Analysis Overview
score
8/10
SHA256
da9219a43018e51c0a27617ea30035cf99dedfafebeddcdada50babbf7ae7cfd
Threat Level: Likely malicious
The file da9219a43018e51c0a27617ea30035cf99dedfafebeddcdada50babbf7ae7cfd was found to be: Likely malicious.
Malicious Activity Summary
Registers new Print Monitor
Possible privilege escalation attempt
Registers COM server for autorun
Modifies file permissions
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Modifies registry class
Runs net.exe
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 13:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
55s
Command Line
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\win32spl.dll",#1
Signatures
N/A
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\win32spl.dll",#1
Network
Files
N/A
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240508-en
Max time kernel
127s
Max time network
56s
Command Line
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\win7\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\win7\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
Files
C:\Windows\System32\win32spl.dll
| MD5 | 6fc904493f366f0a10d6cd03a8c4b933 |
| SHA1 | c8cac1aa85ac7417ea64d3ad77b7c13ebc02f1f4 |
| SHA256 | 81be67de5cbff88e8b950fc28a786dc64c8de80e9aba4438432ab9f1776af1aa |
| SHA512 | ab438ed0b4c87825b0219050185892fbc1831c3343ef6bb03276fa02615b0e9ea8adb844a5f5fd617ba62560d99fc325246ad29c3e774840342f814c9a0dbfb7 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win7-20240220-en
Max time kernel
126s
Max time network
119s
Command Line
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\win7\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\win7\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
N/A
Files
C:\Windows\System32\win32spl.dll
| MD5 | 6fc904493f366f0a10d6cd03a8c4b933 |
| SHA1 | c8cac1aa85ac7417ea64d3ad77b7c13ebc02f1f4 |
| SHA256 | 81be67de5cbff88e8b950fc28a786dc64c8de80e9aba4438432ab9f1776af1aa |
| SHA512 | ab438ed0b4c87825b0219050185892fbc1831c3343ef6bb03276fa02615b0e9ea8adb844a5f5fd617ba62560d99fc325246ad29c3e774840342f814c9a0dbfb7 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\win32spl.dll",#1
Signatures
N/A
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\win32spl.dll",#1
Network
N/A
Files
N/A
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
154s
Command Line
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3808,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8
Network
Files
C:\Windows\System32\win32spl.dll
| MD5 | 501ff59564283bd160341c7f99c6c81a |
| SHA1 | fdc6d92a23f3d75dd9ae4ab613a7f052d526114d |
| SHA256 | f04fc42a91b517b6b6f57fea03e9c1b23ccde3b9fdc9bcb537ee09d552c602b9 |
| SHA512 | d4c0174ace128d976432a7264c9f4a1c74305f9ba00d1127feb479ebf9ac5fd056ffcab91275d2a0fa4dd46018a55546a8a8b7073b497528819c39d81e476904 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win7-20240611-en
Max time kernel
117s
Max time network
122s
Command Line
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\printerfix\win7\win32spl.dll
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7\\win32spl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\CLSID\ = "{36DC67DC-D792-49B7-BC53-BE67D4D86493}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\TypeLib\ = "{052A1799-2BD5-4ED6-A254-8E850C48F41A}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\ = "Client Side Rendering Cache Manager" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\ = "Client Side Rendering Cache Manager" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7\\win32spl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ProgID\ = "ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\VersionIndependentProgID\ = "ClientSideRenderingCacheManager.ClientSideRenderingCacheManager" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\CLSID\ = "{36DC67DC-D792-49B7-BC53-BE67D4D86493}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\ = "csrspl 1.0 Cache Manager Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7\\win32spl.dll\\2" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ = "Client Side Rendering Cache Manager" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\printerfix\win7\win32spl.dll
Network
N/A
Files
N/A
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
164s
Command Line
"C:\Users\Admin\AppData\Local\Temp\printerfix\_____\spoolsv.exe"
Signatures
N/A
Processes
C:\Users\Admin\AppData\Local\Temp\printerfix\_____\spoolsv.exe
"C:\Users\Admin\AppData\Local\Temp\printerfix\_____\spoolsv.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240611-en
Max time kernel
129s
Max time network
135s
Command Line
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2016\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2016\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:8
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 185.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.162.192.69.in-addr.arpa | udp |
Files
C:\Windows\System32\win32spl.dll
| MD5 | 14e5d5013d1c11eafad5aff79795fce2 |
| SHA1 | 33dbeb7cc68fd6fe048b2d5d505d105e9cbaaf52 |
| SHA256 | cdca1b6a9a10a594bf5a7d48c0fe480d8116145739c78ff2af7cbbbafb9aea06 |
| SHA512 | ba2593927eb76b8141eded1cb33671e115b000c899ee281569500b857300ef5105191c6399727c9cf3068b40e4081393dc5a7a51fd54850a975e5c290b06dccc |
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win10v2004-20240611-en
Max time kernel
91s
Max time network
95s
Command Line
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\当下软件å›.url
Signatures
N/A
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\当下软件å›.url
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BE | 88.221.83.225:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 225.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240611-en
Max time kernel
129s
Max time network
134s
Command Line
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\__win10-20H___\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\__win10-20H___\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.162.192.69.in-addr.arpa | udp |
Files
C:\Windows\System32\win32spl.dll
| MD5 | 2e9581b7b9cd276a5ab115e4df69f6f9 |
| SHA1 | 800cdb03e4f2125200974a72f43653110426e56d |
| SHA256 | d417f0b2c3d9cc2bcae46358a391d308993ae537325663647ffb2d2c4679018a |
| SHA512 | c3e39ada472a82a707a6e3e79590c40cfc4fe5f46462fd7bd324ec682505a63be413e3453d703942985a73437d21ba6fac5b19ad96c4b55d524716fdf9257bd9 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win7-20240221-en
Max time kernel
126s
Max time network
123s
Command Line
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2016\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2016\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
N/A
Files
C:\Windows\System32\win32spl.dll
| MD5 | 14e5d5013d1c11eafad5aff79795fce2 |
| SHA1 | 33dbeb7cc68fd6fe048b2d5d505d105e9cbaaf52 |
| SHA256 | cdca1b6a9a10a594bf5a7d48c0fe480d8116145739c78ff2af7cbbbafb9aea06 |
| SHA512 | ba2593927eb76b8141eded1cb33671e115b000c899ee281569500b857300ef5105191c6399727c9cf3068b40e4081393dc5a7a51fd54850a975e5c290b06dccc |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win7-20240508-en
Max time kernel
126s
Max time network
126s
Command Line
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2019\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2019\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
N/A
Files
C:\Windows\System32\win32spl.dll
| MD5 | 26327b93ebcad7bf061b63894923a78f |
| SHA1 | 4fc07b0cf4a9a54e5fdd71c33e329abe05b88823 |
| SHA256 | 258058689cef565f5ab1938e1cfed2753bbf5ef2325ad5f8501afd932d42b53e |
| SHA512 | fe0ac07985793ba1a0682ffc0375e07782b63588458d839293eeb5aa8d1cb0809f90051864f7620025bc49a67fd87720523fecaffb62ea895bec7f255a88199b |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240508-en
Max time kernel
79s
Max time network
104s
Command Line
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\printerfix\win7\win32spl.dll
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7\\win32spl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\CLSID\ = "{36DC67DC-D792-49B7-BC53-BE67D4D86493}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7\\win32spl.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\TypeLib\ = "{052A1799-2BD5-4ED6-A254-8E850C48F41A}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\ = "csrspl 1.0 Cache Manager Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ProgID\ = "ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\VersionIndependentProgID\ = "ClientSideRenderingCacheManager.ClientSideRenderingCacheManager" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7\\win32spl.dll\\2" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\ = "Client Side Rendering Cache Manager" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\CLSID\ = "{36DC67DC-D792-49B7-BC53-BE67D4D86493}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ = "Client Side Rendering Cache Manager" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\printerfix\\win7" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\ = "Client Side Rendering Cache Manager" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\printerfix\win7\win32spl.dll
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.29:443 | tcp |
Files
N/A
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win7-20240508-en
Max time kernel
126s
Max time network
121s
Command Line
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\__win10-20H___\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\__win10-20H___\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
N/A
Files
C:\Windows\System32\win32spl.dll
| MD5 | 2e9581b7b9cd276a5ab115e4df69f6f9 |
| SHA1 | 800cdb03e4f2125200974a72f43653110426e56d |
| SHA256 | d417f0b2c3d9cc2bcae46358a391d308993ae537325663647ffb2d2c4679018a |
| SHA512 | c3e39ada472a82a707a6e3e79590c40cfc4fe5f46462fd7bd324ec682505a63be413e3453d703942985a73437d21ba6fac5b19ad96c4b55d524716fdf9257bd9 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
94s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\__win10-20H___\win32spl.dll,#1
Signatures
N/A
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\__win10-20H___\win32spl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win7-20240611-en
Max time kernel
127s
Max time network
124s
Command Line
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2012\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
N/A
Files
C:\Windows\System32\win32spl.dll
| MD5 | 501ff59564283bd160341c7f99c6c81a |
| SHA1 | fdc6d92a23f3d75dd9ae4ab613a7f052d526114d |
| SHA256 | f04fc42a91b517b6b6f57fea03e9c1b23ccde3b9fdc9bcb537ee09d552c602b9 |
| SHA512 | d4c0174ace128d976432a7264c9f4a1c74305f9ba00d1127feb479ebf9ac5fd056ffcab91275d2a0fa4dd46018a55546a8a8b7073b497528819c39d81e476904 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
161s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\LTSC\win32spl.dll,#1
Signatures
N/A
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\LTSC\win32spl.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
153s
Command Line
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2019\win32spl.dll",#1
Signatures
N/A
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2019\win32spl.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win7-20240508-en
Max time kernel
118s
Max time network
125s
Command Line
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\当下软件å›.url
Signatures
N/A
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\当下软件å›.url
Network
N/A
Files
memory/2980-0-0x00000000023B0000-0x00000000023B1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
149s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\_____\localspl.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4884 wrote to memory of 1972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4884 wrote to memory of 1972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4884 wrote to memory of 1972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\_____\localspl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\_____\localspl.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3964 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.162.192.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
146s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\_____\win32spl.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3152 wrote to memory of 4528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3152 wrote to memory of 4528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3152 wrote to memory of 4528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\_____\win32spl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\printerfix\_____\win32spl.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win10v2004-20240611-en
Max time kernel
129s
Max time network
133s
Command Line
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\LTSC\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\LTSC\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.226:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 226.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.23.48.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.162.192.69.in-addr.arpa | udp |
Files
C:\Windows\System32\win32spl.dll
| MD5 | 937dddf8be82ae84d207b7dea83ec6fd |
| SHA1 | df86817c4a95283fe19d3be966cbc37282b5cbdc |
| SHA256 | 40bc894b387c867e8264bf9a3d3910cd1693fc1c8cb557f1a460607bf67d53d0 |
| SHA512 | 0c5641f3e3d6cac2bfd12a258d45d4270d43a5b89ca50ffb2a414a1b3aa24ae0d0319f21ed90776cd2d00fac59c29b80ba0fb5372c585df99805bdca04f1c4b8 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:18
Platform
win7-20240508-en
Max time kernel
126s
Max time network
123s
Command Line
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\LTSC\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\printerfix\LTSC\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
N/A
Files
\Windows\System32\win32spl.dll
| MD5 | 937dddf8be82ae84d207b7dea83ec6fd |
| SHA1 | df86817c4a95283fe19d3be966cbc37282b5cbdc |
| SHA256 | 40bc894b387c867e8264bf9a3d3910cd1693fc1c8cb557f1a460607bf67d53d0 |
| SHA512 | 0c5641f3e3d6cac2bfd12a258d45d4270d43a5b89ca50ffb2a414a1b3aa24ae0d0319f21ed90776cd2d00fac59c29b80ba0fb5372c585df99805bdca04f1c4b8 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
155s
Command Line
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2016\win32spl.dll",#1
Signatures
N/A
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2016\win32spl.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-14 13:16
Reported
2024-06-14 13:19
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
153s
Command Line
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2019\Fix_PrintSpooler.bat"
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\System32\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\spoolsv.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32spl.dll | C:\Windows\system32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | C:\Windows\System32\spoolsv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | C:\Windows\System32\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" | C:\Windows\System32\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | C:\Windows\System32\spoolsv.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\printerfix\Win 2019\Fix_PrintSpooler.bat"
C:\Windows\system32\net.exe
net stop spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spooler
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\takeown.exe
Takeown /A /F C:\Windows\System32\win32spl.dll
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant "administrators":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\win32spl.dll" /grant SYSTEM:F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v RpcAuthnLevelPrivacyEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\net.exe
net start spooler
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start spooler
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| BE | 2.17.107.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 121.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.162.192.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Windows\System32\win32spl.dll
| MD5 | 26327b93ebcad7bf061b63894923a78f |
| SHA1 | 4fc07b0cf4a9a54e5fdd71c33e329abe05b88823 |
| SHA256 | 258058689cef565f5ab1938e1cfed2753bbf5ef2325ad5f8501afd932d42b53e |
| SHA512 | fe0ac07985793ba1a0682ffc0375e07782b63588458d839293eeb5aa8d1cb0809f90051864f7620025bc49a67fd87720523fecaffb62ea895bec7f255a88199b |