32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130.exe
Size

312KB
MD5

e0da60dc0f07a4d1efc0a0a1e0235376
SHA1

d96c33ddb7a08244579fbc4124bbc85f00e926c6
SHA256

32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130
SHA512

44b69ef60c80a978fa6c0c2ccf7ecc720f97b4e56dd106ed1142a0f92748448e80c266d75d5bd935ed3c93f7d225010ae36f8874872a6fbcf889e79c6bde8824

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

spoolsvc.exe

pid process

4236 spoolsvc.exe

pid	process
4236	spoolsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XuiVam = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\spoolsvc.exe"	spoolsvc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

efsui.exe

pid process

5096 efsui.exe
5096 efsui.exe
5096 efsui.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

efsui.exe

pid process

5096 efsui.exe
5096 efsui.exe
5096 efsui.exe

pid	process
5096	efsui.exe
5096	efsui.exe
5096	efsui.exe

pid	process
5096	efsui.exe
5096	efsui.exe
5096	efsui.exe

C:\Users\Admin\AppData\Local\Temp\32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130.exe
"C:\Users\Admin\AppData\Local\Temp\32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130.exe"
1⤵
PID:1140

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5096

C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
Filesize
312KB

MD5
e0da60dc0f07a4d1efc0a0a1e0235376

SHA1
d96c33ddb7a08244579fbc4124bbc85f00e926c6

SHA256
32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130

SHA512
44b69ef60c80a978fa6c0c2ccf7ecc720f97b4e56dd106ed1142a0f92748448e80c266d75d5bd935ed3c93f7d225010ae36f8874872a6fbcf889e79c6bde8824

Download Submit
memory/1140-130-0x00000000002D0000-0x00000000002F8000-memory.dmp

Filesize
160KB

Download
memory/1140-131-0x0000000004C10000-0x0000000004C76000-memory.dmp

Filesize
408KB

Download
memory/1140-132-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/1140-133-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download