3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e

Analysis

max time kernel
131s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Size

2.0MB
MD5

56210dd82506f4ed55835af8c6ddc0e0
SHA1

cb8f8d51d903589d80ea523f88f4ba02a1e779da
SHA256

3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e
SHA512

7c209b50669b8e8aaaf3fd58db361f67dad1831c027e62a8412fcfc7208babcb3f10922344a661edd278e76567dfccdbfd86f42bc6456100b59ae6cc047ad59a
SSDEEP

24576:B2KrlpxUxHoFhp/S1AWmQO18C2BwfTs6T22CKRJqNE4u6FOcnDsHspz8vlX9xRBW:BTDxB8CWwfTX3clnBowjmE

Score

8^/10

persistence

Malware Config

Signatures

Registers new Print Monitor 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\I:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\J:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\Z:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\V:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\F:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\G:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\K:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\N:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\R:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\T:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\U:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\X:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\Y:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\L:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\M:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\O:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\P:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\S:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\E:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\Q:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only)	\??\W:	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
664	tcpsvcs.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	968	spoolsv.exe
Token: SeRestorePrivilege	968	spoolsv.exe
Token: SeRestorePrivilege	968	spoolsv.exe
Token: SeRestorePrivilege	968	spoolsv.exe
Token: SeRestorePrivilege	968	spoolsv.exe
Token: SeRestorePrivilege	968	spoolsv.exe
Token: SeRestorePrivilege	968	spoolsv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
664	tcpsvcs.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 944	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	28
PID 1764 wrote to memory of 944	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	28
PID 1764 wrote to memory of 944	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	28
PID 1764 wrote to memory of 944	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	28
PID 944 wrote to memory of 1996	944	cmd.exe	30
PID 944 wrote to memory of 1996	944	cmd.exe	30
PID 944 wrote to memory of 1996	944	cmd.exe	30
PID 944 wrote to memory of 1996	944	cmd.exe	30
PID 1996 wrote to memory of 1520	1996	net.exe	31
PID 1996 wrote to memory of 1520	1996	net.exe	31
PID 1996 wrote to memory of 1520	1996	net.exe	31
PID 1996 wrote to memory of 1520	1996	net.exe	31
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 664	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	33
PID 1764 wrote to memory of 992	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	35
PID 1764 wrote to memory of 992	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	35
PID 1764 wrote to memory of 992	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	35
PID 1764 wrote to memory of 992	1764	3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe	35
PID 992 wrote to memory of 580	992	cmd.exe	37
PID 992 wrote to memory of 580	992	cmd.exe	37
PID 992 wrote to memory of 580	992	cmd.exe	37
PID 992 wrote to memory of 580	992	cmd.exe	37
PID 580 wrote to memory of 1524	580	net.exe	38
PID 580 wrote to memory of 1524	580	net.exe	38
PID 580 wrote to memory of 1524	580	net.exe	38
PID 580 wrote to memory of 1524	580	net.exe	38

C:\Users\Admin\AppData\Local\Temp\3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
"C:\Users\Admin\AppData\Local\Temp\3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop Spooler
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\net.exe
    net stop Spooler
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Spooler
      4⤵
      PID:1520
- C:\Windows\SysWOW64\tcpsvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e2.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net start Spooler
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\SysWOW64\net.exe
    net start Spooler
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Spooler
      4⤵
      PID:1524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1416

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Registers new Print Monitor
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-100-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-84-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-234-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/664-126-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-125-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-69-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-70-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/664-73-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-76-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-77-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-78-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-79-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-80-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-81-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-82-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-83-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-65-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/664-85-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-86-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-87-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-88-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-89-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-90-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-91-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-92-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-93-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-94-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-95-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-96-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-97-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-98-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-124-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-101-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-99-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-102-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-103-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-104-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-105-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-106-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-107-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-108-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-109-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-110-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-111-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-112-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-113-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-114-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-115-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-116-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-117-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-118-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-119-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-120-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-121-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-122-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/664-123-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/1764-59-0x0000000004A90000-0x0000000004C2D000-memory.dmp

Filesize
1.6MB

Download
memory/1764-57-0x0000000004620000-0x00000000046A3000-memory.dmp

Filesize
524KB

Download
memory/1764-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1764-60-0x0000000004860000-0x0000000004887000-memory.dmp

Filesize
156KB

Download
memory/1764-61-0x0000000003000000-0x0000000003101000-memory.dmp

Filesize
1.0MB

Download