db5d4e3b0693ba3003de1321f61d9bd75886c54095ea3500cc95479a77258e54

General

Target

db5d4e3b0693ba3003de1321f61d9bd75886c54095ea3500cc95479a77258e54.dll
Size

137KB
MD5

41d39994598efec3cae644819893cb66
SHA1

41abed9c00de718d43df984029036404561e2109
SHA256

db5d4e3b0693ba3003de1321f61d9bd75886c54095ea3500cc95479a77258e54
SHA512

2241dd28d4f574d8969ff6fda359d980b19f220c8b3a035e9ef104ee0df517cc63a3298b6616a315ba60d7d03fbc32accf9a370d850137fc1595958b8365a74f
SSDEEP

3072:WR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUu:T25GgFny61mra

Score

8^/10

Malware Config

Signatures

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 7 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Miscson.dll	rundll32.exe
File created	C:\Windows\SysWOW64\Miscson.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\scsimon.dll	rundll32.exe
File created	C:\Windows\SysWOW64\scsimon.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2988	2700	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2116	Spoolsv.exe
Token: SeRestorePrivilege	2116	Spoolsv.exe
Token: SeRestorePrivilege	2116	Spoolsv.exe
Token: SeRestorePrivilege	2116	Spoolsv.exe
Token: SeRestorePrivilege	2116	Spoolsv.exe
Token: SeRestorePrivilege	2116	Spoolsv.exe
Token: SeRestorePrivilege	2116	Spoolsv.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2700	2656	rundll32.exe	30
PID 2656 wrote to memory of 2700	2656	rundll32.exe	30
PID 2656 wrote to memory of 2700	2656	rundll32.exe	30
PID 2656 wrote to memory of 2700	2656	rundll32.exe	30
PID 2656 wrote to memory of 2700	2656	rundll32.exe	30
PID 2656 wrote to memory of 2700	2656	rundll32.exe	30
PID 2656 wrote to memory of 2700	2656	rundll32.exe	30
PID 2700 wrote to memory of 2988	2700	rundll32.exe	31
PID 2700 wrote to memory of 2988	2700	rundll32.exe	31
PID 2700 wrote to memory of 2988	2700	rundll32.exe	31
PID 2700 wrote to memory of 2988	2700	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5d4e3b0693ba3003de1321f61d9bd75886c54095ea3500cc95479a77258e54.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5d4e3b0693ba3003de1321f61d9bd75886c54095ea3500cc95479a77258e54.dll,#1
  2⤵
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 320
    3⤵
    - Program crash
    PID:2988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2796

C:\Windows\system32\Spoolsv.exe
Spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2116