Malware Analysis Report

2024-12-07 14:40

Sample ID 241011-s419zazdpb
Target script.vbs
SHA256 a87d04d8757e41482bc19cd0ead2948fd7a5f40aac33f1834f5972579578d79a
Tags defense_evasion discovery exploit persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

8/10

SHA256

a87d04d8757e41482bc19cd0ead2948fd7a5f40aac33f1834f5972579578d79a

Threat Level: Likely malicious

The file script.vbs was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit persistence

Drops file in Drivers directory

Manipulates Digital Signatures

Possible privilege escalation attempt

Checks computer location settings

Boot or Logon Autostart Execution: Print Processors

Indicator Removal: Clear Windows Event Logs

Modifies file permissions

Drops file in System32 directory

Modifies termsrv.dll

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 15:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 15:41

Reported

2024-10-11 15:44

Platform

win7-20240708-en

Max time kernel

49s

Max time network

17s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\ql2300.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usb8023.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\ipnat.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\nwifi.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\partmgr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\mpio.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\qwavedrv.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ohci1394.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\Synth3dVsc.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vsmraid.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\volsnap.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\tcpip.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\vhdmp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\amdppm.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usbccgp.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\Wdf01000.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\ndis.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\tsusbhub.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\fr-FR\WUDFUsbccidDriver.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ql40xx.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\pci.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\bfe.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rassstp.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vwifibus.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\npfs.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\RNDISMP.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\isapnp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\hdaudbus.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\compbatt.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mrxsmb10.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\sbp2port.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\BrSerIb.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\rdbss.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\rdbss.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\BrFiltUp.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\kbdclass.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\pnpmem.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\isapnp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\serscan.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\BrParwdm.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\tcpipreg.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\afd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\USBCAMD2.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\serial.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\bfe.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\tunnel.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\qwavedrv.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\rdvgkmd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\AGP440.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\UAGP35.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\ohci1394.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\1394bus.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ksecpkg.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\RNDISMP.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mshidkmdf.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\NV_AGP.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\iirsp.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\rndismpx.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\MTConfig.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\vwifibus.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\wd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\mouhid.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\modem.sys.mui C:\Windows\System32\WScript.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\System32\wintrust.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\fr-FR\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\it-IT\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\ja-JP\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\jnwppr.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\de-DE\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\en-US\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\es-ES\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File created C:\Windows\System32\winevt\Logs\Application.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\System.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Security.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Setup.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Internet Explorer.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\OAlerts.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Media Center.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\HardwareEvents.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Key Management Service.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\spoolsv.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\perfproc.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\wzcdlg.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\DevicePairingProxy.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\netcenter.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\acctres.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\msobjs.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\mdmnokia.PNF C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD329C.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\vdsvd.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\msacm32.drv.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\it-IT\CNBP_337.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\B983243B1B5F59CFF73648C21D5FB88F.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmfcwia.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\authui.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\msinfo32.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\avmx64c.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\nv_LH.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\prnrc005.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdkmd64.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000at.vdf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\shwebsvc.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\ja-JP\CNBP_327.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\NlsLexicons000a.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NGE6V.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\prnnr002.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP1C.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHJ11N06.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\winload.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\finger.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\de-DE\CNBBR342.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\kernelceip.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS4000B6.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\prnle002.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\diskmgmt.msc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.cap C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf2100t.gpd C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\softkbd.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\LogFiles\WMI\Terminal-Services-Unified-APIs.etl C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\2B08F8B4B5DBD8346D4FF75E51BC8F87.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\inetres.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\mf.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OKML390T.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\prnkm003.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\el-GR\comctl32.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\sppnp.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\unimdmat.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\gpprnext.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\color\wscRGB.cdmp C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\tracerpt.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\winsockhc.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\AppIdPolicyEngineApi.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\it-IT\filetrace.mfl C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\CNBGRC1.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\azroles.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.format.ps1xml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\wpdmtphw.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\Licenses\OEM\ProfessionalN\license.rtf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN4231E3.PPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\tvratings.dll.mui C:\Windows\System32\WScript.exe N/A

Modifies termsrv.dll

Description Indicator Process Target
File created C:\Windows\System32\termsrv.dll C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1668 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2024 wrote to memory of 1668 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2024 wrote to memory of 1668 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1668 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1668 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1668 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1668 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1668 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1668 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 15:41

Reported

2024-10-11 15:44

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\en-US\dumpsd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\mup.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\vhdmp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\netio.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\stream.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\NdisVirtualBus.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\NdisVirtualBus.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\usbhub.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\kdnic.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\netvsc.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\Microsoft.Bluetooth.Profiles.HidOverGatt.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\amdi2c.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\NdisVirtualBus.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\adp80xx.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\disk.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\nwifi.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usbaudio2.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\WdfLdr.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\SleepStudyHelper.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\nvdimm.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\mouclass.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\pnpmem.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\ataport.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\msgpiowin32.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\vmbus.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\hidscanner.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\1394ohci.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\cnghwassist.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\IndirectKmd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\rdpdr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\cdrom.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\mup.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\IPMIDRV.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\etc\networks C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\scmbus.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dumpsd.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\xboxgip.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ipfltdrv.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\scfilter.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\acpi.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\refsv1.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\MTConfig.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\pci.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\modem.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\agilevpn.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vpci.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\processr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\netvsc.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\VerifierExt.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\hvservice.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\ntfs.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\Classpnp.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UcmCx.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\kbdclass.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\acpi.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\bcmfn2.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\UsbccidDriver.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\tcpip.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\ndiscap.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\srvnet.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\volmgrx.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\fvevol.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\idtsec.dll.mui C:\Windows\System32\WScript.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\System32\wintrust.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Time-Service%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Biometrics%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Application.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Security.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WorkFolders%4WHC.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\System.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\de-DE\rmapi.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\de-DE\mofcomp.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-OpenSSH-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.964.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\photowiz.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Microsoft-WindowsPhone-SEManagementProvider.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\Microsoft.Graphics.Display.DisplayEnhancementService.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\uk-UA\MsDtcWmi.mfl C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vstxraid.inf_amd64_300cb04282659e6d\vstxraid.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\fvewiz.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\DevicePairingFolder.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wstorflt.inf_amd64_8375a9378e7227d5\wstorflt.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\HalExtIntcLpioDma.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmtdkj4.inf_amd64_3bc71c4327f9f94e\mdmtdkj4.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\netnb.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\uefi.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\mshtml.tlb C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmUiDevices-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\mssph.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\iasdatastore.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\wlgpclnt.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\vssadmin.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\ResetEngine.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\AuthBroker.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Geocommon.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\iri.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\NetworkExplorer.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\volmgr.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\rtffilt.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\w32time.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\DscCoreConfProv.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\3D486D2EBFD5C380959985A548DC1308.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\netwlv64.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\whvcrash.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\MSFT_ProcessResource.psm1 C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\MSFT_RegistryResource.strings.psd1 C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Family.Cache.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-AppCompat-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\evr.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\msidntld.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\he-IL\quickassist.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Dism\it-IT\WimProvider.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\Windows.Data.Activities.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\downlevel\api-ms-win-core-version-l1-1-0.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\twinapi.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\PickerPlatform.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbemcomn.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\xmlfilter.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-Host-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0515~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\mtxdm.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\wvid.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\msftedit.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\Microsoft.Uev.AgentWmi.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Hyphenation-Dictionaries-en-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-GB\msimsg.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\wecsvc.dll.mui C:\Windows\System32\WScript.exe N/A

Modifies termsrv.dll

Description Indicator Process Target
File created C:\Windows\System32\termsrv.dll C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2700 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2700 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2700 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2700 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2700 wrote to memory of 4672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2700 wrote to memory of 4672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708