Analysis Overview
SHA256
6b7006ebcb34979159b16e885a65119a0e23fcab3dcd5bdff657aa2c4e29d488
Threat Level: Likely malicious
The file Windows Tweaks.bat was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Reads user/profile data of web browsers
Enumerates connected drives
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Runs net.exe
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-28 19:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 19:08
Reported
2024-05-28 19:10
Platform
win11-20240508-en
Max time kernel
68s
Max time network
72s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\Z: | C:\Windows\system32\takeown.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windows Tweaks.bat"
C:\Windows\system32\takeown.exe
takeown /s OYHKEPSP /u Admin /f "C:\Users\Public\Desktop" /r /d y
C:\Windows\system32\icacls.exe
icacls "C:\Users\Public\Desktop" /inheritance:r
C:\Windows\system32\icacls.exe
icacls "C:\Users\Public\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c
C:\Windows\system32\takeown.exe
takeown /s OYHKEPSP /u Admin /f "C:\Users\Admin\Desktop" /r /d y
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop" /inheritance:r
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c
C:\Windows\system32\takeown.exe
takeown /s OYHKEPSP /u Admin /f "Z:\Desktop" /r /d y
C:\Windows\system32\icacls.exe
icacls "Z:\Desktop" /inheritance:r
C:\Windows\system32\icacls.exe
icacls "Z:\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\net.exe
net user defaultuser1 /delete
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user defaultuser1 /delete
C:\Windows\system32\net.exe
net user defaultuser100000 /delete
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user defaultuser100000 /delete
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.0.432282475\711489598" -parentBuildID 20230214051806 -prefsHandle 1716 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aabe8eb-8c4e-47ba-84a7-5b10df9665b5} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 1832 2ceff523e58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.1.2143866459\547042120" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2332 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfb5ee1e-40de-4b56-a595-c97fed964215} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2356 2cefa188d58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.2.377126813\1327222547" -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 2752 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c19a4d5-6d1e-4ece-9610-4355bd61192a} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2956 2ce89d12d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.3.1897453309\1574214964" -childID 2 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44cc6602-db22-49bd-a129-b295fc72e55a} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 3940 2ce8c928258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.4.906325364\59300594" -childID 3 -isForBrowser -prefsHandle 4992 -prefMapHandle 5152 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e9b2354-dff4-4677-9054-00b9dd0541b8} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2780 2ce8f88b358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.5.423884659\1998383923" -childID 4 -isForBrowser -prefsHandle 2532 -prefMapHandle 2528 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8716181f-8142-462e-b63b-aa5b8b18519a} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 5132 2ce8f88b658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.6.1515275830\836617289" -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5576 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cdbdad9-5e8f-4989-b773-60316d2bceef} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 5592 2ce8f88b958 tab
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 104.86.110.113:443 | N/A | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 44.237.65.238:443 | shavar.prod.mozaws.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:49788 | N/A | tcp |
| N/A | 127.0.0.1:49796 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | cd56e155edf53e5728c46b6c9eb9c413 |
| SHA1 | 14b1b0f090803c9ee39797aed4af13dc7849566d |
| SHA256 | 70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a |
| SHA512 | a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qt190sk.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | d6ef8003cfe19a2c6ac84c544e952da7 |
| SHA1 | 540d2f2575c165b6091c5d82cc0d99550f529ed3 |
| SHA256 | 7bc05c4b0d57ab42fb37c5a7469fa8ed329a77845446a189a9af5325d0bcaea6 |
| SHA512 | 55e0ab88a134c0977d78ee871979174643a031ce7a6b23dba0115db81a6bd34e64db4c34ba4c62e9a18f3db8c4aaf2ed9b3f49b60d7cec96ac20bb38a136671c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs.js
| MD5 | 7cd05762fb17299d408ac6108be8cf78 |
| SHA1 | 850efb7e7ad9bc6722895bbdb01350d74406a213 |
| SHA256 | ddb5c0aa42e97756ffa2f6f15dce3cb07f213e6588c8d25bd1180e3d842c5215 |
| SHA512 | 8af41a4dc5880688de735bec6ddafcd597e57bb335cc52977a773c4e5d8e2af8fda49904d36d73697e98e0451f197a2c6ef55af78258ce0f3a6a8ea7dbe1f765 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js
| MD5 | e73e2f4875b473b50bfae67183883c0a |
| SHA1 | ec2239759c843ed631cc1196688a53a39bce4649 |
| SHA256 | a7c707ea5a9397d57570c2628de39e69d96044264bdfdbe89e3b2e8d6791ec0b |
| SHA512 | 76ffeeaea057bd5091fd464c4af4f0a3ae4b93db12c1f04ee273b81dbb1415c2db04ee477761fbfd54a3c403c491d53e0fed742cf0d015e5a265936bc83f228a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionCheckpoints.json
| MD5 | 66bdbb6de2094027600e5df8fbbf28f4 |
| SHA1 | ce033f719ebce89ac8e5c6f0c9fed58c52eca985 |
| SHA256 | df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc |
| SHA512 | 18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore.jsonlz4
| MD5 | 379f76e802a1bef31b54cc08e9f7f24c |
| SHA1 | 28c99e028267004928e1d2a25e7fb439912a2091 |
| SHA256 | db3da38fa2ea8e4963da53d891175e64a8f6653a15885613763b1f7f444e7164 |
| SHA512 | 146db5a40c2fa11392d1c9cda651b1d225740ae0aa7f7c3cc1637469ebf8761685785f2920ade4ee4eb343afc15831a70fc71bfe5220f56447780239150c639f |