923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1

Analysis

max time kernel
156s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 17:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1.exe
Size

914KB
MD5

8c59095b55a49af14df67e31ee6d60f3
SHA1

13eb6e1dd1487b63fab0f514b65f4c07b7f668f1
SHA256

923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1
SHA512

5fd23904a103a78aa617028f4d7665641ac175c3859832a730988a42b4ef03f81a57b23abedb754c9638d90bf110ea5f3e763e4dd37e9eaa4926afefe69a64e4
SSDEEP

24576:TwT+mZ4Nj9KRpRoUWmmKKR+Pz3VZcwZ60PX0wS7fLIznJwD25:TwTDSNj4fWm/KUPDVZnZfPtELOh5

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5056	spoolsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	spoolsv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	spoolsv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "svchost"	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	spoolsv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "svchost"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\" -noconnect"	spoolsv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\" -noconnect"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	spoolsv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	spoolsv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	spoolsv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	spoolsv.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4300	regedit.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5056	spoolsv.exe
5056	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1820	3924	923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1.exe	79
PID 3924 wrote to memory of 1820	3924	923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1.exe	79
PID 3924 wrote to memory of 1820	3924	923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1.exe	79
PID 1820 wrote to memory of 4300	1820	cmd.exe	81
PID 1820 wrote to memory of 4300	1820	cmd.exe	81
PID 1820 wrote to memory of 4300	1820	cmd.exe	81
PID 1820 wrote to memory of 5056	1820	cmd.exe	82
PID 1820 wrote to memory of 5056	1820	cmd.exe	82
PID 1820 wrote to memory of 5056	1820	cmd.exe	82
PID 1820 wrote to memory of 4988	1820	cmd.exe	83
PID 1820 wrote to memory of 4988	1820	cmd.exe	83
PID 1820 wrote to memory of 4988	1820	cmd.exe	83

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1.exe
"C:\Users\Admin\AppData\Local\Temp\923bd812f9d21fe2313521a314168e7d99339fe9c9272c5dba6f49db932aa5f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\spoolsv\run.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\Temp\spoolsv\a.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:4300
- - C:\Windows\temp\spoolsv\spoolsv.exe
    C:\Windows\temp\spoolsv\spoolsv.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5056
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +S C:\Windows\temp\spoolsv
    3⤵
    - Views/modifies file attributes
    PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\spoolsv\a.reg

Filesize
1KB

MD5
3a6124b67b70cfc076115d6c03a46555

SHA1
ff32ea635fbc7e246edb1ef30fd2146702137200

SHA256
e3113e9a9fb5e3be2e3ef4580767a78c7be92faf7d71d333619d65e7cd2669f5

SHA512
93cdffa7f738ccf15eae7f611233a1a60985a3a95d80236ddbe0eef83e4deeee191e400eec8a8b927491a7f8e7e7ed548a4554f57ce975ce2213146d02a74449

Download Submit
C:\Windows\Temp\spoolsv\spoolsv.exe

Filesize
1.7MB

MD5
b766003f431cad186bd115f5761592d1

SHA1
33cdfe6f7fa6b321f9a51cc051c32ba924164b10

SHA256
22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

SHA512
d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

Download Submit
C:\Windows\temp\spoolsv\aliases.ini

Filesize
11B

MD5
2218df9cdffc814a3dc25c81dd8619dd

SHA1
0290f796218937f61331adc8803788e7cd4c2299

SHA256
455831b583cfa9549746bcd296a60f5191d2eff7829d469e029b68768c5e56d1

SHA512
7aa4c745dfce7b2c38c4930e8275885727a19480597f685f89ab0e536175c31a2d5ee61cfd84b483f73eb211970a1a4fefcc59d8ef97b9af7bf09b7dcf932efa

Download Submit
C:\Windows\temp\spoolsv\com.mrc

Filesize
9KB

MD5
be80fa7c85a901cc3eb57e86264633db

SHA1
5011e7f3df556dca6095a5fadb1de5186d2d82e3

SHA256
1a86061fd824e13579f964ad522784a5b0dbbabb1b21f1f56e35361efcb289cd

SHA512
4caf8d2ed912fc1a7668923787c148c6dafb0cbae2a6878025a6f24a662b11caa66dc1f2d740cee0d0ef3e947c3bfe6808475952f66c1333e5f5e87a0fc9a4ee

Download Submit
C:\Windows\temp\spoolsv\control.ini

Filesize
42B

MD5
405d882eed0cab5b915aa470a265dcc5

SHA1
7adfa3476bfc1c248619f0f78da6791faa7aa360

SHA256
32680a610219e4de3cdfb104e71a9b3b1c86d3fb6c3f18328e6e161d2e3dff8b

SHA512
03a5ce9a968196c605330e8e41a8df57ff86b1b60b60b38a453c13f469bd372679ff55f325cb336cb9c43db6d15b7554c7474fcc1f7515d8e4ef748d278ee723

Download Submit
C:\Windows\temp\spoolsv\fullname.txt

Filesize
16KB

MD5
8a6976e0f0d3e5e847347fcdc3db86b6

SHA1
504b1ac0061b60cd209656b0be4a56efe3da9323

SHA256
cb5086d0a60964f8a0483de42988a9bc493278cfd1229602eff33bdca564d39c

SHA512
8ae31cef4fee7990cea6eef80fc187363f2542ae865982b52cbba6ef7058fc22a4a40db0a4f738c188874bc3e0fc499cca8238576aac2763c7ff59e7f1bed216

Download Submit
C:\Windows\temp\spoolsv\ident.txt

Filesize
7KB

MD5
f8d12e03c35f4b5bba9c8802a1b36c76

SHA1
c086dd22ad0290a52218326702150f688ff6b3a4

SHA256
3c17749f901433daca0013102405e4d7428edd26fbddc80fa4919b2c1c4ae1c8

SHA512
a9c6a6b74d62caf603dc0a8146ca85dad2636c000251f955d5182ffda09a72c09f3ec90d22ce5ebb9fab747d6c3c75ab282051b0b6f9bcb0560cccea11762f8f

Download Submit
C:\Windows\temp\spoolsv\mirc.ico

Filesize
5KB

MD5
e09aa9787af5cc53fd7525dd6693cf10

SHA1
57445d0779a66c61741822c0a7988573efee13d7

SHA256
c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

SHA512
b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

Download Submit
C:\Windows\temp\spoolsv\mirc.ini

Filesize
3KB

MD5
87936a9b0919481d9baa1d0558e4f1a1

SHA1
47ef40abe63df40652ed8042af1c9d4621ba94fd

SHA256
a98025c7359767eb52ec3f9e68b944d136d62b664b330e8ce83ec6f85fd7b200

SHA512
95860c85febad2577889aab17b52f61124e46954d9effd7b027f5a8180310c4fa492afb865d241b7cc755169e6ba1b1eed3dfc9321208bcdfa9225a2caad0354

Download Submit
C:\Windows\temp\spoolsv\run.bat

Filesize
194B

MD5
08fd9592bfa14c19955fc760be2bb98a

SHA1
2cdc2fa19727df675eee0f8951b0333dbc6f4b81

SHA256
deaa3c0b75540d56d93087aeae32798a82862748056f26ae09f62760805207cf

SHA512
def22fe649aa143929d30f4d159e7b1cf43f2cde2f967648122f191a01f517e151f639abfee8d9270f939a26cf66636c57ffa93022f0223e08b3b61d03b31858

Download Submit
C:\Windows\temp\spoolsv\s.mrc

Filesize
1KB

MD5
579e0f87c272c666ced9eda444e4953e

SHA1
62c50ca0b83f58bd922c1272a182c3cec5c3c919

SHA256
25403d7439b56e2c1e61e1aabd36016fd9d926673c2876c8910d092e56f140a1

SHA512
a5c8b856a1cff5f22114d4bd9d9449bb44fc66c9ebd77d77174bc7f46b55942a52ad3916905774a93bc69ea8a7ded81410ece41afb83c793191cf360375092f5

Download Submit
C:\Windows\temp\spoolsv\servers.ini

Filesize
789B

MD5
e325f9fa0d24be0c4c13d6148b7adc94

SHA1
74942195e292d2e62bb6d01cd6c54445365d0b51

SHA256
07fed1aafcd1e3acfbc910a673601ae9c008fac616ea3376a9310d575b9573d1

SHA512
f8de5bba8a00276e3a8037f33f8f940e217a05068e3f20e6b4d85d0eadd53a6e4f677fbf7b6712def19ac4ce2aa623a3ff29255a2996d742d28a368a6ea2b511

Download Submit
C:\Windows\temp\spoolsv\spoolsv.exe

Filesize
1.7MB

MD5
b766003f431cad186bd115f5761592d1

SHA1
33cdfe6f7fa6b321f9a51cc051c32ba924164b10

SHA256
22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

SHA512
d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

Download Submit
C:\Windows\temp\spoolsv\users.ini

Filesize
147B

MD5
a12ee11f355d955769d9baf06478fe63

SHA1
d236d2ce492eed047768256aa181f53c97f9e6b3

SHA256
fb771787dd8b86c5059989cd8b725456beb480bb4091371a570774f4d064286b

SHA512
dd3301d79f6df5f549c9fd086fd5938803fcb80ceb60af5cb3c367b4eb1c0a01ba95b3256758c586bd42e500df786f974372fa0432a667cdb16b7ac0ab06afaf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads