ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c

Analysis

max time kernel
34s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 19:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe
Size

900KB
MD5

75f6cc3b9d91fb36827052daa68ab459
SHA1

44b85c2b29c6b84fa020c9aead696e588877cb0e
SHA256

ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c
SHA512

0b962a953c5057de44af5d1d6a362408901d5505d4a71554138027adeb7a26027076259fea474e9fa8fa966a26c66f32b4585824be803f914258018da37cebab
SSDEEP

12288:6yu8gCTiJiYNadtDIC4W43ksPZE5SqG2VcV8XX7xe9DPBi3/2Kmm97Wb9cd:6yu8gCTX8aTUC5akaa5qZV8Xrg9Deb7z

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

subinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

pid	process
4292	subinacl.exe
628	subinacl.exe
4488	subinacl.exe
748	subinacl.exe
3916	subinacl.exe
2072	subinacl.exe
4692	subinacl.exe
3064	subinacl.exe
4428	subinacl.exe
4012	subinacl.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exe

pid process

1804 takeown.exe
3772 icacls.exe
3948 icacls.exe
220 takeown.exe

pid	process
1804	takeown.exe
3772	icacls.exe
3948	icacls.exe
220	takeown.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PrintNotify\Parameters\ServiceDll = "C:\\Windows\\system32\\spool\\DRIVERS\\W32X86\\3\\PrintConfig.dll"	regedit.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "%SystemRoot%\\System32\\spoolsv.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PrintNotify\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k print"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RpcLocator\ImagePath = "%SystemRoot%\\system32\\locator.exe"	regedit.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3224 regsvr32.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

220 takeown.exe
1804 takeown.exe
3772 icacls.exe
3948 icacls.exe

pid	process
3224	regsvr32.exe

pid	process
220	takeown.exe
1804	takeown.exe
3772	icacls.exe
3948	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\runonce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Done = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Done.bat"	reg.exe

Drops file in System32 directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File created	C:\Windows\SysWOW64\spoolss.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolss.dll	cmd.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3316 sc.exe
2996 sc.exe
548 sc.exe

pid	process
3316	sc.exe
2996	sc.exe
548	sc.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

3452 regedit.exe
Runs net.exe

pid	process
3452	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	220	takeown.exe
Token: SeTakeOwnershipPrivilege	1804	takeown.exe
Token: SeSecurityPrivilege	4292	subinacl.exe
Token: SeBackupPrivilege	4292	subinacl.exe
Token: SeRestorePrivilege	4292	subinacl.exe
Token: SeRestorePrivilege	4292	subinacl.exe
Token: SeTakeOwnershipPrivilege	4292	subinacl.exe
Token: SeChangeNotifyPrivilege	4292	subinacl.exe
Token: SeDebugPrivilege	4292	subinacl.exe
Token: SeSecurityPrivilege	628	subinacl.exe
Token: SeBackupPrivilege	628	subinacl.exe
Token: SeRestorePrivilege	628	subinacl.exe
Token: SeRestorePrivilege	628	subinacl.exe
Token: SeTakeOwnershipPrivilege	628	subinacl.exe
Token: SeChangeNotifyPrivilege	628	subinacl.exe
Token: SeDebugPrivilege	628	subinacl.exe
Token: SeSecurityPrivilege	4488	subinacl.exe
Token: SeBackupPrivilege	4488	subinacl.exe
Token: SeRestorePrivilege	4488	subinacl.exe
Token: SeRestorePrivilege	4488	subinacl.exe
Token: SeTakeOwnershipPrivilege	4488	subinacl.exe
Token: SeChangeNotifyPrivilege	4488	subinacl.exe
Token: SeDebugPrivilege	4488	subinacl.exe
Token: SeSecurityPrivilege	748	subinacl.exe
Token: SeBackupPrivilege	748	subinacl.exe
Token: SeRestorePrivilege	748	subinacl.exe
Token: SeRestorePrivilege	748	subinacl.exe
Token: SeTakeOwnershipPrivilege	748	subinacl.exe
Token: SeChangeNotifyPrivilege	748	subinacl.exe
Token: SeDebugPrivilege	748	subinacl.exe
Token: SeSecurityPrivilege	3916	subinacl.exe
Token: SeBackupPrivilege	3916	subinacl.exe
Token: SeRestorePrivilege	3916	subinacl.exe
Token: SeRestorePrivilege	3916	subinacl.exe
Token: SeTakeOwnershipPrivilege	3916	subinacl.exe
Token: SeChangeNotifyPrivilege	3916	subinacl.exe
Token: SeDebugPrivilege	3916	subinacl.exe
Token: SeSecurityPrivilege	2072	subinacl.exe
Token: SeBackupPrivilege	2072	subinacl.exe
Token: SeRestorePrivilege	2072	subinacl.exe
Token: SeRestorePrivilege	2072	subinacl.exe
Token: SeTakeOwnershipPrivilege	2072	subinacl.exe
Token: SeChangeNotifyPrivilege	2072	subinacl.exe
Token: SeDebugPrivilege	2072	subinacl.exe
Token: SeSecurityPrivilege	4692	subinacl.exe
Token: SeBackupPrivilege	4692	subinacl.exe
Token: SeRestorePrivilege	4692	subinacl.exe
Token: SeRestorePrivilege	4692	subinacl.exe
Token: SeTakeOwnershipPrivilege	4692	subinacl.exe
Token: SeChangeNotifyPrivilege	4692	subinacl.exe
Token: SeDebugPrivilege	4692	subinacl.exe
Token: SeSecurityPrivilege	3064	subinacl.exe
Token: SeBackupPrivilege	3064	subinacl.exe
Token: SeRestorePrivilege	3064	subinacl.exe
Token: SeRestorePrivilege	3064	subinacl.exe
Token: SeTakeOwnershipPrivilege	3064	subinacl.exe
Token: SeChangeNotifyPrivilege	3064	subinacl.exe
Token: SeDebugPrivilege	3064	subinacl.exe
Token: SeSecurityPrivilege	4428	subinacl.exe
Token: SeBackupPrivilege	4428	subinacl.exe
Token: SeRestorePrivilege	4428	subinacl.exe
Token: SeRestorePrivilege	4428	subinacl.exe
Token: SeTakeOwnershipPrivilege	4428	subinacl.exe
Token: SeChangeNotifyPrivilege	4428	subinacl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4200 LogonUI.exe

pid	process
4200	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.execmd.execmd.exenet.exe

description	pid	process	target process
PID 2952 wrote to memory of 5080	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 5080	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 5080	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 4992	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 4992	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 4992	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1292	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1292	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1292	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 1292 wrote to memory of 5036	1292	cmd.exe	attrib.exe
PID 1292 wrote to memory of 5036	1292	cmd.exe	attrib.exe
PID 1292 wrote to memory of 5036	1292	cmd.exe	attrib.exe
PID 2952 wrote to memory of 4936	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 4936	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 4936	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1820	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1820	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1820	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1336	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1336	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1336	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 2240	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 2240	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 2240	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1696	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1696	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1696	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 2664	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 2664	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 2664	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1460	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1460	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 2952 wrote to memory of 1460	2952	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 1460 wrote to memory of 1728	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1728	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1728	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1308	1460	cmd.exe	net.exe
PID 1460 wrote to memory of 1308	1460	cmd.exe	net.exe
PID 1460 wrote to memory of 1308	1460	cmd.exe	net.exe
PID 1308 wrote to memory of 3144	1308	net.exe	net1.exe
PID 1308 wrote to memory of 3144	1308	net.exe	net1.exe
PID 1308 wrote to memory of 3144	1308	net.exe	net1.exe
PID 1460 wrote to memory of 220	1460	cmd.exe	takeown.exe
PID 1460 wrote to memory of 220	1460	cmd.exe	takeown.exe
PID 1460 wrote to memory of 220	1460	cmd.exe	takeown.exe
PID 1460 wrote to memory of 1804	1460	cmd.exe	takeown.exe
PID 1460 wrote to memory of 1804	1460	cmd.exe	takeown.exe
PID 1460 wrote to memory of 1804	1460	cmd.exe	takeown.exe
PID 1460 wrote to memory of 3772	1460	cmd.exe	icacls.exe
PID 1460 wrote to memory of 3772	1460	cmd.exe	icacls.exe
PID 1460 wrote to memory of 3772	1460	cmd.exe	icacls.exe
PID 1460 wrote to memory of 3948	1460	cmd.exe	icacls.exe
PID 1460 wrote to memory of 3948	1460	cmd.exe	icacls.exe
PID 1460 wrote to memory of 3948	1460	cmd.exe	icacls.exe
PID 1460 wrote to memory of 4292	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 4292	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 4292	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 628	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 628	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 628	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 4488	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 4488	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 4488	1460	cmd.exe	subinacl.exe
PID 1460 wrote to memory of 748	1460	cmd.exe	subinacl.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5036 attrib.exe

pid	process
5036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe
"C:\Users\Admin\AppData\Local\Temp\ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
2⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
2⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
3⤵
- Views/modifies file attributes
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5143.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5143.bat"
2⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4658.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4658.exe"
2⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5143.bat
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\reg.exe
Reg Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /f
3⤵
PID:1728

C:\Windows\SysWOW64\net.exe
Net stop spooler
3⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop spooler
4⤵
PID:3144

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolss.dll /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolsv.exe /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolss.dll" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3772

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolsv.exe" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3948

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Windows\System32\spoolss.dll
3⤵
- Loads dropped DLL
PID:3224

C:\Windows\SysWOW64\msiexec.exe
Msiexec /unregserver
3⤵
PID:4608

C:\Windows\SysWOW64\msiexec.exe
Msiexec /regserver
3⤵
PID:3060

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg
3⤵
- Sets DLL path for service in the registry
- Sets service image path in registry
- Runs .reg file with regedit
PID:3452

C:\Windows\SysWOW64\sc.exe
sc config spooler depend= RPCSS
3⤵
- Launches sc.exe
PID:3316

C:\Windows\SysWOW64\sc.exe
sc config spooler type= own
3⤵
- Launches sc.exe
PID:2996

C:\Windows\SysWOW64\sc.exe
sc config spooler start= auto
3⤵
- Launches sc.exe
PID:548

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /v Type /t REG_DWORD /d 0x00000010 /f
3⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
PID:4012

C:\Windows\SysWOW64\net.exe
Net start spooler
3⤵
PID:1752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start spooler
4⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Done.bat" /f
3⤵
- Adds Run key to start application
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
3⤵
PID:2624

C:\Windows\SysWOW64\shutdown.exe
Shutdown /r /f /t 10
3⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5143.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5143.bat"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4658.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4658.exe"
2⤵
PID:1560

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:4464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa398e855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg

Filesize
14KB

MD5
4a0dee6357cac5c02ceeac9a2dbe0b10

SHA1
b793bce7b5464af3b904c69df1f7f53e39b3f463

SHA256
8e26f7164963cda331406cd232ff330ed50adc36caf0b88ed6ce67e117011fa0

SHA512
fd327c69455973c554a75d86214f4b6a053bb01988effeee18fe9929042c8e38aa1416238b91f3b342470e856f955838b3887d62dd44295ec82f18b32ffabecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll

Filesize
44KB

MD5
cedb970eee0aa5088b9bde3b0f94a971

SHA1
8e6fdf3e333b4e8db05a4e6c35dd5191b013855d

SHA256
8a7de956e6e069be66d7c8f5730694e262b0d25ac987c4ca4fbf634d43f80dac

SHA512
5f80f6fb31457436c80b65c0b685d47a23b350ad55d4c86674a91b52ee1728cb8ded05403f21ce81a4ccaba9a8dad91770e2ffa19a57591cb2af27d55f7f2551

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe

Filesize
485KB

MD5
d246a6f32cd74a0ae1f00ef7c73a1dbc

SHA1
1ec9b95aedff7eb09e0c7c4c8ecde473c9609328

SHA256
771cfd6d6474de9cf0abaf2af3e800125217cc7eaea92d6d04f8274080961e5e

SHA512
4237ca05a34ed9c1e2a3a5fea48c3a1a99d10fa301ee4bb2e0045aa33cc944cf8defdeada3df98f4f84b8a96d292f16f89990da6979ee85fe9ca6d6b71fd1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
186B

MD5
96d166f9530d94e1021916fd7c6e4a6f

SHA1
c641b873029c1c48f6c177319f3a5647d1b4685d

SHA256
253c417d94f7f5838807aa4fbbf64a5b197ffb65380234cdd40c48140ff0d961

SHA512
ba87107ab97aaa27e1f2bc5ceb024316c1d271dcc001e1427ca8c99e781da367c3709f00aaedcfbfb59cd91bed9b00dfd84de2abd279955dfda974515556c5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4658.exe

Filesize
15B

MD5
3c52638971ead82b5929d605c1314ee0

SHA1
7318148a40faca203ac402dff51bbb04e638545c

SHA256
5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab

SHA512
46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5143.bat

Filesize
5KB

MD5
b37df59a34f4ac0ad6f6b989cf946bfe

SHA1
f92e97eb2e9923b7079b5dcead6aa7a3545014df

SHA256
ee0fb25f0a8084e480aef45ce03e64525bd105d36a88edc3bdc632868e0aaeff

SHA512
0d77b6860ff47b5524b97b69461ded70468ba3880f42696fe3373e4b68f57054cee9f09ee77dece084f8d0eb4b606b633cbbebf82a591d13c3bac64e5ef3f653

Download Submit
C:\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
cedb970eee0aa5088b9bde3b0f94a971

SHA1
8e6fdf3e333b4e8db05a4e6c35dd5191b013855d

SHA256
8a7de956e6e069be66d7c8f5730694e262b0d25ac987c4ca4fbf634d43f80dac

SHA512
5f80f6fb31457436c80b65c0b685d47a23b350ad55d4c86674a91b52ee1728cb8ded05403f21ce81a4ccaba9a8dad91770e2ffa19a57591cb2af27d55f7f2551

Download Submit
C:\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
cedb970eee0aa5088b9bde3b0f94a971

SHA1
8e6fdf3e333b4e8db05a4e6c35dd5191b013855d

SHA256
8a7de956e6e069be66d7c8f5730694e262b0d25ac987c4ca4fbf634d43f80dac

SHA512
5f80f6fb31457436c80b65c0b685d47a23b350ad55d4c86674a91b52ee1728cb8ded05403f21ce81a4ccaba9a8dad91770e2ffa19a57591cb2af27d55f7f2551

Download Submit
C:\Windows\SysWOW64\spoolsv.exe

Filesize
485KB

MD5
d246a6f32cd74a0ae1f00ef7c73a1dbc

SHA1
1ec9b95aedff7eb09e0c7c4c8ecde473c9609328

SHA256
771cfd6d6474de9cf0abaf2af3e800125217cc7eaea92d6d04f8274080961e5e

SHA512
4237ca05a34ed9c1e2a3a5fea48c3a1a99d10fa301ee4bb2e0045aa33cc944cf8defdeada3df98f4f84b8a96d292f16f89990da6979ee85fe9ca6d6b71fd1c4e

Download Submit
memory/220-147-0x0000000000000000-mapping.dmp

Download
memory/548-180-0x0000000000000000-mapping.dmp

Download
memory/628-154-0x0000000000000000-mapping.dmp

Download
memory/748-158-0x0000000000000000-mapping.dmp

Download
memory/1292-134-0x0000000000000000-mapping.dmp

Download
memory/1308-145-0x0000000000000000-mapping.dmp

Download
memory/1336-138-0x0000000000000000-mapping.dmp

Download
memory/1460-142-0x0000000000000000-mapping.dmp

Download
memory/1560-197-0x0000000000000000-mapping.dmp

Download
memory/1616-196-0x0000000000000000-mapping.dmp

Download
memory/1696-140-0x0000000000000000-mapping.dmp

Download
memory/1728-144-0x0000000000000000-mapping.dmp

Download
memory/1752-186-0x0000000000000000-mapping.dmp

Download
memory/1804-148-0x0000000000000000-mapping.dmp

Download
memory/1820-137-0x0000000000000000-mapping.dmp

Download
memory/2072-162-0x0000000000000000-mapping.dmp

Download
memory/2240-139-0x0000000000000000-mapping.dmp

Download
memory/2268-188-0x0000000000000000-mapping.dmp

Download
memory/2624-189-0x0000000000000000-mapping.dmp

Download
memory/2664-141-0x0000000000000000-mapping.dmp

Download
memory/2996-179-0x0000000000000000-mapping.dmp

Download
memory/3060-175-0x0000000000000000-mapping.dmp

Download
memory/3064-170-0x0000000000000000-mapping.dmp

Download
memory/3068-187-0x0000000000000000-mapping.dmp

Download
memory/3136-192-0x0000000000000000-mapping.dmp

Download
memory/3144-146-0x0000000000000000-mapping.dmp

Download
memory/3224-172-0x0000000000000000-mapping.dmp

Download
memory/3316-178-0x0000000000000000-mapping.dmp

Download
memory/3452-176-0x0000000000000000-mapping.dmp

Download
memory/3580-191-0x0000000000000000-mapping.dmp

Download
memory/3700-181-0x0000000000000000-mapping.dmp

Download
memory/3772-149-0x0000000000000000-mapping.dmp

Download
memory/3788-195-0x0000000000000000-mapping.dmp

Download
memory/3916-160-0x0000000000000000-mapping.dmp

Download
memory/3948-150-0x0000000000000000-mapping.dmp

Download
memory/4012-184-0x0000000000000000-mapping.dmp

Download
memory/4292-151-0x0000000000000000-mapping.dmp

Download
memory/4376-193-0x0000000000000000-mapping.dmp

Download
memory/4428-182-0x0000000000000000-mapping.dmp

Download
memory/4488-156-0x0000000000000000-mapping.dmp

Download
memory/4608-174-0x0000000000000000-mapping.dmp

Download
memory/4664-194-0x0000000000000000-mapping.dmp

Download
memory/4692-166-0x0000000000000000-mapping.dmp

Download
memory/4936-136-0x0000000000000000-mapping.dmp

Download
memory/4992-133-0x0000000000000000-mapping.dmp

Download
memory/5036-135-0x0000000000000000-mapping.dmp

Download
memory/5080-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads