Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6512
Target ID:	0
Parent PID:	4004
Name:	SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe"
Size:	20872232
MD5:	6E2E6F5D50FA7ADF690C2A6A797D7690
Time:	09:30:01
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4a0000
Modulesize:	2805760
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\wscript.exe

wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	2788
Target ID:	5
Parent PID:	6512
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"
Size:	147456
MD5:	FF00E0480075B095948000BDC66E81F0
Time:	09:30:20
Date:	23/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x330000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Wscript called in batch mode (surpress errors)	System Summary	Scripting
EXE planting / hijacking vulnerabilities found	Privilege Escalation, Compliance	DLL Search Order Hijacking
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\wscript.exe

wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	5824
Target ID:	6
Parent PID:	6512
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"
Size:	147456
MD5:	FF00E0480075B095948000BDC66E81F0
Time:	09:30:26
Date:	23/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x330000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Wscript called in batch mode (surpress errors)	System Summary	Scripting
EXE planting / hijacking vulnerabilities found	Privilege Escalation, Compliance	DLL Search Order Hijacking
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe

"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -install yes

Details

Is windows:	false
Is dropped:	true
PID:	6972
Target ID:	7
Parent PID:	6512
Name:	tscmon.exe
Path:	C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe
Commandline:	"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -install yes
Size:	1362072
MD5:	C9CB53D48CCDA8441189E1E76AD33EB7
Time:	09:30:32
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x410000
Modulesize:	1441792
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe

"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -remove yes

Details

Is windows:	false
Is dropped:	true
PID:	6200
Target ID:	8
Parent PID:	6512
Name:	tscmon.exe
Path:	C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe
Commandline:	"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -remove yes
Size:	1362072
MD5:	C9CB53D48CCDA8441189E1E76AD33EB7
Time:	09:30:33
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x410000
Modulesize:	1441792
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe

"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe" /minimize

Details

Is windows:	false
Is dropped:	true
PID:	2884
Target ID:	9
Parent PID:	1064
Name:	AdvancedSystemRepairPro.exe
Path:	C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe
Commandline:	"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe" /minimize
Size:	19981464
MD5:	E80DF622083CD7283507473E22E1DEB3
Time:	09:30:36
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x620000
Modulesize:	20074496
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\wscript.exe

wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	3472
Target ID:	11
Parent PID:	6512
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"
Size:	147456
MD5:	FF00E0480075B095948000BDC66E81F0
Time:	09:30:39
Date:	23/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x330000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Wscript called in batch mode (surpress errors)	System Summary	Scripting
EXE planting / hijacking vulnerabilities found	Privilege Escalation, Compliance	DLL Search Order Hijacking
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\wscript.exe

wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr4.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	1924
Target ID:	12
Parent PID:	6512
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr4.vbs"
Size:	147456
MD5:	FF00E0480075B095948000BDC66E81F0
Time:	09:30:40
Date:	23/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x330000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Wscript called in batch mode (surpress errors)	System Summary	Scripting
EXE planting / hijacking vulnerabilities found	Privilege Escalation, Compliance	DLL Search Order Hijacking
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe

"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -install yes

Details

Is windows:	false
Is dropped:	true
PID:	4132
Target ID:	14
Parent PID:	6512
Name:	tscmon.exe
Path:	C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe
Commandline:	"C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -install yes
Size:	1362072
MD5:	C9CB53D48CCDA8441189E1E76AD33EB7
Time:	09:30:41
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x540000
Modulesize:	1441792
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://asrupdates.com/app_upgrade/asr.php?a=%s&i=%i&r=%i&v=%s&l=%iInstallTime40asrinf%i.iniupdateNot

unknown

http://asrupdates.com/db3/1.db

unknown

http://www.winimage.com/zLibDll1.2.3rbr

unknown

http://www.advancedsystemrepair.com.

unknown

https://advancedsystemrepair.com/reg-premium-de.phphttps://advancedsystemrepair.com/reg-premium7-de.

unknown

http://ocsp.thawte.com0

unknown

http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v

unknown

http://advancedsystemrepair.com/Malware.phpWhat

unknown

http://advancedsystemrepair.com/inapp3_de.phphttp://advancedsystemrepair.com/inapp2_de.phphttp://adv

unknown

https://advancedsystemrepair.com/thank-you-page-german-t.php?id=%sSelect

unknown

http://advancedsystemrepair.com/Review-Apps.phphttp://advancedsystemrepair.com/reviews.php1OnTimerAn

unknown

http://wixtoolset.org/news/

unknown

http://qt.digia.com/product/licensing

unknown

https://advancedsystemrepair.com/Purchase/ASR-german-Upgrade-m7.php

unknown

https://advancedsystemrepair.com/certifications/Proof.phphttps://advancedsystemrepair.com/ASR_DLL_Ex

unknown

http://www.westcoastlabs.com/about-us/https://advancedsystemrepair.com/ASR-Antimalware-Checkmark-Cer

unknown

http://advancedsystemrepair.com/Support.phphttps://advancedsystemrepair.com/License-Key-Lookup.php:/

unknown

http://asrupdates.com/db3/0.db

unknown

http://asrupdates.com/db3/2.db

unknown

https://advancedsystemrepair.com/reg-premium-pro-de.phphttps://advancedsystemrepair.com/reg-premium-

unknown

http://qt.digia.com/

unknown

http://advancedsystemrepair.com/EULA.phphttp://advancedsystemrepair.com/Privacy-Policy.phpTXThttp://

unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://advancedsystemrepair.com/privacypolicy.php

unknown

http://www.winimage.com/zLibDll

unknown

http://asrupdates.com/wr/view_d3.php?id=%iVideoLocal

unknown

http://advancedsystemrepair.com/Privacy-Policy.phphttp://advancedsystemrepair.com/EULA.phphttp://adv

unknown

http://asrupdates.com/db3/0.dbhttp://asrupdates.com/db3/1.dbhttp://asrupdates.com/db3/2.db.tmpasrupd

unknown

There are 18 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted

C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe

HKEY_CURRENT_USER\SOFTWARE\AdvancedSystemRepairPro

InstallDir

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AdvancedSystemRepairPro

InstallDir

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe

HKEY_CURRENT_USER\SOFTWARE\AdvancedSystemRepairPro

InstallDir

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AdvancedSystemRepairPro

InstallDir