
spoolsv.exe

Status: finished
Submission Time: 2024-12-08 15:06:10 +01:00
Verdict: Malicious
Classification: Ransomware, Trojan, Spyware, Evader
Malware families: RedLine, StormKitty, XWorm

Tags

  • exe

Details

  • Analysis ID:
    1570972
  • API (Web) ID:
    1570972
  • Analysis Started:
    2024-12-08 15:06:10 +01:00
  • Analysis Finished:
    2024-12-08 15:18:05 +01:00
  • MD5:
    fcfae4fdcc273f8a46c51d49fa8a4a03
  • SHA1:
    3a0e314b7bbdf5467df8b92a348c1b464fd502b0
  • SHA256:
    49ff687dbb13ed84815f3f57c660a0a4fc5cb21c82b605ce53338538a864586d
Joe Sandbox

  • Detection: malicious
  • Score: 100
  • System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

  • Detection: malicious
  • Score: 21/24

IPs

  • 78.70.235.238 (Sweden)
  • 208.95.112.1 (United States)
  • 149.154.167.220 (United Kingdom)

Domains

  • f8terat.ddns.net (78.70.235.238)
  • ip-api.com (208.95.112.1)
  • default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com (217.20.58.100)
  • api.telegram.org (149.154.167.220)

URLs

  • 78.70.235.238:1912
  • 78.70.235.238
  • https://github.com/Pester/Pester

Dropped files

  • C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx.ENC (data)
  • C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.ENC (Alpha compressed COFF)
  • C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.ENC (Alpha compressed COFF)