Malware Analysis Report

2024-12-07 14:51

Sample ID 241011-s5f1eszdqf
Target code.vbs
SHA256 69983df4e763c21c65d22182966c032d269943f974123f395974e931de7459d5
Tags
discovery exploit persistence ransomware defense_evasion
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

69983df4e763c21c65d22182966c032d269943f974123f395974e931de7459d5

Threat Level: Likely malicious

The file code.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit persistence ransomware defense_evasion

Renames multiple (286) files with added filename extension

Renames multiple (151) files with added filename extension

Possible privilege escalation attempt

Manipulates Digital Signatures

Drops file in Drivers directory

Modifies file permissions

Checks computer location settings

Boot or Logon Autostart Execution: Print Processors

Indicator Removal: Clear Windows Event Logs

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Modifies termsrv.dll

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 15:42

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 15:42

Reported

2024-10-11 15:44

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

Signatures

Renames multiple (151) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\pcw.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\volmgr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\wof.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\acpi.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\usbport.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\fltmgr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\wacompen.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mausbhost.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\tsusbflt.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\idtsec.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\mrxsmb.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\dmvsc.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\MTConfig.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\volsnap.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\SDFLauncher.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\srv2.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\sermouse.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\afd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\ntfs.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\pmem.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\wfplwfs.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\sisraid2.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\mrxsmb.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\sdbus.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\luafv.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\netio.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ntosext.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\CAD.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\vmstorfl.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\wdf01000.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\hidusb.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\vhdmp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\isapnp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\hidscanner.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\wpdmtpdr.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\mouhid.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\scfilter.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\smbdirect.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\qwavedrv.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\UsbXhciCompanion.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\raspppoe.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rdpbus.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\urscx01000.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\rdpdr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\ataport.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\NdisImPlatform.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\parport.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\percsas3i.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\pcmcia.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\HdAudio.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\i8042prt.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\nwifi.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\usbhub.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\USBXHCI.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\mslldp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\hidclass.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\ndisuio.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\rdpdr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\fvevol.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\tunnel.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\nwifi.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\parport.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\qwavedrv.sys.mui C:\Windows\System32\WScript.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\System32\wintrust.dll C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\Fonts\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\System32\WScript.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\System32\WScript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\mdmaiwa5.inf_amd64_8416dd97e1ecb6dc\mdmaiwa5.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\storagewmi_passthru.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\sysclass.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndisuio.inf_amd64_6096fd74a67ccd5d\ndisuio.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Dism\DismCorePS.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\amdsata.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\BdeHdCfgLib.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\dsprov.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Network-Connectivity-Assistant-Service-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-Host-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\scavengeui.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\dhcpcsvc.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\87C0585DEAE72716889B524A66D1B5A3.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\swprv.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS.gpd C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\lz32.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\CloudExperienceHostCommon.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-ApplicationModel-Sync-Desktop-FOD-Package~31bf3856ad364e35~wow64~~10.0.19041.264.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\0736061F644ECE849A494F2EDE2008CE.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\NdisImPlatform.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\migwiz\dlmanifests\TerminalServices-RemoteConnectionManager-DL.man C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\shell32.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\TpmInit.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\netmsg.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\UevAgentDriver.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Network-Connectivity-Assistant-Service-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\cmmon32.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\Windows.Data.Activities.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\en-US\KrnlProv.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-DeviceUpdateCenter-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\KBDSL1.DLL C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Devices-EmulatedChipset-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-OpenSSH-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.84.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\oobe\it-IT\audit.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\dialclient.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\wpdcomp.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\fdPHost.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\raschap.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\usbhub3.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-KeyboardFilter-Package~31bf3856ad364e35~amd64~~10.0.19041.844.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\xmlfilter.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\CertPolEng.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\WorkFoldersShell.Dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\DMWmiBridgeProv.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Containers-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\rtwlanu_oldIC.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\Autofmt.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\dinput.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\tools\en-US\PrintBrm.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spp\tokens\skus\ProfessionalWorkstation\ProfessionalWorkstation-Volume-CSVLK-6-ul-phn-rtm.xrm-ms C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\STEXSTOR.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\battery.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_f2e8231e8b60f214\msports.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx4-WCF-US-OC-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\ajrouter.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\sendmail.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\datadict.0C0A.dat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\umpass.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\iashlpr.dll.mui C:\Windows\System32\WScript.exe N/A

Modifies termsrv.dll

Description Indicator Process Target
File created C:\Windows\System32\termsrv.dll C:\Windows\System32\WScript.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PolicyDefinitions\it-IT\pca.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.264.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-AppServerClient-OptGroup-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\write.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\7b5c5e18f54175c9d821602aea803caa\Microsoft.PowerShell.Management.Activities.ni.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.Compression.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\en-US\PresentationHost_v0400.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-Holographic-Desktop-Analog-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-LanguageFeatures-TextToSpeech-it-it-Package~31bf3856ad364e35~wow64~~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-OneCore-Containers-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-OneCore-DeviceUpdateCenter-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-EditionPack-Professional-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Fonts\DUBAI-MEDIUM.TTF C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsAuthenticationProtocols.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.windowsauthenticationprotocols.commands.resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework-SystemXml.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr\UIAutomationProvider.resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\WindowsDefenderSecurityCenter.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Speech\Common\it-IT\sapisvr.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-Security-SPP-Component-SKU-ProfessionalSingleLanguage-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\ko-KR_BitLockerToGo.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE} C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\error.aspx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\HyperV-VmBus-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-NetFx-Shared-WPF-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\navigationBar.ascx.fr.resx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\Sensors.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\Setup.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Speech\3.0.0.0__31bf3856ad364e35\System.Speech.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Cursors\aero_up_l.cur C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Workflow.Runtime.resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\mscorlib.resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.OCR~nb-no~1.0.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\aspnet_rc.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\Smartcard.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Handwriting~nn-no~1.0.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\diagnostics\system\IEBrowseWeb\fr-FR\RS_RestoreIEconnection.psd1 C:\Windows\System32\WScript.exe N/A
File created C:\Windows\diagnostics\system\IEBrowseWeb\ja-JP\DiagPackage.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Globalization\ELS\HyphenationDictionaries\MsHy7de.lex C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\GlobalSansSerif.CompositeFont C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\jphone.browser C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-OneCore-Containers-Guest-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.867.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-Media-Streaming-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-TextPrediction-Dictionaries-de-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Printing.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-msmq-adintegration-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\logo.scale-200.png C:\Windows\System32\WScript.exe N/A
File created C:\Windows\L2Schemas\WWAN_profile_v8.xsd C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-EditionPack-Professional-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\INF\microsoft_bluetooth_avrcptransport.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-OfflineFiles-UI-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr\UIAutomationTypes.resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-SearchEngine-Client-Package-shell-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum C:\Windows\System32\WScript.exe N/A
File created C:\Windows\INF\termkbd.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.WebSockets.Client\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.WebSockets.Client.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Transactions.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Entity.dll C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 4516 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3100 wrote to memory of 4516 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4516 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4516 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4516 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4516 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\* && icacls C:\Windows\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\* /grant everyone:(F)
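
The process tree above (WScript.exe -> cmd.exe -> takeown.exe and icacls.exe, taking ownership of C:\Windows\* and then granting Everyone full control) is the behaviour behind the "Possible privilege escalation attempt", "Modifies file permissions" and "Suspicious use of AdjustPrivilegeToken" (SeTakeOwnershipPrivilege) signatures. The detection rule below is an added example written for this page; it is not part of the sandbox report or of the sample. It walks process-creation records, flags takeown/icacls invocations that weaken ACLs on system paths, and raises the severity when a script host sits in the parent chain. The event records are constructed: the PIDs 3100/4516/1628/404 and their command lines are taken from this report, while the explorer.exe parent (PID 2044) and the two benign admin events are assumptions added to show the rule ignoring legitimate activity.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record, trimmed to the fields the rule needs (Sysmon EID 1 / 4688)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry modelled on the report's process tree. PIDs 3100/4516/1628/404 and
# their command lines come from the report; the explorer.exe parent (PID 2044) and the last
# two benign events are assumptions added to show the rule ignoring legitimate admin work.
SAMPLE_EVENTS = [
    ProcEvent(2044, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3100, 2044, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"'),
    ProcEvent(4516, 3100, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\* && icacls C:\Windows\* /grant everyone:(F)'),
    ProcEvent(1628, 4516, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Windows\*"),
    ProcEvent(404, 4516, r"C:\Windows\system32\icacls.exe", r"icacls C:\Windows\* /grant everyone:(F)"),
    ProcEvent(777, 2044, r"C:\Windows\system32\icacls.exe", r"icacls C:\Users\Admin\Documents /grant Admin:(R)"),
    ProcEvent(778, 2044, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Users\Admin\Desktop\old.txt"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
ACL_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}
PROTECTED_PREFIXES = (r"c:\windows", r"c:\program files", r"c:\programdata")
# A grant of F/M/W to one of these principals (by name or well-known SID) makes the target
# writable by every local user; inheritance flags such as (OI)(CI) may sit before the right.
BROAD_GRANT_RE = re.compile(
    r'(?P<who>everyone|users|authenticated users|\*s-1-1-0|\*s-1-5-11|\*s-1-5-32-545)"?'
    r":\s*(?:\([a-z]+\))*\(?(?P<right>f|m|w)\)?",
)


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(ev: ProcEvent, by_pid: dict, max_depth: int = 10) -> list:
    """Parent chain of ev, nearest first; bounded so a PID cycle cannot loop forever."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def _touches_protected(cmdline: str) -> bool:
    """True when the command line names a path under a protected system directory."""
    cl = cmdline.lower()
    return any(p in cl for p in PROTECTED_PREFIXES)


def classify(ev: ProcEvent, by_pid: dict) -> Optional[dict]:
    """Return a finding for an ACL-weakening takeown/icacls invocation, else None."""
    tool = _base(ev.image)
    if tool not in ACL_TOOLS:
        return None
    cl = ev.cmdline.lower()
    reasons = []
    if tool == "takeown.exe" and _touches_protected(cl):
        reasons.append("takeown on a protected system path")
    elif tool in ("icacls.exe", "cacls.exe") and ("/grant" in cl or "/g " in cl):
        m = BROAD_GRANT_RE.search(cl)
        if m:
            reasons.append(f"grants {m.group('right').upper()} to {m.group('who')}")
            if _touches_protected(cl):
                reasons.append("target is a protected system path")
    if not reasons:
        return None
    # A script host anywhere up the tree (here WScript.exe -> cmd.exe) is the strongest signal.
    hosts = [_base(a.image) for a in _ancestors(ev, by_pid) if _base(a.image) in SCRIPT_HOSTS]
    if hosts:
        reasons.append(f"spawned under script host {hosts[0]}")
    return {"pid": ev.pid, "tool": tool,
            "severity": "high" if hosts else "medium", "reasons": reasons}


def scan(events) -> list:
    """Run classify over a batch of events and return the findings in event order."""
    by_pid = {e.pid: e for e in events}
    return [f for f in (classify(e, by_pid) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['tool']}: " + "; ".join(f["reasons"]))
```

Run as a script it prints two high-severity findings (PIDs 1628 and 404) and nothing for the two benign events. In production the ProcEvent list would come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; the broad-principal pattern should also be extended with the localized names of Everyone and Users, since icacls accepts those on non-English installs and the report's sample itself dropped localized resource files in several languages.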

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 15:42

Reported

2024-10-11 15:44

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

Signatures

Renames multiple (286) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\it-IT\rdpwd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\vdrvroot.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\bridge.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\pnpmem.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\modem.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\tpm.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\AGP440.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\bfe.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\serscan.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\tcpip.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\amdppm.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\i8042prt.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\hidbth.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\parport.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\serial.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\ja-JP\WpdMtpDr.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\acpipmi.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\lsi_sas.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mrxsmb10.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\mouclass.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\iirsp.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\NV_AGP.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\wd.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\sermouse.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UAGP35.SYS C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\ataport.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\isapnp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\kbdclass.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\ULIAGPKX.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\tpm.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\qwavedrv.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\partmgr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\vhdmp.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\ndisuio.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\sermouse.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\wdf01000.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\atikmdag.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\HdAudio.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\nvraid.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ULIAGPKX.SYS C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\msahci.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rdyboost.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rspndr.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\NV_AGP.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\processr.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\luafv.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\http.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ksthunk.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\USBSTOR.SYS C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\tcpip.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\ULIAGPKX.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\etc\protocol C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\NV_AGP.SYS.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\msfs.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\NV_AGP.SYS C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vmbus.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\srv.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\appid.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\portcls.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\rdbss.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\bthenum.sys.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\MTConfig.sys.mui C:\Windows\System32\WScript.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\wintrust.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wintrust.dll C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\en-US\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\es-ES\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\fr-FR\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\it-IT\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\ja-JP\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\jnwppr.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\de-DE\LXKPTPRC.DLL.mui C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Key Management Service.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\System.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\HardwareEvents.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Setup.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Security.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Application.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Media Center.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Internet Explorer.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\OAlerts.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\Media\Sonata\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Calligraphy\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Quirky\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Festival\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Heritage\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Savanna\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Delta\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Landscape\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Garden\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Web\Wallpaper\Characters\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Cityscape\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Web\Wallpaper\Nature\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Media\Raga\Desktop.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini C:\Windows\System32\WScript.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\System32\WScript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBBR320.DLL C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\TabSvc.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\msacm32.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\sppui\migrate.obe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\KBDHU.DLL C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\ja-JP\sensorscpl.mfl C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\mmcico.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\en-US\WinSCard.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\msmq-triggers-DL.man C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\cmutil.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\NlsLexicons003e.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\sbp2.inf_amd64_neutral_332943647e950ada\sbp2.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_job_details.help.txt C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\ADFS-WebAgentToken-DL.man C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS35006.GPD C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\en-US\apilogen.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterN\license.rtf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WSDMon.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\ja-JP\kyw7fr04.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\es-ES\hh.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\it-IT\osk.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\acledit.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\es-ES\wdc.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\SimpleTCP-DL.man C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\prnlx009.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\de-DE\DeviceProperties.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\es-ES\CNBBR332.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WSTPager.ax C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\diskmgmt.msc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\wave.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\BWUnpairElevated.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\unidrv.hlp C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\qedit.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\openfiles.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\RMActivate.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\fr-FR\fms.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\fr-FR\nlsbres.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\fr-FR\wininet.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\ja-JP\FirewallAPI.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\mciseq.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\de-DE\sqlsrv32.rll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\en-US\ieunatt.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\fr-FR\urlmon.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\NlsLexicons0046.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\qwinsta.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot2\edb006C0.log C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\en-US\CNBP_332.DLL.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\es-ES\WinMgmt.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\StarterE\license.rtf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-LegacyScripts-Deployment-DL.man C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\synth3dvsc.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\wpcsvc.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpD5400t.vdf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\prnlx00c.inf_loc C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\cmdial32.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\de-DE\cmdial32.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\trkwks.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\comres.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\manifeststore\user32.amx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\sl-SI\comctl32.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\B471CD3F6DA41643CF1F5221FE3E4CF9.mof C:\Windows\System32\WScript.exe N/A
File created C:\Windows\SysWOW64\mfcsubs.dll C:\Windows\System32\WScript.exe N/A

Modifies termsrv.dll

Description Indicator Process Target
File created C:\Windows\System32\termsrv.dll C:\Windows\System32\WScript.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Entity\60bfeaba4a5209153daa3a63ef339cc1\System.Web.Entity.ni.dll.aux C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_mdmdcm5.inf_31bf3856ad364e35_6.1.7600.16385_none_46c088e6eb2f81f9\mdmdcm5.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-w3svc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_58d860520ac16b37\w3ctrs.ini C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_6.1.7601.17514_none_b6cddd21f1df8715\SFPAT.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..track-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c13d58e431d898bb\PerformancePerftrack.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..boxgames-backgammon_31bf3856ad364e35_6.1.7600.16385_none_668d031845881638\bckgRes.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-smbserver_31bf3856ad364e35_6.1.7601.17514_none_571aee68017b07d2\sscore.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_de_b77a5c561934e089\System.Core.Resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\2.0.0.0_fr_b03f5f7f11d50a3a\System.DirectoryServices.Protocols.resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\WinLogon.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_join.help.txt C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8a371f8237ce9694\rdrleakdiag.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Boot\EFI\sv-SE\bootmgfw.efi.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Fonts\Candarai.ttf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageProviders.aspx.ja.resx C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_mdmnokia.inf_31bf3856ad364e35_6.1.7600.16385_none_81fe1974cdead8a0\MSIRCOMM.sys C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-authentication-logonui_31bf3856ad364e35_6.1.7601.17514_none_c3b917fd89d834f3\LogonUI.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-runtime-tm_31bf3856ad364e35_6.1.7601.17514_none_f7be9391315f6cc3\msdtctm.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ed3d9a150a4801e\wer.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\inf\netl1c64.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Engine.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\sdiageng.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_es-es_ba57accaf17aa08b\license.rtf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-proquota.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5a998b0d94a568a6\proquota.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\shrpubw.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\PerfCenterCPL.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_f3250f5cd121dc4e\RS_Resetpagesyncpolicy.psd1 C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..r-wmerror.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fb99c9b51ac7298f\wmerror.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\Postage_VideoInset.png C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\NetFx_Full.mzz C:\Windows\System32\WScript.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\42295046050399a00e1928eeb8e37adc\UIAutomationClientsideProviders.ni.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..ion_service_runtime_31bf3856ad364e35_6.1.7601.17514_none_5726e0135925cd59\iaspolcy.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..ecounters.resources_31bf3856ad364e35_6.1.7600.16385_en-us_818946d5f0fa8194\perfdisk.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_839b02ed84198cec\pnrpnsp.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..-mscandui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cea99eac154e3adf\mscandui.dll.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Help\Windows\es-ES\netproj.h1s C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_dc21x4vm.inf_31bf3856ad364e35_6.1.7600.16385_none_8a8756a57a292631\dc21x4vm.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5956204d6dda4df5\settings.html C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\Mup-DL.man C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_617418a2a916eb62\JSC.Resources.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Information Bar.wav C:\Windows\System32\WScript.exe N/A
File created C:\Windows\inf\ASP.NET\aspnet_perf.h C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..nmove-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a1d121939c849ce8\EncryptFilesonMove.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..kstvtuner.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d906045c4a5c3b60\ksxbar.ax.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\inf\mdmmct.PNF C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-certutil.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8326e88a4904d5cb\certutil.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..update-authenticamd_31bf3856ad364e35_6.1.7600.16385_none_599889656b4ace55\mcupdate_AuthenticAMD.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\NETFXRepair.1031.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\Sidebar.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_mdmnis3t.inf_31bf3856ad364e35_6.1.7600.16385_none_1a28a36619b5178f\mdmnis3t.inf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-a..olicy-snapin-native_31bf3856ad364e35_6.1.7600.16385_none_9b6078314990d8e8\AuditPolicyGPInterop.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a68b5bce18e9d8ab\Help.adml C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..ncmdtools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d589a6dd339da78d\showmount.exe.mui C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_CommonParameters.help.txt C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Fonts\Candara.ttf C:\Windows\System32\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-fstexp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_97c71811a7874322\fstexp.h1s C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\spwmp.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_6.1.7600.16385_none_c5e81c6ab4db0c88\TapiUnattend.exe C:\Windows\System32\WScript.exe N/A
File created C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.7.Microsoft.Ink.dll C:\Windows\System32\WScript.exe N/A
File created C:\Windows\inf\PERFLIB\0411\perfc.dat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2936 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2936 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2936 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2936 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2936 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2936 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2936 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2936 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2936 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\* && icacls C:\Windows\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\* /grant everyone:(F)

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708