Analysis
max time kernel: 131s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25/11/2022, 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
  Resource: win10v2004-20221111-en
General
Target: 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Size: 2.0MB
MD5: 56210dd82506f4ed55835af8c6ddc0e0
SHA1: cb8f8d51d903589d80ea523f88f4ba02a1e779da
SHA256: 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e
SHA512: 7c209b50669b8e8aaaf3fd58db361f67dad1831c027e62a8412fcfc7208babcb3f10922344a661edd278e76567dfccdbfd86f42bc6456100b59ae6cc047ad59a
SSDEEP: 24576:B2KrlpxUxHoFhp/S1AWmQO18C2BwfTs6T22CKRJqNE4u6FOcnDsHspz8vlX9xRBW:BTDxB8CWwfTX3clnBowjmE
Malware Config
Signatures
Registers new Print Monitor (2 TTPs, 5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | spoolsv.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | spoolsv.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | spoolsv.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | spoolsv.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | spoolsv.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\I: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\J: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\Z: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\V: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\F: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\G: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\K: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\N: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\R: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\T: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\U: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\X: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\Y: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\L: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\M: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\O: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\P: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\S: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\E: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\Q: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
File opened (read-only) | \??\W: | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Modifies data under HKEY_USERS (14 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
664 | tcpsvcs.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 968 | spoolsv.exe
Token: SeRestorePrivilege | 968 | spoolsv.exe
Token: SeRestorePrivilege | 968 | spoolsv.exe
Token: SeRestorePrivilege | 968 | spoolsv.exe
Token: SeRestorePrivilege | 968 | spoolsv.exe
Token: SeRestorePrivilege | 968 | spoolsv.exe
Token: SeRestorePrivilege | 968 | spoolsv.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
664 | tcpsvcs.exe
Suspicious use of WriteProcessMemory (37 IoCs)
description | pid | Process | procid_target
PID 1764 wrote to memory of 944 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 28
PID 1764 wrote to memory of 944 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 28
PID 1764 wrote to memory of 944 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 28
PID 1764 wrote to memory of 944 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 28
PID 944 wrote to memory of 1996 | 944 | cmd.exe | 30
PID 944 wrote to memory of 1996 | 944 | cmd.exe | 30
PID 944 wrote to memory of 1996 | 944 | cmd.exe | 30
PID 944 wrote to memory of 1996 | 944 | cmd.exe | 30
PID 1996 wrote to memory of 1520 | 1996 | net.exe | 31
PID 1996 wrote to memory of 1520 | 1996 | net.exe | 31
PID 1996 wrote to memory of 1520 | 1996 | net.exe | 31
PID 1996 wrote to memory of 1520 | 1996 | net.exe | 31
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 664 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 33
PID 1764 wrote to memory of 992 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 35
PID 1764 wrote to memory of 992 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 35
PID 1764 wrote to memory of 992 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 35
PID 1764 wrote to memory of 992 | 1764 | 3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe | 35
PID 992 wrote to memory of 580 | 992 | cmd.exe | 37
PID 992 wrote to memory of 580 | 992 | cmd.exe | 37
PID 992 wrote to memory of 580 | 992 | cmd.exe | 37
PID 992 wrote to memory of 580 | 992 | cmd.exe | 37
PID 580 wrote to memory of 1524 | 580 | net.exe | 38
PID 580 wrote to memory of 1524 | 580 | net.exe | 38
PID 580 wrote to memory of 1524 | 580 | net.exe | 38
PID 580 wrote to memory of 1524 | 580 | net.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e.exe"
  PID: 1764
  - Checks BIOS information in registry
  - Enumerates connected drives
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net stop Spooler
    PID: 944
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net stop Spooler
      PID: 1996
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop Spooler
        PID: 1520
  C:\Windows\SysWOW64\tcpsvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f7e30c503657c49f71c7519042b8283b7f12132de09860aa9dbc5afd45c7a5e2.exe"
    PID: 664
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net start Spooler
    PID: 992
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net start Spooler
      PID: 580
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start Spooler
        PID: 1524
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
  PID: 1416
C:\Windows\System32\spoolsv.exe
  Command line: C:\Windows\System32\spoolsv.exe
  PID: 968
  - Registers new Print Monitor
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken