32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130

Analysis

max time kernel
140s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130.exe
Size

312KB
MD5

e0da60dc0f07a4d1efc0a0a1e0235376
SHA1

d96c33ddb7a08244579fbc4124bbc85f00e926c6
SHA256

32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130
SHA512

44b69ef60c80a978fa6c0c2ccf7ecc720f97b4e56dd106ed1142a0f92748448e80c266d75d5bd935ed3c93f7d225010ae36f8874872a6fbcf889e79c6bde8824

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

spoolsvc.exe

pid process

608 spoolsvc.exe

pid	process
608	spoolsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\XuiVam = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\spoolsvc.exe"	spoolsvc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

efsui.exe

pid process

1996 efsui.exe
1996 efsui.exe
1996 efsui.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

efsui.exe

pid process

1996 efsui.exe
1996 efsui.exe
1996 efsui.exe

pid	process
1996	efsui.exe
1996	efsui.exe
1996	efsui.exe

pid	process
1996	efsui.exe
1996	efsui.exe
1996	efsui.exe

C:\Users\Admin\AppData\Local\Temp\32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130.exe
"C:\Users\Admin\AppData\Local\Temp\32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130.exe"
1⤵
PID:1540

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
Filesize
312KB

MD5
e0da60dc0f07a4d1efc0a0a1e0235376

SHA1
d96c33ddb7a08244579fbc4124bbc85f00e926c6

SHA256
32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130

SHA512
44b69ef60c80a978fa6c0c2ccf7ecc720f97b4e56dd106ed1142a0f92748448e80c266d75d5bd935ed3c93f7d225010ae36f8874872a6fbcf889e79c6bde8824

Download Submit
memory/608-58-0x0000000000D90000-0x0000000000DB8000-memory.dmp

Filesize
160KB

Download
memory/1540-54-0x00000000010C0000-0x00000000010E8000-memory.dmp

Filesize
160KB

Download
memory/1540-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download