The user downloaded what they thought was the Sysinternals tool suite and double-clicked it, but the tools did not open and were not accessible. Since then, the user has noticed that the system has « slowed down » and become less and less responsive. The goal is to determine what happened, and when.

Files can be downloaded HERE

Three « SysInternals.exe » files were found:

Source: IEUser\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SysInternals.exe.51m0nh7.partial
Created: 15/11/2022 21:18:40
MD5 hash: f7af417434e440b14142ccaf032d1ef0

Source: Users\IEUser\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WMFWC1O7\SysInternals[1].exe
Created: 15/11/2022 21:18:40
MD5 hash: d1a27b871a86c5371215f71885862cff

Source: Users\Public\Downloads\SysInternals.exe (deleted)
Created: 15/11/2022 21:18:51
$LogFile analysis shows that this copy was deleted nine seconds later, at 21:19:00.

SysInternals[1].exe is known to VirusTotal:

IDA shows that this file contains strings such as InternetOpenUrlA, URLDownloadToFileA and ShellExecuteA (fetch a file from a URL, then run it), together with the following command line and path:

/C c:\Windows\vmtoolsIO.exe -install && net start VMwareIOHelperService && sc config VMwareIOHelperService start=auto

c:\Windows\Temp\Hex2Dec.zip

We can see that entries have been added to the hosts file, pointing both www.malware430.com and www.sysinternals.com at 192.168.15.10 (in the commands, `n is the PowerShell newline escape and `t the tab escape):

Source: Users\IEUser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Add-Content -Path $env:windir\System32\drivers\etc\hosts -Value "`n192.168.15.10`twww.malware430.com" -Force
Add-Content -Path $env:windir\System32\drivers\etc\hosts -Value "`n192.168.15.10`twww.sysinternals.com" -Force
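As an added example (not part of the original write-up), the following Python script parses a hosts file taken from an image and flags the kind of tampering shown above: a public domain pinned to a private, non-loopback address. The hosts content is a constructed sample reproducing the result of the two Add-Content commands; the list of watched domains is an assumption for the example.

```python
"""Added example: detect hosts-file redirections of the kind created by the
Add-Content commands in the ConsoleHost_history above. Not original page code."""
import ipaddress

# Constructed sample: the tail of a Windows hosts file after the two
# Add-Content commands ran (newline + "IP<TAB>hostname" each time).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# 127.0.0.1       localhost\n"
    "# ::1             localhost\n"
    "\n"
    "192.168.15.10\twww.malware430.com\n"
    "192.168.15.10\twww.sysinternals.com\n"
)

# Assumption for the example: domains that should never be pinned in hosts
# on an end-user machine, because they are meant to resolve via public DNS.
WATCHED_DOMAINS = {
    "www.sysinternals.com",
    "live.sysinternals.com",
    "download.sysinternals.com",
}


def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for every active entry.

    Comment lines and inline comments are dropped; lines that do not start
    with a parseable IP address are skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((ip, parts[1:]))
    return entries


def find_redirects(text, watched=WATCHED_DOMAINS):
    """Flag suspicious hosts entries and say why.

    Heuristic 1: a watched public domain appears in hosts at all.
    Heuristic 2: a name is mapped to a private (RFC 1918) address that is
    not loopback, which is how a download gets silently redirected to an
    attacker-controlled host on the LAN, as with 192.168.15.10 here.
    Loopback mappings (the usual ad-blocking pattern) are not flagged.
    """
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            reasons = []
            if name.lower() in watched:
                reasons.append("watched domain pinned in hosts")
            if ip.is_private and not ip.is_loopback:
                reasons.append("maps to private non-loopback address")
            if reasons:
                findings.append({"ip": str(ip), "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_redirects(SAMPLE_HOSTS):
        print(f"{f['ip']:<16} {f['name']:<28} {'; '.join(f['reasons'])}")
```

Run against the real file by reading Windows\System32\drivers\etc\hosts from the mounted image and passing its text to find_redirects(); the www.sysinternals.com entry trips both heuristics, www.malware430.com only the second.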

Shimcache

Source: Windows\System32\config\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache
15/11/2022 21:19:17
C:\Windows\vmtoolsIO.exe

Note that on Windows 10 a Shimcache entry records the file's last-modified timestamp, not the moment it ran; it proves the file existed at that path, and execution is corroborated by the Prefetch entry below.

Microsoft Edge

Source: Users\IEUser\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
http://www.malware430.com/html/VMwareUpdate.exe
15/11/2022 21:19:17
Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\WNC4UP6F\VMwareUpdate[1].exe

Since the hosts file maps www.malware430.com to 192.168.15.10, this VMwareUpdate.exe was fetched from that LAN host, not from the public Internet.

Windows Events

Source: Windows\System32\winevt\Logs\System.evtx (Service Control Manager, Event ID 7045)
A service was installed in the system.
Service Name: VMWare IO Helper Service
Service File Name: c:\Windows\vmtoolsIO.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: NT AUTHORITY\SYSTEM
15/11/2022 21:19:22

The start type is « demand start » at install time; the « sc config VMwareIOHelperService start=auto » seen in the binary's strings is what switches it to automatic afterwards, so the service survives a reboot.
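As an added example (not part of the original write-up), the following Python script pulls Event ID 7045 records out of an XML export of the System log (the shape produced by wevtutil qe System /f:xml) and flags service binaries installed outside the directories where legitimate services normally live. The two records are constructed samples: the first mirrors the event above, the second is a benign-looking VMware Tools install for contrast; the EventData field names are the real ones for 7045.

```python
"""Added example: triage service-installation events (System log, 7045).
Not original page code; the XML below is a constructed sample."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample shaped like `wevtutil qe System /f:xml` output.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>7045</EventID>
    <TimeCreated SystemTime="2022-11-15T21:19:22.000000Z"/>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="ServiceName">VMWare IO Helper Service</Data>
    <Data Name="ImagePath">c:\\Windows\\vmtoolsIO.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>7045</EventID>
    <TimeCreated SystemTime="2022-11-10T09:00:00.000000Z"/>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="ServiceName">VMTools</Data>
    <Data Name="ImagePath">"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
</Events>"""

# Assumption for the example: directories where service binaries are expected.
EXPECTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_7045(xml_text):
    """Return one dict per Event ID 7045 record: time, name, image, start, account."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7045":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "name": data.get("ServiceName", ""),
            "image": data.get("ImagePath", ""),
            "start": data.get("StartType", ""),
            "account": data.get("AccountName", ""),
        })
    return events


def binary_path(image_path):
    """Strip surrounding quotes and trailing arguments from an ImagePath."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def suspicious_installs(xml_text):
    """Flag 7045 events whose executable is outside EXPECTED_DIRS.

    A binary dropped directly into C:\\Windows (as vmtoolsIO.exe is here),
    a user profile or Temp is the usual sign of a self-installing dropper.
    """
    flagged = []
    for ev in parse_7045(xml_text):
        path = binary_path(ev["image"]).lower()
        if not path.startswith(EXPECTED_DIRS):
            flagged.append(dict(ev, reason=f"service binary outside expected directories: {path}"))
    return flagged


if __name__ == "__main__":
    for ev in suspicious_installs(SAMPLE_XML):
        print(ev["time"], ev["name"], ev["start"], ev["reason"])
```

The path heuristic is deliberately narrow; pair it with the service name (a VMware-branded name for a binary that is not under the VMware Tools directory is itself a red flag) and with the Shimcache and Prefetch evidence for the same path.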

Once the service was installed, the contents of the Prefetch directory were deleted. Note that the wiped files include VMTOOLSIO.EXE-B05FE979.pf, which confirms vmtoolsIO.exe had already executed at least once before the wipe:

$LogFile

Event date: 15/11/2022 21:19:22

File Deletion SVCHOST.EXE-7652BBC1.pf
File Deletion SVCHOST.EXE-7FB13051.pf
File Deletion SVCHOST.EXE-881C0886.pf
File Deletion SVCHOST.EXE-8FD92526.pf
File Deletion SVCHOST.EXE-93DCE9BF.pf
File Deletion SVCHOST.EXE-943994C7.pf
File Deletion SVCHOST.EXE-A9822852.pf
File Deletion SVCHOST.EXE-B227FD78.pf
File Deletion SVCHOST.EXE-BD0239A6.pf
File Deletion SVCHOST.EXE-C157FE85.pf
File Deletion SVCHOST.EXE-C407FFDC.pf
File Deletion SVCHOST.EXE-D46DD185.pf
File Deletion SVCHOST.EXE-D778BE1D.pf
File Deletion SVCHOST.EXE-E5A7F4DF.pf
File Deletion SVCHOST.EXE-EF984078.pf
File Deletion SVCHOST.EXE-F217BE22.pf
File Deletion SVCHOST.EXE-F737CE0B.pf
File Deletion SYSTEMSETTINGS.EXE-45A5EC0B.pf
File Deletion TASKHOSTW.EXE-4DB99E1B.pf
File Deletion TIWORKER.EXE-1DF9E9B1.pf
File Deletion TIWORKER.EXE-9961D998.pf
File Deletion TPAUTOCONNSVC.EXE-3F58EC59.pf
File Deletion TPVCGATEWAY.EXE-DBBE6AB9.pf
File Deletion TRUSTEDINSTALLER.EXE-031B6478.pf
File Deletion UDEFRAG.EXE-BF692AC4.pf
File Deletion UNREGMP2.EXE-F3D7C3D3.pf
File Deletion UPDATEPLATFORM.EXE-5D23AF63.pf
File Deletion VCREDIST_X64.EXE-33C40083.pf
File Deletion VCREDIST_X86.EXE-25545807.pf
File Deletion VERCLSID.EXE-4D95F5A7.pf
File Deletion VGAUTHSERVICE.EXE-41501B8F.pf
File Deletion VM3DSERVICE.EXE-5AFC041A.pf
File Deletion VMACTHLP.EXE-4A7FF661.pf
File Deletion VMTOOLSD.EXE-0AD357E6.pf
File Deletion VMTOOLSIO.EXE-B05FE979.pf
File Deletion VSSVC.EXE-04D079CC.pf
File Deletion WINDOWS-KB890830-X64-V5.70.EX-E982F4E4.pf
File Deletion WINDOWS.WARP.JITSERVICE.EXE-576D6110.pf
File Deletion WINDOWSINTERNAL.COMPOSABLESHE-EE394D7A.pf
File Deletion WINLOGON.EXE-8163EECC.pf
File Deletion WLRMDR.EXE-DDA57653.pf
File Deletion WMIADAP.EXE-369DF1CD.pf
File Deletion WMIAPSRV.EXE-576286C3.pf
File Deletion WMIPRVSE.EXE-43972D0F.pf
File Deletion WOWREG32.EXE-6F22B7D7.pf
File Deletion WSCRIPT.EXE-65A9658F.pf
File Deletion WUAUCLT.EXE-830BCC14.pf
File Deletion WWAHOST.EXE-2084B319.pf
File Deletion AgAppLaunch.db
File Deletion AgGlFaultHistory.db
File Deletion AgGlFgAppHistory.db
File Deletion AgGlGlobalHistory.db
File Deletion AgRobust.db
File Deletion PfSvPerfStats.bin
File Deletion ResPriHMStaticDb.ebd
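As an added example (not part of the original write-up), the following Python script reads file-deletion records in the write-up's own « dd/mm/yyyy hh:mm:ss filename » form and isolates a Prefetch wipe: many .pf files deleted within the same second. Ordinary operation deletes a Prefetch file now and then; dozens in one second is anti-forensics. The records below are a constructed, abridged sample mixing the deletions listed above with two unrelated ones (the NOTEPAD.EXE hash is made up).

```python
"""Added example: cluster .pf deletions per second to spot a Prefetch wipe.
Not original page code; the record list is a constructed sample."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the write-up's date format: one line per deletion.
SAMPLE_DELETIONS = """15/11/2022 21:19:00 SysInternals.exe
15/11/2022 21:19:22 SVCHOST.EXE-7652BBC1.pf
15/11/2022 21:19:22 SVCHOST.EXE-7FB13051.pf
15/11/2022 21:19:22 TASKHOSTW.EXE-4DB99E1B.pf
15/11/2022 21:19:22 VMTOOLSIO.EXE-B05FE979.pf
15/11/2022 21:19:22 WINDOWS-KB890830-X64-V5.70.EX-E982F4E4.pf
15/11/2022 21:19:22 WSCRIPT.EXE-65A9658F.pf
15/11/2022 21:19:22 AgRobust.db
15/11/2022 21:19:22 PfSvPerfStats.bin
16/11/2022 08:02:10 NOTEPAD.EXE-D8414F97.pf
"""

# Prefetch names are <EXECUTABLE>-<8 hex digits of path hash>.pf; the
# executable part may be truncated by Windows (see COMPOSABLESHE above) and
# may itself contain dashes, so match the hash from the right.
PF_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def parse_pf_name(filename):
    """Return (EXECUTABLE, HASH) for a Prefetch file name, else None."""
    m = PF_RE.match(filename)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None


def parse_deletions(text):
    """Parse 'dd/mm/yyyy hh:mm:ss filename' lines into [(datetime, filename)]."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, name = line.split(maxsplit=2)
        records.append((datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S"), name))
    return records


def prefetch_wipe_bursts(records, threshold=3):
    """Return [(timestamp, sorted executable names)] for each second in which
    at least `threshold` Prefetch files were deleted. Non-.pf deletions
    (AgRobust.db, PfSvPerfStats.bin, ...) are ignored here; they travel with
    a wipe but are not needed to detect it."""
    per_second = defaultdict(list)
    for ts, name in records:
        parsed = parse_pf_name(name)
        if parsed:
            per_second[ts].append(parsed[0])
    return [
        (ts, sorted(exes))
        for ts, exes in sorted(per_second.items())
        if len(exes) >= threshold
    ]


if __name__ == "__main__":
    for ts, exes in prefetch_wipe_bursts(parse_deletions(SAMPLE_DELETIONS)):
        print(f"{ts:%d/%m/%Y %H:%M:%S}: {len(exes)} Prefetch files deleted, incl. {', '.join(exes[:3])}")
```

Besides the burst itself, the executable names recovered from the wiped entries are evidence in their own right: a deleted VMTOOLSIO.EXE-*.pf still proves that vmtoolsIO.exe ran before the Prefetch directory was emptied.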
