After what seems a human-directed ransomware attack, I am analyzing the system. It is a Windows Server 2016 and I had created the usual Administrator account. Now I see that during the attack, a new "Administrador.WIN-RSDLE3HIAER" account has appeared under the C:\Users folder. The old plain Administrator still exists, but it seems like all files are now under the newly created account (Downloads, Favorites, Desktop, etc. are still in the original account, but empty). It is like the profile was moved to the new account.

My question, in the search of learning, is why this is done: why create a new account? Is this some kind of self-protection from the attackers? Why is all my original content now under the newly created account? I could still enter "Administrator" on the login page and access my profile, so this is why I cannot understand the nature of the new account/folder, how I got redirected... in a word... how does this thing work?

Cheers

kankamuso
  • Is it possible that you confuse "account" with "user profile"? Ie. is "Administrador.WIN-RSDLE3HIAER" just a folder in C:\Users or does an account by that name actually show up in Computer Management - Local Users and Groups - Users? What is the owner of the folder C:\Users\Administrador.WIN-RSDLE3HIAER? – Tilman Schmidt Jun 10 '20 at 22:53
  • @TilmanSchmidt, I have not been able to boot to the OS yet, so I cannot answer those questions. I am currently running some LiveCD antivirus just to have time to analyze the system whenever I can boot it up. :-( – kankamuso Jun 11 '20 at 13:37
  • @TeroKilkanen, that is a nice post and I am currently trying to understand where it came from and how. This is why I ask about the fact that what seemingly is a new Admin account has appeared... Why do they do it, what is its reason to exist? Just trying to learn from this experience. But I cannot find technical info in that text about this specific problem (perhaps I am that 5% :-)). – kankamuso Jun 11 '20 at 13:41
  • @kankamuso, the reason I'm asking is this: When Windows decides for whatever reason that the existing user profile of a user is unusable, it creates a new one automatically, and also tries to move the user's files over from the old profile folder to the new one. The name Administrador.WIN-RSDLE3HIAER looks quite similar to the sort of folder name which Windows creates in such a case. So this mechanism would match your description, were it not for the fact that you report an actual account by that name. I'll attempt an answer in that direction. – Tilman Schmidt Jun 14 '20 at 12:19

1 Answer

Possible explanation: there is no new account, nor was the new folder intentionally created by the attacker. The user profile of the administrator account was damaged during the attack, or by some defense or recovery measures. This has then triggered the profile repair mechanism of Windows.

When Windows encounters an unrecoverable error loading the profile of a user while logging on, it creates a new profile folder automatically, appending a random suffix to the name. It also tries moving over as much of the data as possible from the old, damaged profile. So the folder C:\Users\Administrador.WIN-RSDLE3HIAER would just be a new profile folder for the existing administrator account Administrador.

To confirm this, check the owner and permissions of the folders C:\Users\Administrador and C:\Users\Administrador.WIN-RSDLE3HIAER, and match them to the local users in the Windows Security Account Manager (SAM) database. If you are doing this from a live Linux system, use a tool like chntpw to access the SAM database file %SystemRoot%\System32\config\SAM.

Tilman Schmidt
  • I think you are right. Just to test, I deleted the built-in profile and upon login it was recreated again using Administrator-SERVER02 (machine name). The old annoying folder had disappeared and both Administrator and ADMINISTRATOR-SERVER02 co-existed. – kankamuso Jun 14 '20 at 14:26
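As an added example (not part of the answer or the comments above), here is a PowerShell check that performs the owner-versus-SAM cross-match the answer describes, once the server can be booted. It assumes the profiles live under C:\Users and additionally consults the ProfileList registry key, which records which folder Windows currently loads for each account SID; it needs an elevated session.

```powershell
# Added example, not part of the original answer: cross-check every folder under
# C:\Users against the local SAM accounts and the ProfileList registry key.
# A folder whose owner SID belongs to an existing local account, but whose name
# does not match that account name, is a relocated (repaired) profile folder,
# not evidence of a new account. Run in an elevated PowerShell on the server.

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# SID -> folder that Windows currently loads as that user's profile.
# (After a profile repair the old key is usually kept as "<SID>.bak".)
$registeredProfiles = @{}
foreach ($key in Get-ChildItem -Path $profileListKey) {
    $imagePath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if ($imagePath) { $registeredProfiles[$key.PSChildName] = $imagePath }
}

# SID -> account name for every local account in the SAM.
$localAccounts = @{}
foreach ($user in Get-LocalUser) { $localAccounts[$user.SID.Value] = $user.Name }

$sidType = [System.Security.Principal.SecurityIdentifier]
$report = foreach ($dir in Get-ChildItem -Path 'C:\Users' -Directory) {
    # Ask for the owner as a SID so unresolvable or renamed accounts still match.
    $ownerSid = (Get-Acl -Path $dir.FullName).GetOwner($sidType).Value
    $account  = $localAccounts[$ownerSid]
    $current  = $registeredProfiles[$ownerSid]

    $verdict = if (-not $account) {
        'owner is not a local account (domain, built-in group, or deleted SID)'
    } elseif ($dir.Name -eq $account) {
        'original profile folder of local account'
    } elseif ($dir.Name -like "$account.*") {
        'relocated profile folder of existing account (profile repair pattern)'
    } else {
        'folder name does not match owning account: inspect manually'
    }

    [PSCustomObject]@{
        Folder        = $dir.Name
        OwnerSid      = $ownerSid
        OwnerAccount  = if ($account) { $account } else { '-' }
        LoadedProfile = if ($current) { $current } else { '-' }
        Verdict       = $verdict
    }
}

$report | Format-Table -AutoSize
```

A row where OwnerAccount is an existing account and LoadedProfile points at the suffixed folder confirms the answer's explanation; an owner SID with no matching local account, or a folder name that matches no account at all, is what would actually warrant suspicion of a new account.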