| Field | Value |
|---|---|
| URL: | https://www.tweaking.com/files/setups/tweaking.com_windows_repair_aio_setup.exe |
| Full analysis: | https://app.any.run/tasks/085ee3fb-5525-4f37-9795-b8d6f3207456 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users' information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | September 30, 2019, 19:45:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | — |
| Indicators: | — |
| MD5: | 66A921EDFF305214926F6F65FDC3EEF8 |
| SHA1: | 0104474C28C5AD716D7C9C340BBD4A385AA6822B |
| SHA256: | D861925A5E834465CBE580B91569BAA8361C7E36793D1FA0B84E5C9B2FB347D1 |
| SSDEEP: | 3:N8DSL5EjLCx0KxAWKRzKC18zVlqQDh4A:2OL5EjLCLADzKC18zVoeh4A |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 304 | "C:\Program Files\Tweaking.com\Windows Repair (All in One)\files\ManageACL_32.exe" -on "C:\Program Files" -ot file -actn restore -bckp "C:\Windows\Temp\1program_files_x86.txt" -silent -ignoreerr -log "C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs\9.30.2019_8.48.48-PM\Restore_Program_Files_x86_Permissions_Error_Log.txt" | C:\Program Files\Tweaking.com\Windows Repair (All in One)\files\ManageACL_32.exe | — | cmd.exe | SYSTEM | SYSTEM | Tweaking.com | Tweaking.com - ManageACL | 1.7.0.0 | 0 |
| 596 | "C:\Program Files\Tweaking.com\Windows Repair (All in One)\files\tweaking_ras.exe" /0003[]\|\|C:\Windows\System32\cmd.exe\|\|[]/c start /HIGH C:\Windows\System32\cmd.exe /c \|\|C:\Windows\Temp\temp47721.bat\|\| & exit | C:\Program Files\Tweaking.com\Windows Repair (All in One)\files\tweaking_ras.exe | — | Repair_Windows.exe | admin | HIGH | Tweaking.com | Tweaking.com - Run As System Service | 2.1.0.0 | 0 |
| 732 | "C:\Program Files\Tweaking.com\Windows Repair (All in One)\files\tweaking_ras.exe" /0001[]\|\|C:\Windows\System32\cmd.exe\|\|[]/c start /HIGH C:\Windows\System32\cmd.exe /c \|\|C:\Windows\Temp\temp10756.bat\|\| & exit | C:\Program Files\Tweaking.com\Windows Repair (All in One)\files\tweaking_ras.exe | — | Repair_Windows.exe | admin | HIGH | Tweaking.com | Tweaking.com - Run As System Service | 2.1.0.0 | 0 |
| 760 | "C:\Windows\System32\cmd.exe" /c start /HIGH C:\Windows\System32\cmd.exe /c "C:\Windows\Temp\temp50490.bat" & exit | C:\Windows\System32\cmd.exe | — | tweaking_ras.exe | SYSTEM | SYSTEM | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 824 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1028,11881820529276613447,14048681458928386729,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=13000766141887146428 --mojo-platform-channel-handle=1536 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | MEDIUM | Google LLC | Google Chrome | 75.0.3770.100 | 0 |
| 932 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,11881820529276613447,14048681458928386729,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16888957370670728140 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | LOW | Google LLC | Google Chrome | 75.0.3770.100 | 0 |
| 940 | C:\Windows\system32\net1 localgroup "Administrators" "NT Authority\Local Service" /add | C:\Windows\system32\net1.exe | — | net.exe | SYSTEM | SYSTEM | Microsoft Corporation | Net Command | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 1132 | REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v PoolUsageMaximum /t REG_DWORD /d 60 /f | C:\Windows\system32\reg.exe | — | cmd.exe | SYSTEM | SYSTEM | Microsoft Corporation | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1168 | "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\ControlSet002\Control\Session Manager\Environment /v SAFEBOOT_OPTION /f | C:\Windows\System32\reg.exe | — | Repair_Windows.exe | admin | HIGH | Microsoft Corporation | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) | 1 |
| 1244 | "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Option /f | C:\Windows\System32\reg.exe | — | Repair_Windows.exe | admin | HIGH | Microsoft Corporation | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) | 1 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | failed_count | 0 |
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 2 |
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes | — |
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes | 01000000 |
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 1 |
| 2640 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | write | 3232-13214346366299125 | 259 |
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} | write | dr | 1 |
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome | write | UsageStatsInSample | 0 |
| 3232 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | delete value | 1512-13197841398593750 | 0 |
| 3232 | chrome.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} | write | usagestats | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | — | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | — | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF100ea8.TMP | — | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\8de8f647-81c5-42c8-8a57-ab1f78c8012e.tmp | — | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | — | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | — | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | — | — |
| 3232 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF100ea8.TMP | text | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3936 | iexplore.exe | GET | 200 | 199.119.100.39:80 | http://www.tweaking.com/files/buywrpro.php | US | html | 235 b | suspicious |
| 2600 | iexplore.exe | GET | 200 | 199.119.100.39:80 | http://www.tweaking.com/files/buywrpro.php | US | html | 235 b | suspicious |
| 3936 | iexplore.exe | GET | 301 | 199.119.100.39:80 | http://www.tweaking.com/favicon.ico | US | html | 370 b | suspicious |
| 2212 | irsetup.exe | GET | 200 | 3.221.210.78:80 | http://track.tweaking.com/ev-install-start.php?type=install-start&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
| 2212 | irsetup.exe | GET | 200 | 3.221.210.78:80 | http://track.tweaking.com/ev-install-end.php?type=install-end&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
| 2212 | irsetup.exe | GET | 200 | 3.221.210.78:80 | http://track.tweaking.com/ev-install-start.php?type=install-start&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
| 3164 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
| 2212 | irsetup.exe | GET | 200 | 3.221.210.78:80 | http://track.tweaking.com/ev-install-end.php?type=install-end&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
| 2856 | Repair_Windows.exe | GET | 200 | 199.119.100.39:80 | http://update.tweaking.com/update4.php?fr=1&nt=61&k=Free_Version&v=4.6.0&r=na | US | text | 41 b | suspicious |
| 2856 | Repair_Windows.exe | GET | 200 | 199.119.100.39:80 | http://www.tweaking.com/files/updates/windows_repair/update.htm | US | text | 5 b | suspicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 824 | chrome.exe | 172.217.21.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
| 824 | chrome.exe | 199.119.100.39:443 | www.tweaking.com | HIVELOCITY VENTURES CORP | US | suspicious |
| 824 | chrome.exe | 172.217.22.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
| 824 | chrome.exe | 172.217.22.36:443 | www.google.com | Google Inc. | US | whitelisted |
| 824 | chrome.exe | 172.217.22.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
| 824 | chrome.exe | 172.217.23.110:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
| 3232 | chrome.exe | 91.199.212.52:80 | crt.usertrust.com | Comodo CA Ltd | GB | suspicious |
| 2856 | Repair_Windows.exe | 199.119.100.39:80 | www.tweaking.com | HIVELOCITY VENTURES CORP | US | suspicious |
| 2212 | irsetup.exe | 3.221.210.78:80 | track.tweaking.com | — | US | suspicious |
| 3936 | iexplore.exe | 199.119.100.39:80 | www.tweaking.com | HIVELOCITY VENTURES CORP | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| clientservices.googleapis.com | — | whitelisted |
| www.tweaking.com | — | suspicious |
| accounts.google.com | — | shared |
| www.google.com | — | malicious |
| ssl.gstatic.com | — | whitelisted |
| sb-ssl.google.com | — | whitelisted |
| crt.usertrust.com | — | whitelisted |
| track.tweaking.com | — | malicious |
| update.tweaking.com | — | suspicious |
| www.bing.com | — | whitelisted |