Malware Analysis Report

2024-12-07 14:55

Sample ID 241011-s5jrbazdqh
Target file01.vbs
SHA256 a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037
Tags
defense_evasion discovery exploit persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037

Threat Level: Likely malicious

The file file01.vbs was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit persistence ransomware

Renames multiple (25613) files with added filename extension

Drops file in Drivers directory

Possible privilege escalation attempt

Modifies file permissions

Indicator Removal: Clear Windows Event Logs

Boot or Logon Autostart Execution: Print Processors

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 15:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 15:42

Reported

2024-10-11 15:45

Platform

win11-20241007-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

Signatures

Renames multiple (25613) files with added filename extension

ransomware

Every renamed file recorded in the tables below keeps its original name and gains the appended extension .bat (for example ks.sys becomes ks.sys.bat). The only non-memory artifact in the Files section that is not such a rename is the dropped C:\Users\Admin\AppData\Local\Temp\whysoserious.bat.

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\it-IT\IndirectKmd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\fvevol.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\pdc.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\acpi.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ks.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\msquic.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\iorate.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\serenum.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\winnat.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\etc\lmhosts.sam.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\SensorsCx.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UcmCx.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\USBXHCI.SYS.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\cmimcext.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\modem.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\mup.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\srv2.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\pcmcia.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\mslldp.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\Microsoft.Bluetooth.Profiles.HidOverGatt.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rfcomm.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\disk.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\iaLPSS2i_I2C.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\USBCAMD2.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\mouhid.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\volsnap.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\AppvVemgr.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\filetrace.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\fvevol.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\pcmcia.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\agilevpn.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\USBHUB3.SYS.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\volmgrx.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\SensorsHid.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\tape.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\sdstor.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\IPMIDRV.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\cxwmbclass.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\partmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\wpdmtpdr.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\BthA2dp.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\IndirectKmd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\disk.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\hidspi.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\CAD.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\wudfpf.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\EhStorTcgDrv.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\uk-UA\bthenum.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\BthHfEnum.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\clfs.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\idtsec.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\WUDFUsbccidDriver.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\HdAudio.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\ntfs.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\netbios.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\rdpdr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\hidclass.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\EhStorPwdDrv.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\wpdmtpdr.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\CEA.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rootmdm.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\mgtdyn.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dumpfve.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\ataport.sys.mui.bat C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit

The two processes are the takeown /f C:\Windows\System32\* and icacls C:\Windows\System32\* /grant everyone:(F) pair listed under Processes: ownership of every object in System32 is seized (the SeTakeOwnershipPrivilege use recorded below) and Everyone is then granted Full control. This is ACL tampering that weakens system directory protections; the report records no exploit code or vulnerability being triggered, so the exploit tag refers to this ACL change only.
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence

The single row is winprint.dll under spool\prtprocs\x64 receiving the appended .bat extension, the same rename sweep seen in the other directories. The report records no registry change registering a new print processor, so this is the sweep touching a persistence-relevant path rather than a confirmed autostart implant.
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion

Every row below is an existing .evtx file under winevt\Logs receiving the appended .bat extension. The Processes section shows no wevtutil, PowerShell or other log-clearing activity, so the signature fires on the paths written, not on observed log clearing; the operational effect is still that the renamed logs are no longer readable by Event Viewer under their original names.
Description Indicator Process Target
File created C:\Windows\System32\winevt\Logs\HardwareEvents.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WorkFolders%4WHC.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\OAlerts.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TenantRestrictions%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Setup.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Device Management.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageManagement%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Key Management Service.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AAD%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Biometrics%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Time-Service%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery

The two processes are the same takeown/icacls pair described under "Possible privilege escalation attempt"; their full command lines are in the Processes section. The discovery tag is the sandbox's category for this signature, not a description of the behaviour.
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\subst.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\pwlauncher.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\msg.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\cdosys.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\bthprint.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\pt-PT\quickassist.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-CustomShellHost-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-63-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OfflineFiles-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\iphlpsvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\powrprof.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ResetEngine.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\PlayToStatusProvider.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\fdPHost.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\svsvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wuapi.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\lsi_sas2i.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\schannel.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\powercpl.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VMMS-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\uefi.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\fvecpl.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Hydrogen\BakedPlugins\Physics\defaultphysicsmaterial.hbakedphysicsmaterial.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\windows.internal.shell.broker.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\nshipsec.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MultiPoint-Connector-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\msclmd.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0113~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\FrameServerMonitor.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\l2nacp.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RecDisc-SDP-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnjobs.vbs.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\en-US\EventTracingManagement.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\ja-JP\ntevt.mfl.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\nslookup.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-ClientUA-Client-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\c_scmdisk.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\mlang.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\dsuiext.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\perfdisk.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-PointOfService-Main-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\cryptuiwizard.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\sppcommdlg.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\fr-FR\KrnlProv.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\it-IT\cimwin32.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wkspbrokerAx.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\mssmbios.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\mdmbtmdm.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\Magnify.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\InstallService.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\rpcping.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\iernonce.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\la57setup.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-FCI-Client-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\mfmp4srcsnk.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\FCAAC5BDE30A123DF3B6B30527D11B7F.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\eventvwr.msc.bat C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 3284 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3396 wrote to memory of 3284 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3284 wrote to memory of 1320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3284 wrote to memory of 1320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3284 wrote to memory of 6084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3284 wrote to memory of 6084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\explorer.exe

explorer.exe
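The process tree above (WScript.exe launching cmd.exe, which runs takeown and then icacls against C:\Windows\System32\*) is the most detectable part of this sample because it uses built-in tools with fixed argument shapes. The following detection logic is an added example, not part of the sandbox report: it replays the recorded command lines as constructed process-creation events and flags an ACL tool running under a script host, ownership seizure of a system directory, and a Full-control grant to a broad principal on that directory. PIDs 3396, 3284, 1320 and 6084 and the command lines are taken from this report; the explorer.exe PIDs, the benign control event and the rule names are made up for the example.

```python
"""Detection of the script-host -> takeown -> icacls chain (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
ACL_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}
SYSTEM_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Broad principals by name and in the *SID form icacls also accepts.
BROAD_PRINCIPALS = {"everyone", "*s-1-1-0", "users", "*s-1-5-32-545",
                    "authenticated users", "*s-1-5-11"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(command_line: str) -> List[str]:
    # Windows quoting is not POSIX; stripping quotes from whitespace-split
    # tokens is enough for the argument shapes takeown and icacls accept.
    return [t.strip('"') for t in command_line.split()]


def under_system_root(path: str) -> bool:
    p = path.strip('"').lower().replace("/", "\\")
    return any(p == root or p.startswith(root + "\\") for root in SYSTEM_ROOTS)


def icacls_grants(command_line: str) -> List[Tuple[str, str]]:
    """Return (principal, rights) for every /grant or /grant:r argument."""
    toks = tokens(command_line)
    grants = []
    for i, tok in enumerate(toks[:-1]):
        if tok.lower().startswith("/grant"):
            principal, _, rights = toks[i + 1].rpartition(":")
            # Drop inheritance flags such as (OI)(CI); keep the rights letters.
            grants.append((principal.lower(), re.sub(r"[()]", "", rights).upper()))
    return grants


def has_script_host_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        if basename(cur.image) in SCRIPT_HOSTS:
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every rule an event trips."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        name = basename(ev.image)
        toks = tokens(ev.command_line)
        low = ev.command_line.lower()
        if name == "cmd.exe" and "takeown" in low and "icacls" in low:
            findings.append((ev.pid, "chained-takeown-and-icacls"))
        if name in ACL_TOOLS and has_script_host_ancestor(ev, by_pid):
            findings.append((ev.pid, "acl-tool-spawned-by-script-host"))
        if name == "takeown.exe":
            for i, tok in enumerate(toks[:-1]):
                if tok.lower() == "/f" and under_system_root(toks[i + 1]):
                    findings.append((ev.pid, "takeown-on-system-directory"))
        if name == "icacls.exe" and len(toks) > 1 and under_system_root(toks[1]):
            for principal, rights in icacls_grants(ev.command_line):
                if principal in BROAD_PRINCIPALS and "F" in rights:
                    findings.append((ev.pid, "full-control-grant-to-broad-principal-on-system-directory"))
    return findings


# Constructed events. PIDs 3396/3284/1320/6084 and their command lines come from
# this report; explorer.exe PIDs and the benign control event are made up.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3396, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"'),
    ProcEvent(3284, 3396, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)'),
    ProcEvent(1320, 3284, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Windows\System32\*"),
    ProcEvent(6084, 3284, r"C:\Windows\system32\icacls.exe", r"icacls C:\Windows\System32\* /grant everyone:(F)"),
    # Benign control: an administrator tightening a share folder from an interactive shell.
    ProcEvent(7001, 7000, r"C:\Windows\System32\icacls.exe", r"icacls D:\Share\Reports /grant:r Finance:(OI)(CI)RX"),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The ancestry walk matters more than the tool names: takeown and icacls are routine in administration, and the benign control event produces no finding, while the same binaries reached through WScript.exe do. The Full-control check parses the principal and rights rather than matching the literal string everyone:(F), so variants such as *S-1-1-0:(OI)(CI)F are caught as well.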

Network

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708

memory/3396-5019-0x00007FFB01A20000-0x00007FFB01D98000-memory.dmp

memory/3396-5039-0x00007FFAFF330000-0x00007FFAFF442000-memory.dmp

memory/3396-5061-0x00007FFAEC470000-0x00007FFAEC48D000-memory.dmp

memory/3396-5067-0x00007FFAE97B0000-0x00007FFAE97D6000-memory.dmp

memory/3396-5072-0x00007FFAF6D70000-0x00007FFAF6DD5000-memory.dmp

memory/3396-5068-0x00007FFAF7AD0000-0x00007FFAF7D82000-memory.dmp

memory/3396-5066-0x00007FFAFEF40000-0x00007FFAFEF8C000-memory.dmp

memory/3396-5065-0x00007FFAFEAC0000-0x00007FFAFEACC000-memory.dmp

memory/3396-5064-0x00007FFAFEAA0000-0x00007FFAFEAB8000-memory.dmp

memory/3396-5063-0x00007FFAFF920000-0x00007FFAFFA82000-memory.dmp

memory/3396-5051-0x00007FFAFFE30000-0x00007FFAFFEDF000-memory.dmp

memory/3396-5045-0x00007FFAFFA90000-0x00007FFAFFB0F000-memory.dmp

memory/3396-5040-0x00007FFB00A10000-0x00007FFB00ABE000-memory.dmp

memory/3396-5044-0x00007FFB018E0000-0x00007FFB01911000-memory.dmp

memory/3396-5038-0x00007FFB00AC0000-0x00007FFB00AE9000-memory.dmp

memory/3396-5071-0x00007FFAEB3D0000-0x00007FFAEB47C000-memory.dmp

memory/3396-17508-0x00007FF679410000-0x00007FF67943A000-memory.dmp

memory/3396-17509-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/3396-17584-0x00007FFB00200000-0x00007FFB002D6000-memory.dmp

memory/3396-17637-0x00007FFAFCA80000-0x00007FFAFCB2C000-memory.dmp

memory/3396-17638-0x00007FFAFF120000-0x00007FFAFF1C2000-memory.dmp

memory/3396-17761-0x00007FFAF1C50000-0x00007FFAF1C6D000-memory.dmp

memory/3396-17665-0x00007FFB01120000-0x00007FFB018CE000-memory.dmp

memory/3396-17785-0x00007FFAFF260000-0x00007FFAFF281000-memory.dmp

memory/3396-17784-0x00007FFAFB960000-0x00007FFAFBA57000-memory.dmp

memory/3396-17783-0x00007FFAFD330000-0x00007FFAFD496000-memory.dmp

memory/3396-17782-0x00007FFAFD4A0000-0x00007FFAFDD07000-memory.dmp

memory/3396-17781-0x00007FFAFFDD0000-0x00007FFAFFE2D000-memory.dmp

memory/3396-17762-0x00007FFAFFCE0000-0x00007FFAFFDCA000-memory.dmp

memory/3396-17663-0x00007FFAFC7B0000-0x00007FFAFC7D5000-memory.dmp

memory/3396-17662-0x00007FFAF6A90000-0x00007FFAF6AC8000-memory.dmp

memory/3396-17655-0x00007FFAF6AD0000-0x00007FFAF6B0A000-memory.dmp

memory/3396-17651-0x00007FFAFC800000-0x00007FFAFC81A000-memory.dmp

memory/3396-17650-0x00007FFAFC8B0000-0x00007FFAFC8C6000-memory.dmp

memory/3396-17648-0x00007FFAFE390000-0x00007FFAFE3C5000-memory.dmp

memory/3396-17646-0x00007FFAFEB00000-0x00007FFAFEB12000-memory.dmp

memory/3396-17644-0x00007FFAFFC70000-0x00007FFAFFCD7000-memory.dmp

memory/3396-17643-0x00007FFAFEB70000-0x00007FFAFEBAD000-memory.dmp

memory/3396-17639-0x00007FFB00DB0000-0x00007FFB00ECE000-memory.dmp

memory/3396-17633-0x00007FFAF0E00000-0x00007FFAF0E0A000-memory.dmp

memory/3396-17641-0x00007FFAF6B10000-0x00007FFAF6BA8000-memory.dmp

memory/3396-17635-0x00007FFAFE430000-0x00007FFAFE448000-memory.dmp

memory/3396-17629-0x00007FFB00F60000-0x00007FFB00FFE000-memory.dmp

memory/3396-17627-0x00007FFB00C10000-0x00007FFB00DAA000-memory.dmp

memory/3396-17624-0x00007FFAFF8F0000-0x00007FFAFF916000-memory.dmp

memory/3396-17622-0x00007FFB01000000-0x00007FFB01120000-memory.dmp

memory/3396-17605-0x00007FFAFF7D0000-0x00007FFAFF8E1000-memory.dmp

memory/3396-17595-0x00007FFAFFB10000-0x00007FFAFFBAD000-memory.dmp

memory/3396-17581-0x00007FFB00B00000-0x00007FFB00BA3000-memory.dmp

memory/3396-17535-0x00007FFAFF450000-0x00007FFAFF7C4000-memory.dmp

memory/3396-17623-0x00007FFB00810000-0x00007FFB009BC000-memory.dmp

memory/3396-17525-0x00007FFB002E0000-0x00007FFB0039D000-memory.dmp