 4084	64	cmd.exe	cmd.exe
PID 4084 wrote to memory of 3108	4084	cmd.exe	powershell.exe
PID 4084 wrote to memory of 3108	4084	cmd.exe	powershell.exe
PID 4084 wrote to memory of 3108	4084	cmd.exe	powershell.exe
PID 64 wrote to memory of 3184	64	cmd.exe	powershell.exe
PID 64 wrote to memory of 3184	64	cmd.exe	powershell.exe
PID 64 wrote to memory of 3184	64	cmd.exe	powershell.exe
PID 64 wrote to memory of 3204	64	cmd.exe	PING.EXE
PID 64 wrote to memory of 3204	64	cmd.exe	PING.EXE
PID 64 wrote to memory of 3204	64	cmd.exe	PING.EXE
PID 64 wrote to memory of 1636	64	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\SchooisMultitoolSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SchooisMultitoolSetup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\SMT\SchooiMultitool.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo echo C:\Program Files\SMT\ "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- - C:\Windows\SysWOW64\findstr.exe
    findstr "Program Files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo echo C:\Program Files\SMT\ "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\findstr.exe
    findstr "System32"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3328
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call ini.bat /i hex /s TerminalColor config\settings.ini
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalColor" "hex" "" "" ""
      4⤵
      System Location Discovery: System Language Discovery
      PID:392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call ini.bat /i coloring /s TerminalTextColoring config\settings.ini
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalTextColoring" "coloring" "" "" ""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call ini.bat /i hex /s TerminalColor config\settings.ini
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalColor" "hex" "" "" ""
      4⤵
      System Location Discovery: System Language Discovery
      PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell Get-ExecutionPolicy
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ExecutionPolicy
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 -w 700 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3204
- - C:\Windows\SysWOW64\find.exe
    find "TTL="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "irm https://raw.githubusercontent.com/SchooiCodes/smt/main/Files/config/version -OutFile C:\Users\Admin\AppData\Local\Temp\version"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call ini.bat /i resizing /s TerminalResizing config\settings.ini
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript "C:\Program Files\SMT\Files\ini.bat" "config\settings.ini" "TerminalResizing" "resizing" "" "" ""
      4⤵
      System Location Discovery: System Language Discovery
      PID:1588
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /NOBREAK
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5020
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      System Location Discovery: System Language Discovery
      PID:3900
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SMT\Files\config\settings.ini

Filesize
104B

MD5
76bce085a9f1c3c94a5d984fe7e6d1c9

SHA1
bbac6f8eef17c58590d786e8387a6ebf28fc7cad

SHA256
1b5075e020bb4a27f583db12ee9e62256b655fc415feb1935dde5cabde04cb48

SHA512
fe0afe4aebe3deef8c4b2fe2d2bec903e5efacace9859bceaadbc59908187d22f90a0c0632c5561423c4ba73f54b6e28d81a937bda2e1e6b3030555b0b7c23ef

Download Submit
C:\Program Files\SMT\Files\config\tc.bat

Filesize
1KB

MD5
5fa72afa9821d492700e2940e1686c86

SHA1
08709efbc323871d635fa6cb5bea2ec2c06f1879

SHA256
5f31ac7d6bab5f951ec4346a16f70f033eee9b9c60a197d7ee2bb83798168621

SHA512
48853ca82ef4f0ba515f142303467ce1aee85e7531e1eb28704570a4ce050e8ba810eb783fe3efe3636ad72420184ef3cdd0d38034ee7b5cdb8ad7e6ef1b8e32

Download Submit
C:\Program Files\SMT\Files\config\version

Filesize
19B

MD5
c0b046c81c584ecd5711aa57f57ede0f

SHA1
e5bc632f0d997e937bd4dbdfa80e24f9b5eaecca

SHA256
de22e6d6570232e3df4d39723c5a01c6344f2473b4c9838e1eac07d2c290dc8c

SHA512
b2354f3732ad2014927bf9276ec885e4486dfd43faaf13dd562090bb592b2e83f2f955fb4aaf1d8b255dcd63505451dae26e45a4c4d7ec1e1441da77b95c6ca2

Download Submit
C:\Program Files\SMT\Files\ini.bat

Filesize
7KB

MD5
2b6992974a85b0b13124ff5106e60b29

SHA1
98d6874af78cbe78cf3dc20205158ad63d302cda

SHA256
95ea49c7c0382703df254bfd1f30b3b51926f2345ee6d6d10b7fcad738a7dcfe

SHA512
be6b293bc64ed7ce311796beb0ecfc7ce0038b508a97a4abcef4350175a724fc3a603e4d977f1adfac99d22f5298af853f000d1b88e7717680b7234d8c3df243

Download Submit
C:\Program Files\SMT\Files\logo.bat

Filesize
3KB

MD5
e96569aa0cc42136bd51bc79455c945b

SHA1
cbb7839981a2b7a9576ea20600183e5f0b3fa23f

SHA256
1b0d647d3f677db2b4bbb598ba9a1f78f5f1d4c5eeda104691a65679b18b7488

SHA512
14343e6bd84f963bc68e45aae0a341c796b2d34a34ef274ce26684118221de5c9da2edba456332e6f95eebfb488890cc7a75e5501978fcc631025db63cc59a13

Download Submit
C:\Program Files\SMT\SchooiMultitool.bat

Filesize
21KB

MD5
eca611b53b57465b571ac863d34726bf

SHA1
c7dd991aee18e95c779c2ed76e7ee280fb58a9b6

SHA256
e3b4e3dec43743b02cda71070a83d446ffe929e2b12e959df1e24697261a453d

SHA512
9aadeef2322aea874378faf971aed3229e042436c9c649e4b098b9f3f6a864df1f2396e5a0ce7057f8f585601bc5ad10112563c7ec02b076d43aeedfd1a59d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
74beabd4347b1ecc24fdc6cd9bb2ec64

SHA1
b793909bd2bf91d40eafb71194cc3eeb0c057110

SHA256
80d19c23e407ccffe9f5b43087c752b2157294a1e42d887705b9924ceb9e6af9

SHA512
f36be6d71e6ae79ffa79e9bc8d57e79cc14ace932fcc2106ab4df8f4ba99506dac3c007d986dfe3bf8884977a411ba1faa713489dc27b25c23bec49d42abd802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c8d7627fc95d8afc0489cee2dd6c344e

SHA1
bdb664e38903fad353d21a970d5342749868ca14

SHA256
792622ff235e942a095ea1cccd424970a3b12752905987263da31fe758506920

SHA512
a3436361debc92e674a7beef8f59a0f03601a7f26b2036f27cfddeb075d4a39c278b80ba091c55d8bc0fa60a8903639af9e9946b42e24611dffdd25faeec78b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
07a765fa5d8fec9ea855f15d586274fd

SHA1
58ec6b23f2cc04421c6ca23e4d968d74fdb22f7a

SHA256
7b7540576c2502146d2f3c0c588a34d01cfb69c2720ab001f6d99f5dd316f2a2

SHA512
6eabc392262fddfa04fc28d819f41f3352c10387d2e874629e1802cbeee3a0b5f7b0918da720981ede85308b79699eeb451679bb001ec941b63e00d57e2b442a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmbajdy5.gio.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh97DC.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh97DC.tmp\modern-wizard.bmp

Filesize
150KB

MD5
c06f1dc0d75c5e520cb3a41e0fb59581

SHA1
0a09240ca314ec279e7c79001b2ccdf0d70ff819

SHA256
20e6feb5684f9af251ff42ddcaa8a05e09d2f152dfa6a98013970ac12917cfba

SHA512
2c9ef10e81da034cfd4f741bf8848741ad3a00bb409c21f1b2db0d40057e89d815beffdd7575a1be244e5593b2ed72f2661b5d3f942a36c215957d26d16cdc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh97DC.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\version

Filesize
18B

MD5
3e91ee90aa2f5a6c5cdeef6ba7b3ae53

SHA1
ba7acea752c00f9923329ff27d3e8985509a2b2d

SHA256
f26b5780792545c74d966e584fcdcac86316e7577bbbe638552998d4ff74ec83

SHA512
b4fd99da508db16767b71999fc6edcfbe047e419adad79f8050539a289f2f7c99f36c2d11c2a821d22c7ec806715e48f2c9ce149bf4b72b5028f0aa04e618ceb

Download Submit
memory/1624-195-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/3108-142-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/3108-159-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/3108-143-0x0000000006D10000-0x0000000006D42000-memory.dmp

Filesize
200KB

Download
memory/3108-144-0x0000000070B40000-0x0000000070B8C000-memory.dmp

Filesize
304KB

Download
memory/3108-154-0x0000000006D50000-0x0000000006D6E000-memory.dmp

Filesize
120KB

Download
memory/3108-155-0x0000000007740000-0x00000000077E3000-memory.dmp

Filesize
652KB

Download
memory/3108-156-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/3108-157-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/3108-158-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/3108-141-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/3108-160-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/3108-140-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/3108-126-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/3108-129-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/3108-127-0x00000000058D0000-0x0000000005EF8000-memory.dmp

Filesize
6.2MB

Download
memory/3108-130-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/3108-128-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/3184-175-0x0000000070B40000-0x0000000070B8C000-memory.dmp

Filesize
304KB

Download
memory/3184-171-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download