Overview

Overall score: 8
Static task: static

Sample              Platform              Score
打印共…er.bat       windows7-x64          8
打印共…er.bat       windows10-2004-x64    8
打印共…pl.dll       windows7-x64          1
打印共…pl.dll       windows10-2004-x64    1
打印共…er.bat       windows7-x64          8
打印共…er.bat       windows10-2004-x64    8
打印共…pl.dll       windows7-x64          1
打印共…pl.dll       windows10-2004-x64    1
打印共…er.bat       windows7-x64          8
打印共…er.bat       windows10-2004-x64    8
打印共…pl.dll       windows7-x64          8
打印共…pl.dll       windows10-2004-x64    8

(Sample names are truncated in the overview as extracted; the rows appear in the same order as the behavioral tasks listed under Analysis.)
Analysis

max time kernel: 146s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 13:58
Static task: static1

Behavioral tasks (sample, resource):
behavioral1: 打印共享修复Fix/Fix_PrintSpooler/Fix_PrintSpooler.bat (win7-20220812-en)
behavioral2: 打印共享修复Fix/Fix_PrintSpooler/Fix_PrintSpooler.bat (win10v2004-20220812-en)
behavioral3: 打印共享修复Fix/Fix_PrintSpooler/win32spl.dll (win7-20220812-en)
behavioral4: 打印共享修复Fix/Fix_PrintSpooler/win32spl.dll (win10v2004-20220812-en)
behavioral5: 打印共享修复Fix/LTSC/Fix_PrintSpooler.bat (win7-20220812-en)
behavioral6: 打印共享修复Fix/LTSC/Fix_PrintSpooler.bat (win10v2004-20220812-en)
behavioral7: 打印共享修复Fix/LTSC/win32spl.dll (win7-20220812-en)
behavioral8: 打印共享修复Fix/LTSC/win32spl.dll (win10v2004-20220812-en)
behavioral9: 打印共享修复Fix/Win7_X64/Fix_PrintSpooler.bat (win7-20220812-en)
behavioral10: 打印共享修复Fix/Win7_X64/Fix_PrintSpooler.bat (win10v2004-20220901-en)
behavioral11: 打印共享修复Fix/Win7_X64/win32spl.dll (win7-20220901-en)
behavioral12: 打印共享修复Fix/Win7_X64/win32spl.dll (win10v2004-20220901-en)

The details below are for behavioral2 (Fix_PrintSpooler/Fix_PrintSpooler.bat on win10v2004-20220812-en, matching the platform and resource given above).
General

Target: 打印共享修复Fix/Fix_PrintSpooler/Fix_PrintSpooler.bat (the folder name 打印共享修复 means "print sharing repair")
Size: 1KB
MD5: b4bcdad4dae1d57e6e38f81deb446e6e
SHA1: 40509574224f0610c65e127cfc19f1664136d905
SHA256: 7a7c4645e761205829d8c5490472b6d9371618ad5632ed96da29785496a0ee82
SHA512: 696392c468fe0a0e9d168946c154eff1f08df839cd35fe27102b80eb66bd8f95d9c9f9375fd35372c154628e1a5dcd132d5c6a6842af7eaf501d51c61d34485c
Malware Config
Signatures

Possible privilege escalation attempt (3 IoCs)
  Processes: icacls.exe (PID 644), takeown.exe (PID 4176), icacls.exe (PID 4628)

Registers new Print Monitor (2 TTPs, 12 IoCs)
  Process: spoolsv.exe
  Keys created under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\:
    Appmon
    Appmon\Ports
    Local Port
    Microsoft Shared Fax Monitor
    Standard TCP/IP Port
    Standard TCP/IP Port\Ports
    USB Monitor
    WSD Port
    WSD Port\Ports
    WSD Port\Adapters\IPP
    WSD Port\Adapters\WSPrint
    WSD Port\Adapters\WSPrint\OfflinePorts
  Every monitor named here is a stock Windows print monitor, and the spooler service recreates these keys when it starts. The signature fires because the batch file restarts the spooler; no third-party port monitor is registered.

Loads dropped DLL (1 IoC)
  Process: spoolsv.exe (PID 2176). The only dropped file is C:\Windows\System32\win32spl.dll (see Downloads), so this is the restarted spooler loading the replacement DLL.

Modifies file permissions (1 TTP, 3 IoCs)
  Processes: takeown.exe (PID 4176), icacls.exe (PID 4628), icacls.exe (PID 644)

Drops file in System32 directory (2 IoCs)
  Process: cmd.exe
    File created: C:\Windows\System32\win32spl.dll
    File opened for modification: C:\Windows\System32\win32spl.dll
  The write is attributed to cmd.exe itself rather than to a child process, consistent with the copy being done by cmd's built-in copy command.

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: spoolsv.exe
  Device keys under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (for each: key opened, HardwareID value queried, Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 opened):
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
    CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
    Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  These reads are made by the Windows spooler service during its start-up device enumeration, not by the batch file; on their own they are weak evidence of sandbox evasion by this sample.

Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe (PID 5108)

Modifies data under HKEY_USERS (18 IoCs)
  Process: spoolsv.exe
  Keys created:
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
    \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices
    \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
    \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices
    \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  Values set (str), identically under S-1-5-19 and S-1-5-20 in SOFTWARE\Microsoft\Windows NT\CurrentVersion\:
    Devices\Microsoft XPS Document Writer = "winspool,Ne00:"
    Devices\Microsoft Print to PDF = "winspool,Ne01:"
    Devices\Fax = "winspool,Ne02:"
    PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"
    PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"
    PrinterPorts\Fax = "winspool,Ne02:,15,45"
  These are the built-in printers (XPS Document Writer, Print to PDF, Fax) being registered in the service-account hives by the restarted spooler.

Runs net.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  takeown.exe (PID 4176) enabled SeTakeOwnershipPrivilege

Suspicious use of WriteProcessMemory (18 IoCs)
  cmd.exe (PID 4764) wrote to the memory of each child it launched, in this order: net.exe (2512), timeout.exe (5108), takeown.exe (4176), icacls.exe (4628), icacls.exe (644), reg.exe (2200), net.exe (3900)
  net.exe (2512) wrote to net1.exe (888); net.exe (3900) wrote to net1.exe (2112)
  Each parent/child pair appears twice in the log, giving 18 entries for 9 pairs.
Processes

C:\Windows\system32\cmd.exe  (PID 4764)
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\打印共享修复Fix\Fix_PrintSpooler\Fix_PrintSpooler.bat"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  +- C:\Windows\system32\net.exe  (PID 2512): net stop spooler
  |    - Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  (PID 888): C:\Windows\system32\net1 stop spooler
  +- C:\Windows\system32\timeout.exe  (PID 5108): timeout /t 3 /nobreak
  |    - Delays execution with timeout.exe
  +- C:\Windows\system32\takeown.exe  (PID 4176): Takeown /A /F C:\Windows\System32\win32spl.dll
  |    - Possible privilege escalation attempt
  |    - Modifies file permissions
  |    - Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\system32\icacls.exe  (PID 4628): icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
  |    - Possible privilege escalation attempt
  |    - Modifies file permissions
  +- C:\Windows\system32\icacls.exe  (PID 644): icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
  |    - Possible privilege escalation attempt
  |    - Modifies file permissions
  +- C:\Windows\system32\reg.exe  (PID 2200): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
  +- C:\Windows\system32\net.exe  (PID 3900): net start spooler
       - Suspicious use of WriteProcessMemory
       +- C:\Windows\system32\net1.exe  (PID 2112): C:\Windows\system32\net1 start spooler

C:\Windows\System32\spoolsv.exe  (PID 2176; the restarted service, shown as a separate root)
  - Registers new Print Monitor
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS

PIDs are taken from the signature details above; the WriteProcessMemory entries and the memory-dump numbering both list the children in launch order, which is how the two icacls.exe instances are told apart.

What the batch file does, in order: stop the Print Spooler service, wait three seconds, take ownership of C:\Windows\System32\win32spl.dll (the spooler's Win32 print provider, the component used for printing to shared network printers) away from TrustedInstaller, grant Administrators and SYSTEM full control so the file can be overwritten, copy the bundled win32spl.dll (868KB, SHA256 d417f0b2c3d9cc2bcae46358a391d308993ae537325663647ffb2d2c4679018a, listed under Downloads) over it, set HKLM\SYSTEM\CurrentControlSet\Control\Print\RpcAuthnLevelPrivacyEnabled to 0, and start the spooler again. The registry change is the security-relevant step: RpcAuthnLevelPrivacyEnabled is the switch documented in Microsoft KB4599464 for the RPC packet-privacy requirement the spooler enforces since the CVE-2021-1678 fix, and 0 turns that enforcement off, so the host again accepts print RPC (MS-RPRN) connections at lower authentication levels, which is the condition the NTLM relay attack addressed by that CVE depends on. Replacing win32spl.dll with a copy that did not come through servicing also leaves a file that no longer matches its catalog entry: sfc /scannow will report it and restore the original, and a later update that ships this component will overwrite it again. Everything attributed to spoolsv.exe in this report (monitor keys, SCSI device enumeration, printer entries under HKEY_USERS) is the stock service's normal start-up after being restarted with the replaced DLL loaded.
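Detection logic for the sequence in the process tree above, written as an added example for this page (it is not part of the report, the sandbox, or the sample). It takes process-creation events and file-write events in a Sysmon-like shape, groups them under the outermost cmd.exe, and reports which stages of the downgrade that subtree performed; the reg add command line is parsed properly so that /d 0 and /d 0x0 are both caught while /d 1 (an administrator re-enabling the hardening) is not. The event records are constructed: the command lines and PIDs follow the report, while the parent PID 1000 and the second, benign cmd.exe tree are made up for the example.

```python
import re
from collections import defaultdict, namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # Sysmon ID 1 / 4688 style

SPOOLER_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+spooler\b", re.I)
SPOOLER_START = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+start\s+spooler\b", re.I)
WIN32SPL = re.compile(r"system32\\win32spl\.dll", re.I)
ACL_TOOL = re.compile(r"\b(?:takeown|icacls|cacls)(?:\.exe)?\b", re.I)
# 'reg add <key> ...': the key may be quoted (keys can contain spaces) or bare
REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$', re.I)
REG_OPT = re.compile(r'/(?P<opt>[vd])\s+(?:"(?P<qval>[^"]*)"|(?P<val>\S+))', re.I)

def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a 'reg add' command line, or None."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    opts = {}
    for o in REG_OPT.finditer(m.group("rest")):
        opts[o.group("opt").lower()] = o.group("qval") if o.group("qval") is not None else o.group("val")
    return m.group("qkey") or m.group("key"), opts.get("v"), opts.get("d")

def dword_is_zero(data):
    """reg.exe takes REG_DWORD data as decimal or 0x-prefixed hex; both can spell zero."""
    s = (data or "").strip().lower()
    try:
        return (int(s, 16) if s.startswith("0x") else int(s, 10)) == 0
    except ValueError:
        return False

def disables_rpc_privacy(cmdline):
    """True if the command sets ...\\Control\\Print\\RpcAuthnLevelPrivacyEnabled to 0."""
    parsed = parse_reg_add(cmdline)
    if not parsed:
        return False
    key, name, data = parsed
    return (key.lower().endswith("\\control\\print")
            and (name or "").lower() == "rpcauthnlevelprivacyenabled"
            and dword_is_zero(data))

def severity(stages):
    """'high' once the RPC hardening is switched off; 'medium' for DLL tampering alone."""
    if stages["rpc_privacy_disabled"]:
        return "high"
    if stages["win32spl_replaced"] or stages["win32spl_acl_changed"]:
        return "medium"
    return "none"

def analyze(proc_events, file_events=()):
    """Return {root_pid: stages} for every outermost cmd.exe whose process subtree
    performed any stage of the sequence; file_events are (pid, path) create/modify events."""
    by_pid = {e.pid: e for e in proc_events}
    children = defaultdict(list)
    for e in proc_events:
        children[e.ppid].append(e.pid)
    is_cmd = lambda e: e is not None and e.image.lower().endswith("\\cmd.exe")
    findings = {}
    for root in proc_events:
        if not is_cmd(root) or is_cmd(by_pid.get(root.ppid)):
            continue  # only the outermost cmd.exe of a chain is a root
        pids, stack = set(), [root.pid]
        while stack:  # collect the whole subtree (cmd.exe -> net.exe -> net1.exe, ...)
            p = stack.pop()
            if p not in pids:
                pids.add(p)
                stack.extend(children[p])
        cmds = [by_pid[p].cmdline for p in pids]
        stages = {
            "spooler_stopped": any(SPOOLER_STOP.search(c) for c in cmds),
            "win32spl_acl_changed": any(ACL_TOOL.search(c) and WIN32SPL.search(c) for c in cmds),
            "win32spl_replaced": any(pid in pids and WIN32SPL.search(path) for pid, path in file_events),
            "rpc_privacy_disabled": any(disables_rpc_privacy(c) for c in cmds),
            "spooler_started": any(SPOOLER_START.search(c) for c in cmds),
        }
        if any(stages.values()):
            findings[root.pid] = stages
    return findings

# Constructed sample mirroring the report's process tree (PIDs as reported); parent PID 1000
# and the second, benign cmd.exe tree are made up for the example.
S32 = r"C:\Windows\system32"
SAMPLE_PROCS = [
    ProcEvent(4764, 1000, S32 + r"\cmd.exe", r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fix_PrintSpooler\Fix_PrintSpooler.bat"'),
    ProcEvent(2512, 4764, S32 + r"\net.exe", "net stop spooler"),
    ProcEvent(888, 2512, S32 + r"\net1.exe", S32 + r"\net1 stop spooler"),
    ProcEvent(5108, 4764, S32 + r"\timeout.exe", "timeout /t 3 /nobreak"),
    ProcEvent(4176, 4764, S32 + r"\takeown.exe", r"Takeown /A /F C:\Windows\System32\win32spl.dll"),
    ProcEvent(4628, 4764, S32 + r"\icacls.exe", r'icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F'),
    ProcEvent(644, 4764, S32 + r"\icacls.exe", r'icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F'),
    ProcEvent(2200, 4764, S32 + r"\reg.exe", r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f'),
    ProcEvent(3900, 4764, S32 + r"\net.exe", "net start spooler"),
    ProcEvent(2112, 3900, S32 + r"\net1.exe", S32 + r"\net1 start spooler"),
    ProcEvent(6000, 1000, S32 + r"\cmd.exe", "cmd.exe /c harden.cmd"),  # benign: re-enables the hardening
    ProcEvent(6001, 6000, S32 + r"\reg.exe", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Print /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 1 /f"),
]
SAMPLE_FILES = [(4764, r"C:\Windows\System32\win32spl.dll")]  # cmd.exe wrote the replacement DLL

if __name__ == "__main__":
    for pid, stages in analyze(SAMPLE_PROCS, SAMPLE_FILES).items():
        print(f"cmd.exe PID {pid}: severity={severity(stages)} stages={stages}")
```

Running it reports PID 4764 as high with all five stages true and stays silent on PID 6000. The stage breakdown is what makes this usable for triage: a tree that only grants ACLs on win32spl.dll without touching RpcAuthnLevelPrivacyEnabled is worth a look but is not the downgrade, while the reg add alone (for example from a GPO startup script) is the high-severity event even if the DLL is left intact.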
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\System32\win32spl.dll
  Filesize: 868KB
  MD5: 2e9581b7b9cd276a5ab115e4df69f6f9
  SHA1: 800cdb03e4f2125200974a72f43653110426e56d
  SHA256: d417f0b2c3d9cc2bcae46358a391d308993ae537325663647ffb2d2c4679018a
  SHA512: c3e39ada472a82a707a6e3e79590c40cfc4fe5f46462fd7bd324ec682505a63be413e3453d703942985a73437d21ba6fac5b19ad96c4b55d524716fdf9257bd9
  (The raw report lists this file twice with identical hashes; this is the replacement DLL the batch file copies over the system file.)
Memory dumps (one per child process, numbered in launch order):
memory/2512-132-0x0000000000000000-mapping.dmp   net.exe (net stop spooler)
memory/888-133-0x0000000000000000-mapping.dmp    net1.exe (stop)
memory/5108-134-0x0000000000000000-mapping.dmp   timeout.exe
memory/4176-135-0x0000000000000000-mapping.dmp   takeown.exe
memory/4628-136-0x0000000000000000-mapping.dmp   icacls.exe (administrators:F)
memory/644-137-0x0000000000000000-mapping.dmp    icacls.exe (SYSTEM:F)
memory/2200-138-0x0000000000000000-mapping.dmp   reg.exe
memory/3900-139-0x0000000000000000-mapping.dmp   net.exe (net start spooler)
memory/2112-140-0x0000000000000000-mapping.dmp   net1.exe (start)