a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5

Analysis

max time kernel
80s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 19:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe
Size

721KB
MD5

20e1fcbec4619053a06e4bd67811c200
SHA1

cf3e7f3128d933d9d5e9395f7093bfd56e9f9a2c
SHA256

a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5
SHA512

5d806117fa3b85fffe491fdc2944f99bb576ec4de64c9e26ff3125f63419c0c97a29e3afb7d8351e3b68b320028a1d4ae943e89a092a9f12eea2dfeca140cb08
SSDEEP

12288:6yuMgCTiJiYNadtDII4EViqHbVmacykOvHnQts/XQnFhYCNIBtAGVcW:6yuMgCTX8aTUI1RH/HAY

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

subinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

pid	process
2268	subinacl.exe
1048	subinacl.exe
3836	subinacl.exe
4348	subinacl.exe
3260	subinacl.exe
2808	subinacl.exe
4428	subinacl.exe
3152	subinacl.exe
4860	subinacl.exe
3368	subinacl.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

4224 takeown.exe
4780 takeown.exe
4704 icacls.exe
2348 icacls.exe

pid	process
4224	takeown.exe
4780	takeown.exe
4704	icacls.exe
2348	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "%SystemRoot%\\System32\\spoolsv.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RpcLocator\ImagePath = "%SystemRoot%\\system32\\locator.exe"	regedit.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1816 regsvr32.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

4224 takeown.exe
4780 takeown.exe
4704 icacls.exe
2348 icacls.exe

pid	process
1816	regsvr32.exe

pid	process
4224	takeown.exe
4780	takeown.exe
4704	icacls.exe
2348	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Done = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Done.bat"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\runonce	reg.exe

Drops file in System32 directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File created	C:\Windows\SysWOW64\spoolss.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolss.dll	cmd.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4772 sc.exe
828 sc.exe
1612 sc.exe

pid	process
4772	sc.exe
828	sc.exe
1612	sc.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4032 regedit.exe
Runs net.exe

pid	process
4032	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4224	takeown.exe
Token: SeTakeOwnershipPrivilege	4780	takeown.exe
Token: SeSecurityPrivilege	2268	subinacl.exe
Token: SeBackupPrivilege	2268	subinacl.exe
Token: SeRestorePrivilege	2268	subinacl.exe
Token: SeRestorePrivilege	2268	subinacl.exe
Token: SeTakeOwnershipPrivilege	2268	subinacl.exe
Token: SeChangeNotifyPrivilege	2268	subinacl.exe
Token: SeDebugPrivilege	2268	subinacl.exe
Token: SeSecurityPrivilege	1048	subinacl.exe
Token: SeBackupPrivilege	1048	subinacl.exe
Token: SeRestorePrivilege	1048	subinacl.exe
Token: SeRestorePrivilege	1048	subinacl.exe
Token: SeTakeOwnershipPrivilege	1048	subinacl.exe
Token: SeChangeNotifyPrivilege	1048	subinacl.exe
Token: SeDebugPrivilege	1048	subinacl.exe
Token: SeSecurityPrivilege	3836	subinacl.exe
Token: SeBackupPrivilege	3836	subinacl.exe
Token: SeRestorePrivilege	3836	subinacl.exe
Token: SeRestorePrivilege	3836	subinacl.exe
Token: SeTakeOwnershipPrivilege	3836	subinacl.exe
Token: SeChangeNotifyPrivilege	3836	subinacl.exe
Token: SeDebugPrivilege	3836	subinacl.exe
Token: SeSecurityPrivilege	4348	subinacl.exe
Token: SeBackupPrivilege	4348	subinacl.exe
Token: SeRestorePrivilege	4348	subinacl.exe
Token: SeRestorePrivilege	4348	subinacl.exe
Token: SeTakeOwnershipPrivilege	4348	subinacl.exe
Token: SeChangeNotifyPrivilege	4348	subinacl.exe
Token: SeDebugPrivilege	4348	subinacl.exe
Token: SeSecurityPrivilege	3260	subinacl.exe
Token: SeBackupPrivilege	3260	subinacl.exe
Token: SeRestorePrivilege	3260	subinacl.exe
Token: SeRestorePrivilege	3260	subinacl.exe
Token: SeTakeOwnershipPrivilege	3260	subinacl.exe
Token: SeChangeNotifyPrivilege	3260	subinacl.exe
Token: SeDebugPrivilege	3260	subinacl.exe
Token: SeSecurityPrivilege	2808	subinacl.exe
Token: SeBackupPrivilege	2808	subinacl.exe
Token: SeRestorePrivilege	2808	subinacl.exe
Token: SeRestorePrivilege	2808	subinacl.exe
Token: SeTakeOwnershipPrivilege	2808	subinacl.exe
Token: SeChangeNotifyPrivilege	2808	subinacl.exe
Token: SeDebugPrivilege	2808	subinacl.exe
Token: SeSecurityPrivilege	4428	subinacl.exe
Token: SeBackupPrivilege	4428	subinacl.exe
Token: SeRestorePrivilege	4428	subinacl.exe
Token: SeRestorePrivilege	4428	subinacl.exe
Token: SeTakeOwnershipPrivilege	4428	subinacl.exe
Token: SeChangeNotifyPrivilege	4428	subinacl.exe
Token: SeDebugPrivilege	4428	subinacl.exe
Token: SeSecurityPrivilege	3152	subinacl.exe
Token: SeBackupPrivilege	3152	subinacl.exe
Token: SeRestorePrivilege	3152	subinacl.exe
Token: SeRestorePrivilege	3152	subinacl.exe
Token: SeTakeOwnershipPrivilege	3152	subinacl.exe
Token: SeChangeNotifyPrivilege	3152	subinacl.exe
Token: SeDebugPrivilege	3152	subinacl.exe
Token: SeSecurityPrivilege	4860	subinacl.exe
Token: SeBackupPrivilege	4860	subinacl.exe
Token: SeRestorePrivilege	4860	subinacl.exe
Token: SeRestorePrivilege	4860	subinacl.exe
Token: SeTakeOwnershipPrivilege	4860	subinacl.exe
Token: SeChangeNotifyPrivilege	4860	subinacl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3096 LogonUI.exe

pid	process
3096	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1156 wrote to memory of 5016	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 5016	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 5016	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 5040	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 5040	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 5040	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 2160	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 2160	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 2160	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 2160 wrote to memory of 3624	2160	cmd.exe	attrib.exe
PID 2160 wrote to memory of 3624	2160	cmd.exe	attrib.exe
PID 2160 wrote to memory of 3624	2160	cmd.exe	attrib.exe
PID 1156 wrote to memory of 3232	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 3232	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 3232	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 2116	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 2116	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 2116	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 460	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 460	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 460	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 396	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 396	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 396	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 4308	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 4308	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 4308	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 3396	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 3396	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 3396	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 740	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 740	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1156 wrote to memory of 740	1156	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 740 wrote to memory of 2472	740	cmd.exe	reg.exe
PID 740 wrote to memory of 2472	740	cmd.exe	reg.exe
PID 740 wrote to memory of 2472	740	cmd.exe	reg.exe
PID 740 wrote to memory of 1988	740	cmd.exe	net.exe
PID 740 wrote to memory of 1988	740	cmd.exe	net.exe
PID 740 wrote to memory of 1988	740	cmd.exe	net.exe
PID 1988 wrote to memory of 804	1988	net.exe	net1.exe
PID 1988 wrote to memory of 804	1988	net.exe	net1.exe
PID 1988 wrote to memory of 804	1988	net.exe	net1.exe
PID 740 wrote to memory of 4224	740	cmd.exe	takeown.exe
PID 740 wrote to memory of 4224	740	cmd.exe	takeown.exe
PID 740 wrote to memory of 4224	740	cmd.exe	takeown.exe
PID 740 wrote to memory of 4780	740	cmd.exe	takeown.exe
PID 740 wrote to memory of 4780	740	cmd.exe	takeown.exe
PID 740 wrote to memory of 4780	740	cmd.exe	takeown.exe
PID 740 wrote to memory of 4704	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 4704	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 4704	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 2348	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 2348	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 2348	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 2268	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 2268	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 2268	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 1048	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 1048	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 1048	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 3836	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 3836	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 3836	740	cmd.exe	subinacl.exe
PID 740 wrote to memory of 4348	740	cmd.exe	subinacl.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3624 attrib.exe

pid	process
3624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe
"C:\Users\Admin\AppData\Local\Temp\a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
2⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
2⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
3⤵
- Views/modifies file attributes
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4938.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4938.bat"
2⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4987.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4987.exe"
2⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4938.bat
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\reg.exe
Reg Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /f
3⤵
PID:2472

C:\Windows\SysWOW64\net.exe
Net stop spooler
3⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop spooler
4⤵
PID:804

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolss.dll /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolsv.exe /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolss.dll" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4704

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolsv.exe" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2348

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Windows\System32\spoolss.dll
3⤵
- Loads dropped DLL
PID:1816

C:\Windows\SysWOW64\msiexec.exe
Msiexec /unregserver
3⤵
PID:3816

C:\Windows\SysWOW64\msiexec.exe
Msiexec /regserver
3⤵
PID:1068

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg
3⤵
- Sets service image path in registry
- Runs .reg file with regedit
PID:4032

C:\Windows\SysWOW64\sc.exe
sc config spooler depend= RPCSS
3⤵
- Launches sc.exe
PID:1612

C:\Windows\SysWOW64\sc.exe
sc config spooler type= own
3⤵
- Launches sc.exe
PID:4772

C:\Windows\SysWOW64\sc.exe
sc config spooler start= auto
3⤵
- Launches sc.exe
PID:828

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /v Type /t REG_DWORD /d 0x00000010 /f
3⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
PID:3368

C:\Windows\SysWOW64\net.exe
Net start spooler
3⤵
PID:4572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start spooler
4⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Done.bat" /f
3⤵
- Adds Run key to start application
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
3⤵
PID:4352

C:\Windows\SysWOW64\shutdown.exe
Shutdown /r /f /t 10
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4938.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4938.bat"
2⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4987.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4987.exe"
2⤵
PID:3624

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg

Filesize
11KB

MD5
5b8a8081eb0b3300176510c426c722c9

SHA1
e6d4f7e41a8b49bfe3e18b492afc3e3be2dcc25e

SHA256
00d3bb72cb6e3f9019bfa24023eece8aebcadb776a13a26ea2ed50bf91fd7946

SHA512
3d72dca455156510f0097b9aa7eeebf59cd6b490281e750bf5c072f96eb878c26228ac69572284040c966ace031dea51b4db9f4185328ac6b2821304be1474ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll

Filesize
44KB

MD5
629181c26a78eb66b0b4e774e5ac2882

SHA1
7fb19484c68be7a298647461d543a35c0b739664

SHA256
de39d01adc4123c81ef77b24d7fc2f66c27cc2d31248ef53c52cd31ac90a95ce

SHA512
13377149d4d68130efc148c13ab10480a2f320d4396f61ec7a4fa5e497637469f831401d9c57438fa3d85ca883767c7781bfe37ebf83923aaecab9bebd30e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe

Filesize
309KB

MD5
49b6dd6ab3715b7a67965f17194e98a9

SHA1
748cce9f0ddad553aad3e695f10d6249fde953c2

SHA256
331d69f3630ba978ac13471a2e7465351d04416343a595c62b94badffcd02b3a

SHA512
8690e6180f6323a0b7eb935072eae295ed960f3c1755b3df319d9cd5ba44b55cc652874d098b3fe28c15b2bf4416615c93a6b2f06ecd17d37bea08bb3b371a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
186B

MD5
96d166f9530d94e1021916fd7c6e4a6f

SHA1
c641b873029c1c48f6c177319f3a5647d1b4685d

SHA256
253c417d94f7f5838807aa4fbbf64a5b197ffb65380234cdd40c48140ff0d961

SHA512
ba87107ab97aaa27e1f2bc5ceb024316c1d271dcc001e1427ca8c99e781da367c3709f00aaedcfbfb59cd91bed9b00dfd84de2abd279955dfda974515556c5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4938.bat

Filesize
5KB

MD5
3fb6b4a75bad859037842a61d3b7e4fa

SHA1
7dd9cb5f2f1011a245f1d1f0f1a64220748fc3eb

SHA256
450247f3de5a2a6797c2d281791e087ae4f20119844ba2c990e6ced694470e6e

SHA512
3342146c522319676543322a642dd1ee7cc4aeb78bed3e04981875c0938439627fc5c7597b8128303f172b40d927f3aaa7be0bd78f45b1d344381ea0e437ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4987.exe

Filesize
15B

MD5
3c52638971ead82b5929d605c1314ee0

SHA1
7318148a40faca203ac402dff51bbb04e638545c

SHA256
5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab

SHA512
46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

Download Submit
C:\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
629181c26a78eb66b0b4e774e5ac2882

SHA1
7fb19484c68be7a298647461d543a35c0b739664

SHA256
de39d01adc4123c81ef77b24d7fc2f66c27cc2d31248ef53c52cd31ac90a95ce

SHA512
13377149d4d68130efc148c13ab10480a2f320d4396f61ec7a4fa5e497637469f831401d9c57438fa3d85ca883767c7781bfe37ebf83923aaecab9bebd30e00d

Download Submit
C:\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
629181c26a78eb66b0b4e774e5ac2882

SHA1
7fb19484c68be7a298647461d543a35c0b739664

SHA256
de39d01adc4123c81ef77b24d7fc2f66c27cc2d31248ef53c52cd31ac90a95ce

SHA512
13377149d4d68130efc148c13ab10480a2f320d4396f61ec7a4fa5e497637469f831401d9c57438fa3d85ca883767c7781bfe37ebf83923aaecab9bebd30e00d

Download Submit
C:\Windows\SysWOW64\spoolsv.exe

Filesize
309KB

MD5
49b6dd6ab3715b7a67965f17194e98a9

SHA1
748cce9f0ddad553aad3e695f10d6249fde953c2

SHA256
331d69f3630ba978ac13471a2e7465351d04416343a595c62b94badffcd02b3a

SHA512
8690e6180f6323a0b7eb935072eae295ed960f3c1755b3df319d9cd5ba44b55cc652874d098b3fe28c15b2bf4416615c93a6b2f06ecd17d37bea08bb3b371a94

Download Submit
memory/396-139-0x0000000000000000-mapping.dmp

Download
memory/460-138-0x0000000000000000-mapping.dmp

Download
memory/740-142-0x0000000000000000-mapping.dmp

Download
memory/804-146-0x0000000000000000-mapping.dmp

Download
memory/828-180-0x0000000000000000-mapping.dmp

Download
memory/1048-154-0x0000000000000000-mapping.dmp

Download
memory/1068-175-0x0000000000000000-mapping.dmp

Download
memory/1612-178-0x0000000000000000-mapping.dmp

Download
memory/1752-191-0x0000000000000000-mapping.dmp

Download
memory/1816-172-0x0000000000000000-mapping.dmp

Download
memory/1988-145-0x0000000000000000-mapping.dmp

Download
memory/2116-137-0x0000000000000000-mapping.dmp

Download
memory/2160-134-0x0000000000000000-mapping.dmp

Download
memory/2268-151-0x0000000000000000-mapping.dmp

Download
memory/2348-150-0x0000000000000000-mapping.dmp

Download
memory/2472-144-0x0000000000000000-mapping.dmp

Download
memory/2476-188-0x0000000000000000-mapping.dmp

Download
memory/2808-162-0x0000000000000000-mapping.dmp

Download
memory/3088-192-0x0000000000000000-mapping.dmp

Download
memory/3152-170-0x0000000000000000-mapping.dmp

Download
memory/3232-136-0x0000000000000000-mapping.dmp

Download
memory/3260-160-0x0000000000000000-mapping.dmp

Download
memory/3304-193-0x0000000000000000-mapping.dmp

Download
memory/3356-194-0x0000000000000000-mapping.dmp

Download
memory/3368-184-0x0000000000000000-mapping.dmp

Download
memory/3396-141-0x0000000000000000-mapping.dmp

Download
memory/3624-197-0x0000000000000000-mapping.dmp

Download
memory/3624-135-0x0000000000000000-mapping.dmp

Download
memory/3816-174-0x0000000000000000-mapping.dmp

Download
memory/3836-156-0x0000000000000000-mapping.dmp

Download
memory/3956-195-0x0000000000000000-mapping.dmp

Download
memory/4032-176-0x0000000000000000-mapping.dmp

Download
memory/4160-181-0x0000000000000000-mapping.dmp

Download
memory/4224-147-0x0000000000000000-mapping.dmp

Download
memory/4308-140-0x0000000000000000-mapping.dmp

Download
memory/4348-158-0x0000000000000000-mapping.dmp

Download
memory/4352-189-0x0000000000000000-mapping.dmp

Download
memory/4428-166-0x0000000000000000-mapping.dmp

Download
memory/4568-187-0x0000000000000000-mapping.dmp

Download
memory/4572-186-0x0000000000000000-mapping.dmp

Download
memory/4704-149-0x0000000000000000-mapping.dmp

Download
memory/4772-179-0x0000000000000000-mapping.dmp

Download
memory/4780-148-0x0000000000000000-mapping.dmp

Download
memory/4860-182-0x0000000000000000-mapping.dmp

Download
memory/4932-196-0x0000000000000000-mapping.dmp

Download
memory/5016-132-0x0000000000000000-mapping.dmp

Download
memory/5040-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads