Overview

overview

8

Static

static

printerfix...er.bat

windows7-x64

8

printerfix...er.bat

windows10-2004-x64

8

printerfix...pl.dll

windows7-x64

1

printerfix...pl.dll

windows10-2004-x64

1

printerfix...er.bat

windows7-x64

8

printerfix...er.bat

windows10-2004-x64

8

printerfix...pl.dll

windows7-x64

1

printerfix...pl.dll

windows10-2004-x64

1

printerfix...er.bat

windows7-x64

8

printerfix...er.bat

windows10-2004-x64

8

printerfix...pl.dll

windows7-x64

1

printerfix...pl.dll

windows10-2004-x64

1

printerfix...er.bat

windows7-x64

8

printerfix...er.bat

windows10-2004-x64

8

printerfix...pl.dll

windows7-x64

1

printerfix...pl.dll

windows10-2004-x64

1

printerfix...er.bat

windows7-x64

8

printerfix...er.bat

windows10-2004-x64

8

printerfix...pl.dll

windows7-x64

8

printerfix...pl.dll

windows10-2004-x64

8

printerfix...pl.dll

windows7-x64

1

printerfix...pl.dll

windows10-2004-x64

1

printerfix...sv.exe

windows7-x64

printerfix...sv.exe

windows10-2004-x64

1

printerfix...pl.dll

windows7-x64

1

printerfix...pl.dll

windows10-2004-x64

1

printerfix...er.bat

windows7-x64

8

printerfix...er.bat

windows10-2004-x64

8

printerfix...pl.dll

windows7-x64

1

printerfix...pl.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    131s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2022 08:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    printerfix/Win 2019/Fix_PrintSpooler.bat

  • Size

    1KB

  • MD5

    b4bcdad4dae1d57e6e38f81deb446e6e

  • SHA1

    40509574224f0610c65e127cfc19f1664136d905

  • SHA256

    7a7c4645e761205829d8c5490472b6d9371618ad5632ed96da29785496a0ee82

  • SHA512

    696392c468fe0a0e9d168946c154eff1f08df839cd35fe27102b80eb66bd8f95d9c9f9375fd35372c154628e1a5dcd132d5c6a6842af7eaf501d51c61d34485c

Score
8/10
discoveryexploitpersistence

Malware Config

Signatures

  • Possible privilege escalation attempt 3 IoCs
    exploit
  • Registers new Print Monitor 2 TTPs 12 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Drops file in System32 directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 18 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2019\Fix_PrintSpooler.bat"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\system32\net.exe
      net stop spooler
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop spooler
        3⤵
          PID:1664
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        2⤵
        • Delays execution with timeout.exe
        PID:3528
      • C:\Windows\system32\takeown.exe
        Takeown /A /F C:\Windows\System32\win32spl.dll
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2728
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1040
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
        2⤵
          PID:5108
        • C:\Windows\system32\net.exe
          net start spooler
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:260
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start spooler
            3⤵
              PID:116
        • C:\Windows\System32\spoolsv.exe
          C:\Windows\System32\spoolsv.exe
          1⤵
          • Registers new Print Monitor
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:3292

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        File Permissions Modification

        1
        T1222

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System32\win32spl.dll
          Filesize

          831KB

          MD5

          26327b93ebcad7bf061b63894923a78f

          SHA1

          4fc07b0cf4a9a54e5fdd71c33e329abe05b88823

          SHA256

          258058689cef565f5ab1938e1cfed2753bbf5ef2325ad5f8501afd932d42b53e

          SHA512

          fe0ac07985793ba1a0682ffc0375e07782b63588458d839293eeb5aa8d1cb0809f90051864f7620025bc49a67fd87720523fecaffb62ea895bec7f255a88199b

          Download Submit
        • C:\Windows\System32\win32spl.dll
          Filesize

          831KB

          MD5

          26327b93ebcad7bf061b63894923a78f

          SHA1

          4fc07b0cf4a9a54e5fdd71c33e329abe05b88823

          SHA256

          258058689cef565f5ab1938e1cfed2753bbf5ef2325ad5f8501afd932d42b53e

          SHA512

          fe0ac07985793ba1a0682ffc0375e07782b63588458d839293eeb5aa8d1cb0809f90051864f7620025bc49a67fd87720523fecaffb62ea895bec7f255a88199b

          Download Submit
        • memory/116-140-0x0000000000000000-mapping.dmp
          Download
        • memory/260-139-0x0000000000000000-mapping.dmp
          Download
        • memory/1040-137-0x0000000000000000-mapping.dmp
          Download
        • memory/1664-133-0x0000000000000000-mapping.dmp
          Download
        • memory/2200-135-0x0000000000000000-mapping.dmp
          Download
        • memory/2728-136-0x0000000000000000-mapping.dmp
          Download
        • memory/3244-132-0x0000000000000000-mapping.dmp
          Download
        • memory/3528-134-0x0000000000000000-mapping.dmp
          Download
        • memory/5108-138-0x0000000000000000-mapping.dmp
          Download