Analysis Overview
SHA256
4b1486451a42cfc8d1372026c91ac09ae47bd010ec88d0233b93c0f4f8113296
Threat Level: Likely malicious
The file MediaCreationTool.bat was found to be: Likely malicious.
Malicious Activity Summary
Download via BitsAdmin
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 02:04
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 02:04
Reported
2024-08-09 02:07
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
130s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\bitsadmin.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\System32\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\System32\expand.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f
C:\Windows\System32\attrib.exe
attrib -R -S -H "C:\ESD"
C:\Windows\System32\Robocopy.exe
robocopy "C:\Users\Admin\AppData\Local\Temp\/" "C:\ESD/" "MediaCreationTool.bat"
C:\Windows\System32\cmd.exe
cmd /d /x /c set "ROOT=C:\Users\Admin\AppData\Local\Temp" & call "C:\ESD\MediaCreationTool.bat" set
C:\Windows\System32\chcp.com
chcp 437
C:\Windows\System32\attrib.exe
attrib -R -S -H "C:\ESD"
C:\Windows\System32\Robocopy.exe
robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"
C:\Windows\System32\cmd.exe
cmd /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
C:\Windows\System32\cmd.exe
cmd /q /v:on /c echo !.:~2,1!
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
C:\Windows\System32\cmd.exe
cmd /q /v:on /c echo !.:~2,1!
C:\Windows\System32\findstr.exe
findstr /c:\ /a:f0 " Detected Media "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:6f " en-US "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:9f " Professional "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:2f " x64 "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:17 "can rename script: "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\windowspowershell\v1.0\powershell.exe
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\attrib.exe
attrib -R -S -H "C:\ESD" /D
C:\Windows\System32\findstr.exe
findstr /c:\ /a:f0 " Windows 10 Version "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:5f " 1803 "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:f1 " 17134.112.180619-1212.rs4_release_svc_refresh "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:6f " en-US "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:9f " Consumer "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:2f " x64 "\..\c nul
C:\Windows\System32\windowspowershell\v1.0\powershell.exe
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 638587659788329374 /priority foreground http://software-download.microsoft.com/download/pr/MediaCreationTool1803.exe C:\ESD\MCT\MediaCreationTool1803.exe
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 638587659807860838 /priority foreground https://software-download.microsoft.com/download/pr/MediaCreationTool1803.exe C:\ESD\MCT\MediaCreationTool1803.exe
C:\Windows\System32\windowspowershell\v1.0\powershell.exe
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\expand.exe
expand.exe -R products1803.cab -F:* .
C:\Windows\System32\findstr.exe
findstr /c:\ /a:4f " ERROR "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:0f " Check urls in browser | del ESD dir | use powershell v3.0+ | unblock powershell | enable BITS serv "\..\c nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | software-download.microsoft.com | udp |
| US | 152.199.19.161:80 | software-download.microsoft.com | tcp |
| US | 8.8.8.8:53 | software-static.download.prss.microsoft.com | udp |
| US | 152.199.21.175:80 | software-static.download.prss.microsoft.com | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| US | 152.199.19.161:80 | software-download.microsoft.com | tcp |
| US | 152.199.21.175:80 | software-static.download.prss.microsoft.com | tcp |
| US | 152.199.21.175:80 | software-static.download.prss.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 152.199.21.175:443 | software-static.download.prss.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 152.199.21.175:443 | software-static.download.prss.microsoft.com | tcp |
| US | 8.8.8.8:53 | download.microsoft.com | udp |
| GB | 95.100.245.121:80 | download.microsoft.com | tcp |
| GB | 95.100.245.121:443 | download.microsoft.com | tcp |
| US | 8.8.8.8:53 | 121.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\ESD\MediaCreationTool.bat
C:\Users\Admin\AppData\Roaming\c
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlrpxszm.2oj.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 02:04
Reported
2024-08-09 02:06
Platform
win7-20240705-en
Max time kernel
60s
Max time network
52s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\bitsadmin.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Robocopy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f
C:\Windows\system32\reg.exe
reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f
C:\Windows\System32\attrib.exe
attrib -R -S -H "C:\ESD"
C:\Windows\System32\Robocopy.exe
robocopy "C:\Users\Admin\AppData\Local\Temp\/" "C:\ESD/" "MediaCreationTool.bat"
C:\Windows\System32\cmd.exe
cmd /d /x /c set "ROOT=C:\Users\Admin\AppData\Local\Temp" & call "C:\ESD\MediaCreationTool.bat" set
C:\Windows\System32\chcp.com
chcp 437
C:\Windows\System32\attrib.exe
attrib -R -S -H "C:\ESD"
C:\Windows\System32\Robocopy.exe
robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"
C:\Windows\System32\cmd.exe
cmd /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
C:\Windows\System32\cmd.exe
cmd /q /v:on /c echo !.:~2,1!
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
C:\Windows\System32\cmd.exe
cmd /q /v:on /c echo !.:~2,1!
C:\Windows\System32\findstr.exe
findstr /c:\ /a:f0 " Detected Media "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:6f " en-US "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:9f " Ultimate "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:2f " x64 "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:17 "can rename script: "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\windowspowershell\v1.0\powershell.exe
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\attrib.exe
attrib -R -S -H "C:\ESD" /D
C:\Windows\System32\findstr.exe
findstr /c:\ /a:f0 " Windows 10 Version "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:5f " 1809 "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:f1 " 17763.379.190312-0539.rs5_release_svc_refresh "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:6f " en-US "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:9f " Consumer "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:2f " x64 "\..\c nul
C:\Windows\System32\windowspowershell\v1.0\powershell.exe
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 638587659149588000 /priority foreground http://software-download.microsoft.com/download/pr/MediaCreationTool1809.exe C:\ESD\MCT\MediaCreationTool1809.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 638587659258764000 /priority foreground https://software-download.microsoft.com/download/pr/MediaCreationTool1809.exe C:\ESD\MCT\MediaCreationTool1809.exe
C:\Windows\System32\windowspowershell\v1.0\powershell.exe
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 638587659345500000 /priority foreground http://download.microsoft.com/download/8/E/8/8E852CBF-0BCC-454E-BDF5-60443569617C/products_20190314.cab C:\ESD\MCT\products1809.cab
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 638587659463124000 /priority foreground https://download.microsoft.com/download/8/E/8/8E852CBF-0BCC-454E-BDF5-60443569617C/products_20190314.cab C:\ESD\MCT\products1809.cab
C:\Windows\System32\findstr.exe
findstr /c:\ /a:4f " ERROR "\..\c nul
C:\Windows\System32\findstr.exe
findstr /c:\ /a:0f " Check urls in browser | del ESD dir | use powershell v3.0+ | unblock powershell | enable BITS serv "\..\c nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | software-download.microsoft.com | udp |
| US | 152.199.19.161:80 | software-download.microsoft.com | tcp |
| US | 8.8.8.8:53 | software-static.download.prss.microsoft.com | udp |
| US | 152.199.21.175:80 | software-static.download.prss.microsoft.com | tcp |
| US | 152.199.21.175:80 | software-static.download.prss.microsoft.com | tcp |
| US | 152.199.19.161:80 | software-download.microsoft.com | tcp |
| US | 152.199.21.175:80 | software-static.download.prss.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 152.199.19.161:443 | software-download.microsoft.com | tcp |
| US | 8.8.8.8:53 | download.microsoft.com | udp |
| GB | 95.100.245.121:80 | download.microsoft.com | tcp |
| GB | 95.100.245.121:443 | download.microsoft.com | tcp |
| GB | 95.100.245.121:443 | download.microsoft.com | tcp |
| GB | 95.100.245.121:80 | download.microsoft.com | tcp |
| GB | 95.100.245.121:443 | download.microsoft.com | tcp |
| GB | 95.100.245.121:443 | download.microsoft.com | tcp |
| GB | 95.100.245.121:443 | download.microsoft.com | tcp |
| GB | 95.100.245.121:443 | download.microsoft.com | tcp |
Files
C:\ESD\MediaCreationTool.bat
C:\Users\Admin\AppData\Roaming\c
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\CabA98A.tmp
C:\Users\Admin\AppData\Local\Temp\TarA99D.tmp