spoolsv[.]exe[.]7z

Sharing

Copy URL Twitter E-mail

General

Target

spoolsv.exe.7z
Size

115KB
MD5

6515e697ce30a4ff2e0cb4b04381eb79
SHA1

117d055bfeff5aa2e6e84ac9e530582fc164c4a6
SHA256

4c434e083be4ecf099192d0498e79fa0a8054f678375c146929102db44f93af2
SHA512

059fc00a2ffd52f30fd28fc8461d66f5a2f90fe750105cd57092c2d5db49036d85b4ce134bac760730c146ae17ca89d6ca936f3889053382708de7f557f85a26
SSDEEP

3072:mMCwSDnKgeHN6n+t8p2ciclmte0QbZfyu5LHWomFP+uy3oD:mySDnKJ8+t8p2ZsO2ku1HuZW

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/spoolsv.exe

Files

spoolsv.exe.7z
.7z

Password: infected
spoolsv.exe
.exe windows x86

Password: infected

adb01f4ec6ad57c910f43a0c3af22d5f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__CxxFrameHandler3
_onexit
_lock
__dllonexit
_unlock
_controlfp
?terminate@@YAXXZ
_except_handler4_common
__set_app_type
__p__fmode
__p__commode
__setusermatherr
_amsg_exit
_initterm
exit
_XcptFilter
_exit
_cexit
__getmainargs
_purecall
??3@YAXPAX@Z
_stricmp
_strnicmp
wcsncmp
_wcsnicmp
wcsstr
memcpy
wcschr
_vsnwprintf
towlower
towupper
memset
_wcsicmp
??2@YAPAXI@Z

ntdll

RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
NtClose
NtOpenThreadToken
NtSetInformationThread
NtOpenProcessToken
RtlReportException
EtwEventEnabled
TpReleasePool
TpAllocTimer
TpSetTimer
TpAllocWork
TpPostWork
TpSimpleTryPost
TpAllocWait
TpAllocPool
TpSetPoolMaxThreads
TpSetPoolMinThreads
TpAllocAlpcCompletion
TpAllocIoCompletion
TpStartAsyncIoOperation
RtlNtStatusToDosError
TpCallbackMayRunLong
TpWaitForAlpcCompletion
TpReleaseAlpcCompletion
TpWaitForIoCompletion
TpReleaseIoCompletion
TpWaitForTimer
TpReleaseTimer
TpSetWait
TpWaitForWait
TpReleaseWait
TpWaitForWork
TpReleaseWork
RtlValidRelativeSecurityDescriptor
EtwEventWrite
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
EtwTraceMessage
EtwEventUnregister
EtwEventRegister
WinSqmIsOptedIn
WinSqmAddToStreamEx
WinSqmSetDWORD
WinSqmIncrementDWORD

api-ms-win-core-localregistry-l1-1-0

RegQueryInfoKeyW
RegGetKeySecurity
RegSetKeySecurity
RegEnumValueW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegDeleteKeyExW
RegOpenCurrentUser
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegGetValueW

api-ms-win-service-core-l1-1-0

SetServiceStatus
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW

rpcrt4

RpcServerInqBindings
RpcBindingToStringBindingW
RpcBindingVectorFree
RpcEpRegisterW
RpcServerRegisterIf
RpcServerRegisterIf2
RpcObjectSetType
RpcServerUseProtseqW
RpcServerUseProtseqEpA
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcBindingFree
RpcSmDestroyClientContext
I_RpcBindingInqTransportType
NdrAsyncClientCall
NdrClientCall2
RpcServerTestCancel
I_RpcExceptionFilter
RpcServerUnsubscribeForNotification
RpcServerSubscribeForNotification
RpcAsyncAbortCall
RpcSsContextLockExclusive
RpcStringFreeW
RpcRevertToSelfEx
RpcAsyncCompleteCall
RpcImpersonateClient
RpcRevertToSelf
RpcServerInqBindingHandle
I_RpcBindingIsClientLocal
I_RpcSessionStrictContextHandle
RpcRaiseException
NdrAsyncServerCall
NdrServerCall2
RpcMgmtSetServerStackSize
RpcServerInqDefaultPrincNameW
RpcServerRegisterAuthInfoW
RpcServerListen
RpcStringBindingParseW

kernel32

lstrcmpiW
QueueUserWorkItem
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
InitializeSRWLock
GetSystemTime
MoveFileExW
IsDebuggerPresent
AddVectoredExceptionHandler
DeleteFileW
GetCurrentProcessId
GetComputerNameW
WideCharToMultiByte
lstrlenW
LoadLibraryW
GetCurrentThread
LoadLibraryExW
SetErrorMode
SetPriorityClass
HeapDestroy
TlsFree
DisableThreadLibraryCalls
HeapCreate
TlsGetValue
SetConsoleCtrlHandler
InitializeCriticalSection
DuplicateHandle
ReadFile
CreateFileW
GetTempFileNameW
CompareStringW
ExitThread
GetLastError
CloseHandle
WaitForSingleObject
GetModuleHandleW
CreateEventW
CreateThread
GetTickCount
ExitProcess
Sleep
OpenEventW
HeapSetInformation
GetProcessHeap
InitializeCriticalSectionAndSpinCount
TlsAlloc
GetVersionExW
LeaveCriticalSection
EnterCriticalSection
SetEvent
SetLastError
TlsSetValue
InterlockedDecrement
OpenProcess
InterlockedIncrement
RaiseException
GetProcAddress
FreeLibrary
InterlockedCompareExchange
LoadLibraryExA
InterlockedExchange
SetUnhandledExceptionFilter
GetModuleHandleA
QueryPerformanceCounter
GetCurrentThreadId
DebugBreak
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetThreadpoolTimer
HeapAlloc
HeapFree
DeleteCriticalSection
ResetEvent
LocalFree

user32

SendNotifyMessageW
MsgWaitForMultipleObjects
TranslateMessage
DispatchMessageW
PeekMessageW
UnregisterDeviceNotification
RegisterDeviceNotificationW

powrprof

PowerDeterminePlatformRole
GetPwrCapabilities

dnsapi

DnsQuery_W
DnsFree

Exports

Exports

GetSpoolerTlsIndexes
PrvAbortPrinter
PrvAddFormW
PrvAddJobW
PrvAddMonitorW
PrvAddPerMachineConnectionW
PrvAddPortExW
PrvAddPortW
PrvAddPrintProcessorW
PrvAddPrintProvidorW
PrvAddPrinterConnectionW
PrvAddPrinterDriverExW
PrvAddPrinterDriverW
PrvAddPrinterExW
PrvAddPrinterW
PrvAdjustPointers
PrvAdjustPointersInStructuresArray
PrvAlignKMPtr
PrvAlignRpcPtr
PrvAllocSplStr
PrvAllowRemoteCalls
PrvAppendPrinterNotifyInfoData
PrvBuildOtherNamesFromMachineName
PrvCacheAddName
PrvCacheCreateAndAddNode
PrvCacheCreateAndAddNodeWithIPAddresses
PrvCacheDeleteNode
PrvCacheIsNameCluster
PrvCacheIsNameInNodeList
PrvCallDrvDevModeConversion
PrvCallRouterFindFirstPrinterChangeNotification
PrvCheckLocalCall
PrvClosePrinter
PrvClusterSplClose
PrvClusterSplIsAlive
PrvClusterSplOpen
PrvConfigurePortW
PrvCreatePrinterIC
PrvDeleteFormW
PrvDeleteMonitorW
PrvDeletePerMachineConnectionW
PrvDeletePortW
PrvDeletePrintProcessorW
PrvDeletePrintProvidorW
PrvDeletePrinter
PrvDeletePrinterConnectionW
PrvDeletePrinterDataExW
PrvDeletePrinterDataW
PrvDeletePrinterDriverExW
PrvDeletePrinterDriverW
PrvDeletePrinterIC
PrvDeletePrinterKeyW
PrvDllAllocSplMem
PrvDllAllocSplStr
PrvDllFreeSplMem
PrvDllFreeSplStr
PrvDllReallocSplMem
PrvDllReallocSplStr
PrvEndDocPrinter
PrvEndPagePrinter
PrvEnumFormsW
PrvEnumJobsW
PrvEnumMonitorsW
PrvEnumPerMachineConnectionsW
PrvEnumPortsW
PrvEnumPrintProcessorDatatypesW
PrvEnumPrintProcessorsW
PrvEnumPrinterDataExW
PrvEnumPrinterDataW
PrvEnumPrinterDriversW
PrvEnumPrinterKeyW
PrvEnumPrintersW
PrvFindClosePrinterChangeNotification
PrvFlushPrinter
PrvFormatPrinterForRegistryKey
PrvFormatRegistryKeyForPrinter
PrvFreeOtherNames
PrvGetFormW
PrvGetJobAttributes
PrvGetJobAttributesEx
PrvGetJobW
PrvGetNetworkId
PrvGetPrintProcessorDirectoryW
PrvGetPrinterDataExW
PrvGetPrinterDataW
PrvGetPrinterDriverDirectoryW
PrvGetPrinterDriverExW
PrvGetPrinterDriverW
PrvGetPrinterW
PrvGetServerPolicy
PrvGetShrinkedSize
PrvGetSpoolerTlsIndexes
PrvImpersonatePrinterClient
PrvInitializeRouter
PrvIsNameTheLocalMachineOrAClusterSpooler
PrvIsNamedPipeRpcCall
PrvMIDL_user_allocate
PrvMIDL_user_allocate1
PrvMIDL_user_free
PrvMIDL_user_free1
PrvMarshallDownStructure
PrvMarshallDownStructuresArray
PrvMarshallUpStructure
PrvMarshallUpStructuresArray
PrvOldGetPrinterDriverW
PrvOpenPrinter2W
PrvOpenPrinterExW
PrvOpenPrinterPort2W
PrvOpenPrinterW
PrvPackStrings
PrvPartialReplyPrinterChangeNotification
PrvPlayGdiScriptOnPrinterIC
PrvPrinterHandleRundown
PrvPrinterMessageBoxW
PrvProvidorFindClosePrinterChangeNotification
PrvProvidorFindFirstPrinterChangeNotification
PrvReadPrinter
PrvReallocSplMem
PrvReallocSplStr
PrvRemoteFindFirstPrinterChangeNotification
PrvReplyClosePrinter
PrvReplyOpenPrinter
PrvReplyPrinterChangeNotification
PrvReplyPrinterChangeNotificationEx
PrvReportJobProcessingProgress
PrvResetPrinterW
PrvRevertToPrinterSelf
PrvRouterAddPrinterConnection2
PrvRouterAllocBidiMem
PrvRouterAllocBidiResponseContainer
PrvRouterAllocPrinterNotifyInfo
PrvRouterBroadcastMessage
PrvRouterCorePrinterDriverInstalled
PrvRouterCreatePrintAsyncNotificationChannel
PrvRouterDeletePrinterDriverPackage
PrvRouterFindCompatibleDriver
PrvRouterFindFirstPrinterChangeNotification
PrvRouterFindNextPrinterChangeNotification
PrvRouterFreeBidiMem
PrvRouterFreeBidiResponseContainer
PrvRouterFreePrinterNotifyInfo
PrvRouterGetCorePrinterDrivers
PrvRouterGetPrintClassObject
PrvRouterGetPrinterDriverPackagePath
PrvRouterInstallPrinterDriverFromPackage
PrvRouterInternalGetPrinterDriver
PrvRouterRefreshPrinterChangeNotification
PrvRouterRegisterForPrintAsyncNotifications
PrvRouterReplyPrinter
PrvRouterSpoolerSetPolicy
PrvRouterUnregisterForPrintAsyncNotifications
PrvRouterUploadPrinterDriverPackage
PrvScheduleJob
PrvSeekPrinter
PrvSendRecvBidiData
PrvSetFormW
PrvSetJobW
PrvSetPortW
PrvSetPrinterDataExW
PrvSetPrinterDataW
PrvSetPrinterW
PrvSplCloseSpoolFileHandle
PrvSplCommitSpoolData
PrvSplDriverUnloadComplete
PrvSplGetClientUserHandle
PrvSplGetSpoolFileInfo
PrvSplGetUserSidStringFromToken
PrvSplInitializeWinSpoolDrv
PrvSplIsSessionZero
PrvSplIsUpgrade
PrvSplPowerEvent
PrvSplProcessPnPEvent
PrvSplProcessSessionEvent
PrvSplPromptUIInUsersSession
PrvSplQueryUserInfo
PrvSplReadPrinter
PrvSplRegisterForDeviceEvents
PrvSplRegisterForSessionEvents
PrvSplShutDownRouter
PrvSplUnregisterForDeviceEvents
PrvSplUnregisterForSessionEvents
PrvSpoolerFindClosePrinterChangeNotification
PrvSpoolerFindFirstPrinterChangeNotification
PrvSpoolerFindNextPrinterChangeNotification
PrvSpoolerFreePrinterNotifyInfo
PrvSpoolerHasInitialized
PrvSpoolerInit
PrvSpoolerRefreshPrinterChangeNotification
PrvStartDocPrinterW
PrvStartPagePrinter
PrvUndoAlignKMPtr
PrvUndoAlignRpcPtr
PrvUpdateBufferSize
PrvUpdatePrinterRegAll
PrvUpdatePrinterRegUser
PrvWaitForPrinterChange
PrvWaitForSpoolerInitialization
PrvWritePrinter
PrvXcvDataW
PrvbGetDevModePerUser
PrvbSetDevModePerUser
ServerGetPrintClassObject
YAbortPrinter
YAddJob
YDriverUnloadComplete
YEndDocPrinter
YEndPagePrinter
YFlushPrinter
YGetPrinter
YGetPrinterDriver2
YGetPrinterDriverDirectory
YReadPrinter
YSeekPrinter
YSetJob
YSetPort
YSetPrinter
YSplReadPrinter
YStartDocPrinter
YStartPagePrinter
YWritePrinter

Sections

.text
Size: 287KB - Virtual size: 286KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

adb01f4ec6ad57c910f43a0c3af22d5f

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

api-ms-win-core-localregistry-l1-1-0

api-ms-win-service-core-l1-1-0

rpcrt4

kernel32

user32

powrprof

dnsapi

Exports

Exports

Sections

.text Size: 287KB - Virtual size: 286KB

.data Size: 4KB - Virtual size: 4KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 15KB - Virtual size: 15KB

.text
Size: 287KB - Virtual size: 286KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 15KB - Virtual size: 15KB