Jump to content

Suspicious behavior of task.vbs


Recommended Posts

I was doing some digging with Sysinternals Autoruns and I came across a scheduled task that executes a vb script called task; after doing some research it seems like its a part of Intel's system usage reports. However, after taking a look at the vbs script I found that it exhibits some really spooky behavior that give's me the impress it is doing something malicious, or something that it doesn't want the user to notice.

 

taskvbs.suspect.thumb.png.8735370cf23377abb7415e37e2569c78.png

 

Located in \Program Files\Intel\SUR\QUEENCREEK\x64 the task.vbs script executes task.bat, which then runs task.exe — seems a little odd to me that legitimate Intel software would use such poor practice. Without going into to much detail I just want to know if you guys think this is something I should be concerned about.

Link to post
Share on other sites

Hello @JonahN and :welcome:

 

My name is MKDB and I will assist you.

 

  • Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • As English is not my native language, please do not use slang or idoms. It may be hard for me to understand.

 

 

I know this task and those files you are talking about. I've noticed them on other systems some time ago as well. Those files are legit.

If you still want to have your system checked for malware, please let me know.

Thank you!

 

 

  • Like 1
Link to post
Share on other sites

Hello! I really appriciate the reply MKDB, after some further investigation using a decompiler I've concluded the application is safe. 

All API calls,  Registry paths, and Assembly Sections consistent with the legitimate executable and show no signs of manipulation so I hope that this thread can serve as a reference for anyone

curious about these files.

 

Below I've attatched some extra information about the file just for SEO sake

 

 

MD5		d0587fbaf5b48c4e02a21d2a843e2783
SHA-1		56dca57e7a952633ce9dbedb7202a073eff76d5e
SHA-256		5dcfcea1cab3e808ca45831ade6bab950e190c3c18f47fd7230b85e952f1c4b3


Signers
Intel(R) System Usage Report
Intel External Issuing CA 7B
Sectigo (formerly Comodo CA)

 

https://www.virustotal.com/gui/file/5dcfcea1cab3e808ca45831ade6bab950e190c3c18f47fd7230b85e952f1c4b3/detection

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you.

 

 

As this topic seems to be solved, I do not follow it any longer.

Take care!

  • Like 1
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.