Analysis Overview
SHA256
a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037
Threat Level: Likely malicious
The file code.vbs was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (24555) files with added filename extension
Renames multiple (25612) files with added filename extension
Drops file in Drivers directory
Possible privilege escalation attempt
Checks computer location settings
Boot or Logon Autostart Execution: Print Processors
Indicator Removal: Clear Windows Event Logs
Modifies file permissions
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 15:43
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 15:43
Reported
2024-10-11 15:45
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Renames multiple (25612) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\drivers\NDKPing.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\mountmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\disk.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\wacompen.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mslldp.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\netvsc.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\intelppm.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\WifiCx.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\EhStorTcgDrv.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\HvService.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\USBHUB3.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\en-US\UsbccidDriver.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\HyperVideo.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\agilevpn.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\IndirectKmd.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\vhdmp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\ndiscap.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\EhStorTcgDrv.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\rdpdr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\es-ES\UsbccidDriver.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\hidbatt.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\msgpiowin32.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\USBCAMD2.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\kbdclass.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\sermouse.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\hyperkbd.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\sermouse.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\rdpdr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\acpi.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\cdrom.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\NdisVirtualBus.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\winnat.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\volsnap.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\smbdirect.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\partmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\tcpip.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\CEA.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fdc.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\ndis.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\bthenum.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\isapnp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\hdaudbus.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\kmpdc.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\dmvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\cdrom.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\tcpip.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\ja-JP\SensorsCx.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\USBXHCI.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\usbhub.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\dmvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ExecutionContext.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\usb8023.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\USBHUB3.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\de-DE\idtsec.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mouclass.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ndis.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\hidbatt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\vhdmp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\wof.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UsbPmApi.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\winnat.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TenantRestrictions%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-FileHistory-Core%4WHC.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AAD%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\OAlerts.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageManagement%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\NetDriverInstall.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.376.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\propsys.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Dism\UnattendProvider.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_69e8e0efb212ba16\Amd64\LOCALE.GPD.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\mcicda.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\VoipRT.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-ServerCommon-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\cs-CZ\APHostRes.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\usosvc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\cob-au.rs.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\MSFT_NetSwitchTeamMember.cdxml.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\WUDFUsbccidDriver.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\msacm32.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\softkbd.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\uk-UA\WfHC.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\findstr.exe.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\tlscsp.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\net7400-x64-n650.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\fr-FR\winlogon.mfl.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\atmlib.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-WindowsCore-Network-FlowSteering-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Opt-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\diagperf.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-merged-Package~31bf3856ad364e35~amd64~de-DE~11.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\seclogon.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\vds.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsExt-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\windows.internal.shellcommon.shareexperience.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\mmcshext.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\migwiz\replacementmanifests\Microsoft-Windows-SoftwareInventoryLogging-ScheduledTasks-Replacement.man.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_6b35ae132cca4253\mdmhay2.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_81026882a3888d9c\mdmsonyu.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_cfe8f1c2f6f0f4f7\vms3cap.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\sensordataservice.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\btpanui.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DeviceCompanionAppInstall.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\iastorav.inf_amd64_87f761c07c99d5e7\iaStorAVC.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-EventLog-Api-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\adrclient.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\en-US\cli.mfl.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\Performance\WmiApRpl.h.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\credprovs.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_4930e9ac235a7d97\amdk8.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\eappcfgui.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\appbackgroundtask.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\Tabbtn.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\MSFT_BackgroundTask.Format.ps1xml.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Windows.Media.Streaming.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Basic-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.318.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\gameport.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\joy.cpl.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\A7463B23BFE582993515A0109F19D304.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\DeviceDirectoryClient.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\uk-UA\rasmm.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DefaultDeviceManager.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Web-Services-for-Management-WinRM-WecSvc-Http-Registration-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\hid.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\kmddsp.tsp.mui.bat | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2168 wrote to memory of 4644 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2168 wrote to memory of 4644 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 4644 wrote to memory of 228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 4644 wrote to memory of 228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 4644 wrote to memory of 4744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 4644 wrote to memory of 4744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\* /grant everyone:(F)
Network
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| Hash | Value |
|---|---|
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |
memory/2168-1487-0x00007FFBFD850000-0x00007FFBFDBC8000-memory.dmp
memory/2168-1514-0x00007FFBFB3C0000-0x00007FFBFB43F000-memory.dmp
memory/2168-1518-0x00007FFBEA5E0000-0x00007FFBEA5FD000-memory.dmp
memory/2168-1515-0x00007FFBFC940000-0x00007FFBFC9EF000-memory.dmp
memory/2168-1509-0x00007FFBFC860000-0x00007FFBFC90E000-memory.dmp
memory/2168-2711-0x00007FFBFAFA0000-0x00007FFBFAFEC000-memory.dmp
memory/2168-2714-0x00007FFBF22A0000-0x00007FFBF2305000-memory.dmp
memory/2168-2712-0x00007FFBE7430000-0x00007FFBE74DC000-memory.dmp
memory/2168-2704-0x00007FFBFAB20000-0x00007FFBFAB2C000-memory.dmp
memory/2168-11646-0x00007FFBFDEA0000-0x00007FFBFE0A9000-memory.dmp
memory/2168-11659-0x00007FFBFCAE0000-0x00007FFBFCB9D000-memory.dmp
memory/2168-11668-0x00007FFBFB440000-0x00007FFBFB7B4000-memory.dmp
memory/2168-11967-0x00007FFBFBC20000-0x00007FFBFBD32000-memory.dmp
memory/2168-11974-0x00007FFBEDB60000-0x00007FFBEDB6A000-memory.dmp
memory/2168-11979-0x00007FFBFB110000-0x00007FFBFB1B2000-memory.dmp
memory/2168-11993-0x00007FFBF1FC0000-0x00007FFBF1FF8000-memory.dmp
memory/2168-11998-0x00007FFBEDB40000-0x00007FFBEDB5D000-memory.dmp
memory/2168-12009-0x00007FFBF3AB0000-0x00007FFBF3C9E000-memory.dmp
memory/2168-12015-0x00007FFBFA9B0000-0x00007FFBFA9D9000-memory.dmp
memory/2168-12020-0x00007FFBF8D70000-0x00007FFBF8DA4000-memory.dmp
memory/2168-12017-0x00007FFBF4620000-0x00007FFBF4E36000-memory.dmp
memory/2168-11999-0x00007FFBFD480000-0x00007FFBFD56A000-memory.dmp
memory/2168-12013-0x00007FFBFA6B0000-0x00007FFBFA6F2000-memory.dmp
memory/2168-12012-0x00007FFBF9ED0000-0x00007FFBF9EDC000-memory.dmp
memory/2168-12011-0x00007FFBF36D0000-0x00007FFBF36F8000-memory.dmp
memory/2168-12010-0x00007FFBF3730000-0x00007FFBF39E2000-memory.dmp
memory/2168-12008-0x00007FFBE5900000-0x00007FFBE5959000-memory.dmp
memory/2168-12007-0x00007FFBE5960000-0x00007FFBE5986000-memory.dmp
memory/2168-12005-0x00007FFBFB2C0000-0x00007FFBFB2E1000-memory.dmp
memory/2168-12003-0x00007FFBF7970000-0x00007FFBF7A67000-memory.dmp
memory/2168-12002-0x00007FFBFC790000-0x00007FFBFC7ED000-memory.dmp
memory/2168-11994-0x00007FFBFCBB0000-0x00007FFBFD35E000-memory.dmp
memory/2168-11992-0x00007FFBF2000000-0x00007FFBF203A000-memory.dmp
memory/2168-11991-0x00007FFBF5270000-0x00007FFBF5286000-memory.dmp
memory/2168-11989-0x00007FFBFA3F0000-0x00007FFBFA425000-memory.dmp
memory/2168-11988-0x00007FFBFAB60000-0x00007FFBFAB72000-memory.dmp
memory/2168-11987-0x00007FFBFBA40000-0x00007FFBFBBA2000-memory.dmp
memory/2168-11984-0x00007FFBF2040000-0x00007FFBF20D8000-memory.dmp
memory/2168-11982-0x00007FFBFDBD0000-0x00007FFBFDCEE000-memory.dmp
memory/2168-11978-0x00007FFBF8AA0000-0x00007FFBF8B4C000-memory.dmp
memory/2168-11976-0x00007FFBFA490000-0x00007FFBFA4A8000-memory.dmp
memory/2168-11975-0x00007FFBFC5B0000-0x00007FFBFC5E1000-memory.dmp
memory/2168-11972-0x00007FFBFD360000-0x00007FFBFD3FE000-memory.dmp
memory/2168-11968-0x00007FFBFC5F0000-0x00007FFBFC78A000-memory.dmp
memory/2168-11966-0x00007FFBFC910000-0x00007FFBFC939000-memory.dmp
memory/2168-11965-0x00007FFBFB390000-0x00007FFBFB3B6000-memory.dmp
memory/2168-11964-0x00007FFBFBDD0000-0x00007FFBFBF7C000-memory.dmp
memory/2168-11961-0x00007FFBFB860000-0x00007FFBFB971000-memory.dmp
memory/2168-11960-0x00007FFBFB7C0000-0x00007FFBFB85D000-memory.dmp
memory/2168-11958-0x00007FFBFDDA0000-0x00007FFBFDE43000-memory.dmp
memory/2168-11959-0x00007FFBFD570000-0x00007FFBFD646000-memory.dmp
memory/2168-11963-0x00007FFBFD650000-0x00007FFBFD770000-memory.dmp
memory/2168-25641-0x00007FF67CBE0000-0x00007FF67CC0A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 15:43
Reported
2024-10-11 15:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Renames multiple (24555) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\es-ES\mssmbios.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\pcw.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\usbcir.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\scmbus.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\null.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\urscx01000.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vms3cap.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\wcnfs.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\rfxvmt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\tsusbhub.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\dxgmms2.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\hdaudbus.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\rasl2tp.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\synth3dvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\hidclass.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\lsi_sss.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ufxsynopsys.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\nvdimm.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\sdstor.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\USBXHCI.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\rdbss.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\storahci.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\wfplwfs.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\iaStorAVC.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\hvservice.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\modem.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mvumis.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\pacer.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\wdf01000.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\mrxsmb.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\exfat.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\modem.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\ws2ifsl.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\mountmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\dmvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\pcmcia.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\rdvgkmd.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fileinfo.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\netvsc.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\volsnap.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\dumpsd.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\netvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\partmgr.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\hidbatt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\dumpsd.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fvevol.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\usbhub.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\it-IT\mgtdyn.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\NdisImPlatform.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\gm.dls.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\Udecx.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\NdisVirtualBus.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vhdmp.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\EhStorTcgDrv.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\i8042prt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\qwavedrv.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\ndiscap.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\fr-FR\SensorsHid.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\iorate.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\errdev.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\usbstor.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\http.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\luafv.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\mountmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Key Management Service.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Biometrics%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Setup.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\fr-FR\crypt32.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\tdh.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\uk-UA\shdocvw.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\fr-FR\ufxsynopsys.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\de-DE\smbwmiv2.mfl.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Client-Manager-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\NetworkStatus.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\de-DE\polprocl.mfl.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ConsentUxClient.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingCommon-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\rshx32.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\DFDTS.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\BthAvrcp.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\TtlsAuth.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\wshext.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\TSWorkspace.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\netmscli.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\shutdown.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spp\tokens\skus\ProfessionalSingleLanguage\ProfessionalSingleLanguage-Retail-1-ul-oob.xrm-ms.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\rundll32.exe.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-IsolatedUserMode-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\c_sensor.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\sbe.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-LanguageFeatures-Handwriting-de-de-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\userinitext.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\sdfrd.inf_amd64_25779da6eca4810a\SDFRd.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\fthsvc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\sdshext.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\imaadp32.acm.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\deviceregistration.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA364xp_ssku_DE_0522.bin.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\win32spl.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\EventCreate.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\migwiz\mighost.exe.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\348C74BBB0C8791244D9BA708604211E.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\fr-FR\powermeterprovider.mfl.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\apds.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-LanguageFeatures-Speech-ja-jp-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\es-ES\usbcir.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\FunDisc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\setupcl.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\StorSvc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\odbcconf.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\provpackageapidll.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\AppV\AppVStreamingUX.exe.config.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\bg-BG\quickassist.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Server-D-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\OptionalFeatures.exe.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-jp\MultiDigiMon.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\de-DE\W32UIRes.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\cfgbkend.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_LE_5.bin.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Storage\Volume.cdxml.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\shlwapi.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\AutoRecover\AD6E370A764693BABD73A1B75D243F0B.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat.bat | C:\Windows\System32\WScript.exe | N/A |
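The driver, event-log and System32 tables above all show the same pattern: an existing file keeps its original extension and gains a trailing `.bat`, which is what the "Renames multiple files with added filename extension" signature counts. Note that the "Clear Windows Event Logs" signature is also driven by these renames: the `.evtx` files are moved out of the way, not cleared with `wevtutil` (no such process appears in the Processes section). The following triage helper is an added example, not part of the sandbox report or of the script being analysed. It infers the appended suffix from a file listing instead of assuming `.bat`, recovers the original names, groups them by the directories the report flags, and refuses to propose a rename-back where the original path already exists. The listing is constructed from indicators on this page plus a few untouched files; `infer_appended_suffix`, `renamed_files`, `categorise` and `triage` are names chosen here.

```python
"""Triage the "renames files with added filename extension" behaviour.

Added example (not the sandbox's or the malware's code). SAMPLE_LISTING
is constructed from indicators in this report plus a few untouched files.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Constructed listing: renamed files from the tables above, two untouched
# files, one genuine .dll.mui resource, and the dropped whysoserious.bat.
SAMPLE_LISTING = [
    r"C:\Windows\System32\drivers\pcw.sys.bat",
    r"C:\Windows\System32\drivers\null.sys.bat",
    r"C:\Windows\System32\drivers\es-ES\mssmbios.sys.mui.bat",
    r"C:\Windows\System32\winevt\Logs\Security.evtx.bat",
    r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx.bat",
    r"C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat",
    r"C:\Windows\System32\rundll32.exe.bat",
    r"C:\Windows\System32\shlwapi.dll.bat",
    r"C:\Windows\System32\drivers\ntfs.sys",          # untouched (assumed)
    r"C:\Windows\System32\shlwapi.dll",               # untouched; collides with .bat copy
    r"C:\Windows\System32\fr-FR\crypt32.dll.mui",     # legitimate double extension
    r"C:\Users\Admin\AppData\Local\Temp\whysoserious.bat",  # genuine .bat dropped by the script
]


def infer_appended_suffix(paths, min_share=0.5):
    """Guess the suffix the malware appended: the dominant last extension
    among names that carry at least two extensions (stem.orig.added).
    Returns None when no suffix clearly dominates."""
    counts = Counter()
    for p in paths:
        parts = PureWindowsPath(p).name.split(".")
        if len(parts) >= 3:
            counts["." + parts[-1].lower()] += 1
    if not counts:
        return None
    suffix, n = counts.most_common(1)[0]
    return suffix if n / sum(counts.values()) >= min_share else None


def renamed_files(paths, suffix):
    """Return (current_path, original_path) for files whose name ends in
    `suffix` and still has an inner extension once it is stripped."""
    pairs = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == suffix and PureWindowsPath(wp.stem).suffix:
            pairs.append((p, str(wp.with_name(wp.stem))))
    return pairs


def categorise(original_path):
    """Bucket a recovered path by the locations the report singles out."""
    p = original_path.lower()
    if "\\winevt\\logs\\" in p:
        return "event_log"
    if "\\system32\\drivers\\" in p:
        return "driver"
    if "\\spool\\prtprocs\\" in p:
        return "print_processor"
    if "\\system32\\" in p:
        return "system32"
    return "other"


def triage(paths):
    """Summarise the renames and flag originals that already exist, so a
    responder does not blindly rename over a restored or replaced file."""
    suffix = infer_appended_suffix(paths)
    if suffix is None:
        return {"suffix": None, "renamed": [], "by_category": {}, "collisions": []}
    existing = {p.lower() for p in paths}
    pairs = renamed_files(paths, suffix)
    by_cat = Counter(categorise(orig) for _, orig in pairs)
    collisions = [orig for _, orig in pairs if orig.lower() in existing]
    return {
        "suffix": suffix,
        "renamed": pairs,
        "by_category": dict(by_cat),
        "collisions": collisions,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("appended suffix:", result["suffix"])
    print("renamed per category:", result["by_category"])
    for cur, orig in result["renamed"]:
        flag = "  (COLLISION: original exists)" if orig in result["collisions"] else ""
        print(f"{cur} -> {orig}{flag}")
```

On a live host the listing would come from a recursive directory walk of `C:\Windows\System32`; the `.bat` suffix is inferred rather than hard-coded because the same script family can be re-released with a different appended extension, and the collision list is what makes the output safe to feed into a rename-back loop.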
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 916 wrote to memory of 4340 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 916 wrote to memory of 4340 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 4340 wrote to memory of 4996 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 4340 wrote to memory of 4996 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 4340 wrote to memory of 1552 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 4340 wrote to memory of 1552 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
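The command line above is the enabling step for everything else in this report: `takeown` takes ownership of every file directly under System32 (hence the `SeTakeOwnershipPrivilege` adjustment), and `icacls ... /grant everyone:(F)` then hands Full Control to Everyone, after which an unprivileged WScript.exe can rename drivers, event logs and the print processor at will. Below is an added detection example, not part of the sandbox report: it runs over constructed process-creation records shaped like the Processes and WriteProcessMemory sections (parent/child PIDs, image, command line; field names follow Sysmon Event ID 1 but the records are hand-built), flags `takeown` on a system directory and `icacls` grants of Full Control to a world principal on a system directory, and walks the parent chain so the alert shows the scripting host that launched the chain. `classify`, `find_alerts`, `SYSTEM_DIR_PREFIXES` and `WORLD_GRANTEES` are names chosen for this example.

```python
"""Detect the takeown / icacls ACL-weakening chain seen in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS is a
constructed set of process-creation records mirroring the Processes
section (WScript.exe -> cmd.exe -> takeown.exe / icacls.exe) plus one
benign icacls invocation that must not alert.
"""
import re

SYSTEM_DIR_PREFIXES = ("c:\\windows", "c:\\program files")
# Principals that mean "anyone on the box" for the purpose of this check.
WORLD_GRANTEES = {"everyone", "*s-1-1-0", "users", "builtin\\users", "*s-1-5-32-545"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

TAKEOWN_RE = re.compile(r"\btakeown(?:\.exe)?\b.*?/f\s+\"?([^\s\"]+)", re.I)
ICACLS_RE = re.compile(r"\bicacls(?:\.exe)?\b\s+\"?([^\s\"]+)\"?.*?/grant(?::r)?\s+(\S+)", re.I)

# Constructed records (Sysmon EID 1 style fields, PIDs taken from the report).
SAMPLE_EVENTS = [
    {"pid": 916, "ppid": 700, "Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"'},
    {"pid": 4340, "ppid": 916, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)'},
    {"pid": 4996, "ppid": 4340, "Image": r"C:\Windows\system32\takeown.exe",
     "CommandLine": r"takeown /f C:\Windows\System32\*"},
    {"pid": 1552, "ppid": 4340, "Image": r"C:\Windows\system32\icacls.exe",
     "CommandLine": r"icacls C:\Windows\System32\* /grant everyone:(F)"},
    # Benign admin use on a user directory: must not alert.
    {"pid": 2000, "ppid": 1800, "Image": r"C:\Windows\system32\icacls.exe",
     "CommandLine": r"icacls C:\Users\Admin\Documents /grant Admin:(R)"},
]


def is_system_path(path):
    p = path.lower().replace("/", "\\")
    return p.startswith(SYSTEM_DIR_PREFIXES)


def grants_world_full(grantee_spec):
    """True for icacls grant specs such as everyone:(F) or *S-1-1-0:(OI)(CI)F."""
    name, sep, perms = grantee_spec.rpartition(":")
    if not sep:
        return False
    return name.lower() in WORLD_GRANTEES and re.search(r"\bF\b", perms) is not None


def classify(cmdline):
    """Return the tags a single command line earns (empty list if none)."""
    tags = []
    m = TAKEOWN_RE.search(cmdline)
    if m and is_system_path(m.group(1)):
        tags.append("takeown_on_system_dir")
    m = ICACLS_RE.search(cmdline)
    if m and is_system_path(m.group(1)) and grants_world_full(m.group(2)):
        tags.append("icacls_world_full_on_system_dir")
    return tags


def ancestor_chain(events, pid):
    """Image names from the given PID up to the root seen in the log."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def find_alerts(events):
    """Classify every record and annotate hits with their parent chain."""
    alerts = []
    for e in events:
        tags = classify(e["CommandLine"])
        if not tags:
            continue
        chain = ancestor_chain(events, e["pid"])
        alerts.append({
            "pid": e["pid"],
            "tags": tags,
            "chain": chain,
            "from_script_host": any(img in SCRIPT_HOSTS for img in chain[1:]),
        })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(a["pid"], a["tags"], " <- ".join(a["chain"]),
              "(launched via script host)" if a["from_script_host"] else "")
```

The cmd.exe record is tagged as well as its two children, which is intentional: on a host where only 4688 events without child process lines are available, the `/c` command line alone is enough to catch the chain. The `from_script_host` flag is the cheap prioritisation signal, since `takeown` on System32 from an interactive admin shell is rare but legitimate, while the same command under WScript.exe almost never is.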
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.72.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |