Analysis Overview
SHA256
a87d04d8757e41482bc19cd0ead2948fd7a5f40aac33f1834f5972579578d79a
Threat Level: Likely malicious
The file script.vbs was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Manipulates Digital Signatures
Possible privilege escalation attempt
Checks computer location settings
Boot or Logon Autostart Execution: Print Processors
Indicator Removal: Clear Windows Event Logs
Modifies file permissions
Drops file in System32 directory
Modifies termsrv.dll
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 15:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 15:41
Reported
2024-10-11 15:44
Platform
win7-20240708-en
Max time kernel
49s
Max time network
17s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\ql2300.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\usb8023.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\ipnat.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\nwifi.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\partmgr.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\mpio.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\qwavedrv.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ohci1394.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\Synth3dVsc.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vsmraid.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\volsnap.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\tcpip.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\vhdmp.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\amdppm.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\usbccgp.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\Wdf01000.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\ndis.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\tsusbhub.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\fr-FR\WUDFUsbccidDriver.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ql40xx.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\pci.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\bfe.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\rassstp.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vwifibus.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\npfs.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\RNDISMP.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\isapnp.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\hdaudbus.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\compbatt.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mrxsmb10.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\sbp2port.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\BrSerIb.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\rdbss.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\rdbss.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\BrFiltUp.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\kbdclass.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\pnpmem.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\isapnp.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\serscan.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\BrParwdm.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\tcpipreg.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\afd.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\USBCAMD2.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\serial.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\bfe.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\tunnel.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\qwavedrv.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\rdvgkmd.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\AGP440.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\UAGP35.SYS.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\ohci1394.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\1394bus.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ksecpkg.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\RNDISMP.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mshidkmdf.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\NV_AGP.SYS.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\iirsp.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\rndismpx.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\MTConfig.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\vwifibus.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\wd.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\mouhid.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\modem.sys.mui | C:\Windows\System32\WScript.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\wintrust.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\spool\prtprocs\x64\fr-FR\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\it-IT\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\ja-JP\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\jnwppr.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\de-DE\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\en-US\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\es-ES\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\winevt\Logs\Application.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\System.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Security.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Setup.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Internet Explorer.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\OAlerts.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Media Center.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Key Management Service.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\spoolsv.exe.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\perfproc.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\wzcdlg.mof | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\DevicePairingProxy.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\netcenter.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\acctres.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\msobjs.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\mdmnokia.PNF | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD329C.GPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\vdsvd.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\msacm32.drv.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\x64\3\it-IT\CNBP_337.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\B983243B1B5F59CFF73648C21D5FB88F.mof | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmfcwia.inf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\authui.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\msinfo32.exe.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\de-DE\avmx64c.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\de-DE\nv_LH.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\en-US\prnrc005.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdkmd64.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000at.vdf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\shwebsvc.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\x64\3\ja-JP\CNBP_327.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\NlsLexicons000a.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NGE6V.GPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\ja-JP\prnnr002.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP1C.GPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHJ11N06.GPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\winload.exe.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\finger.exe.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\x64\3\de-DE\CNBBR342.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\kernelceip.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS4000B6.GPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\prnle002.inf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\diskmgmt.msc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.cap | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf2100t.gpd | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\softkbd.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\LogFiles\WMI\Terminal-Services-Unified-APIs.etl | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\2B08F8B4B5DBD8346D4FF75E51BC8F87.mof | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\inetres.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\mf.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OKML390T.GPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\prnkm003.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\el-GR\comctl32.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\sppnp.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\unimdmat.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\gpprnext.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\color\wscRGB.cdmp | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\tracerpt.exe | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\winsockhc.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\AppIdPolicyEngineApi.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\it-IT\filetrace.mfl | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\CNBGRC1.GPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\azroles.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.format.ps1xml | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\en-US\wpdmtphw.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\Licenses\OEM\ProfessionalN\license.rtf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN4231E3.PPD | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\tvratings.dll.mui | C:\Windows\System32\WScript.exe | N/A |
Modifies termsrv.dll
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\termsrv.dll | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2024 wrote to memory of 1668 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2024 wrote to memory of 1668 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2024 wrote to memory of 1668 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 1668 wrote to memory of 2540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 1668 wrote to memory of 2540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 1668 wrote to memory of 2540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 1668 wrote to memory of 2268 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 1668 wrote to memory of 2268 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 1668 wrote to memory of 2268 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| Hash | Value |
| --- | --- |
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 15:41
Reported
2024-10-11 15:44
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
123s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\en-US\dumpsd.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\mup.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\vhdmp.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\netio.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\stream.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\NdisVirtualBus.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\NdisVirtualBus.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\usbhub.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\kdnic.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\netvsc.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\de-DE\Microsoft.Bluetooth.Profiles.HidOverGatt.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\amdi2c.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\NdisVirtualBus.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\adp80xx.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\disk.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\nwifi.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\usbaudio2.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\WdfLdr.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\SleepStudyHelper.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\nvdimm.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\mouclass.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\pnpmem.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\ataport.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\msgpiowin32.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\vmbus.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\es-ES\hidscanner.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\1394ohci.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\cnghwassist.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\IndirectKmd.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\rdpdr.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\cdrom.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\mup.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\IPMIDRV.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\networks | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\scmbus.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\dumpsd.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\xboxgip.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ipfltdrv.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\scfilter.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\acpi.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\refsv1.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\MTConfig.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\pci.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\modem.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\agilevpn.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vpci.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\processr.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\netvsc.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\VerifierExt.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\hvservice.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\ntfs.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\Classpnp.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UcmCx.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\kbdclass.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\acpi.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\bcmfn2.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\de-DE\UsbccidDriver.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\tcpip.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\ndiscap.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\srvnet.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\volmgrx.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\fvevol.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\es-ES\idtsec.dll.mui | C:\Windows\System32\WScript.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\wintrust.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Time-Service%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Biometrics%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Application.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Security.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WorkFolders%4WHC.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\System.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\de-DE\rmapi.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\de-DE\mofcomp.exe.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-OpenSSH-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.964.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\photowiz.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Microsoft-WindowsPhone-SEManagementProvider.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\Microsoft.Graphics.Display.DisplayEnhancementService.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\uk-UA\MsDtcWmi.mfl | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vstxraid.inf_amd64_300cb04282659e6d\vstxraid.inf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\fvewiz.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\DevicePairingFolder.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wstorflt.inf_amd64_8375a9378e7227d5\wstorflt.inf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\ja-JP\HalExtIntcLpioDma.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmtdkj4.inf_amd64_3bc71c4327f9f94e\mdmtdkj4.inf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\es-ES\netnb.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\es-ES\uefi.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\mshtml.tlb | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmUiDevices-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\mssph.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\iasdatastore.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\wlgpclnt.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\vssadmin.exe.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\ResetEngine.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\AuthBroker.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Geocommon.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\iri.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\uk-UA\NetworkExplorer.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\fr-FR\volmgr.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\rtffilt.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\w32time.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\uk-UA\DscCoreConfProv.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\3D486D2EBFD5C380959985A548DC1308.mof | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\de-DE\netwlv64.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\de-DE\whvcrash.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\MSFT_ProcessResource.psm1 | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\MSFT_RegistryResource.strings.psd1 | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Family.Cache.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-AppCompat-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\evr.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.inf | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\msidntld.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\he-IL\quickassist.exe.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Dism\it-IT\WimProvider.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\uk-UA\Windows.Data.Activities.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\downlevel\api-ms-win-core-version-l1-1-0.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\twinapi.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\PickerPlatform.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbemcomn.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\xmlfilter.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-Host-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0515~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\mtxdm.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\es-ES\wvid.inf_loc | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\msftedit.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\Microsoft.Uev.AgentWmi.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Hyphenation-Dictionaries-en-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-GB\msimsg.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\wecsvc.dll.mui | C:\Windows\System32\WScript.exe | N/A |
Modifies termsrv.dll
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\termsrv.dll | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2960 wrote to memory of 2700 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2960 wrote to memory of 2700 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2700 wrote to memory of 4428 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2700 wrote to memory of 4428 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2700 wrote to memory of 4672 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2700 wrote to memory of 4672 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\* /grant everyone:(F)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |