1c6261cd2e6ff6ea6b00e925b0f83d609e20d7cf81efbd09042eb59163224fec

Resubmissions

28/12/2022, 00:00

221228-aatzpaca31 8

Analysis

max time kernel
90s
max time network
92s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28/12/2022, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.bat
Size

4KB
MD5

32ffc32151a2ded23d9a72018460e768
SHA1

80fd5e4fae4407f155e7a56d210c78e33d04e37d
SHA256

1c6261cd2e6ff6ea6b00e925b0f83d609e20d7cf81efbd09042eb59163224fec
SHA512

a39f3fedbb4d64612ab7c82f4885015d2fd930b1f88a8c9052f6b1d89c0ed13dd1618f937b2850dca685147228329f206d708b68f2164cf1d9fa3ca8474a0e04
SSDEEP

96:qGQ9HHSDNcCMOQMYAMlVu7YOnMkycpy1Xq0RHqs06j:qGQ9nRY3YHXuMOMkycpy1XBqs06j

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	416	powershell.exe
4	416	powershell.exe
6	416	powershell.exe
8	416	powershell.exe
11	416	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
3160	spicetify.exe
2884	spicetify.exe
4116	spicetify.exe
5008	spicetify.exe
4704	spicetify.exe
4420	spicetify.exe
3232	spicetify.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
416	powershell.exe
416	powershell.exe
416	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
812	powershell.exe
812	powershell.exe
812	powershell.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
1468	powershell.exe
1468	powershell.exe
1468	powershell.exe
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4832	3972	cmd.exe	67
PID 3972 wrote to memory of 4832	3972	cmd.exe	67
PID 3972 wrote to memory of 416	3972	cmd.exe	68
PID 3972 wrote to memory of 416	3972	cmd.exe	68
PID 416 wrote to memory of 3160	416	powershell.exe	70
PID 416 wrote to memory of 3160	416	powershell.exe	70
PID 416 wrote to memory of 2884	416	powershell.exe	71
PID 416 wrote to memory of 2884	416	powershell.exe	71
PID 416 wrote to memory of 4116	416	powershell.exe	72
PID 416 wrote to memory of 4116	416	powershell.exe	72
PID 416 wrote to memory of 5008	416	powershell.exe	73
PID 416 wrote to memory of 5008	416	powershell.exe	73
PID 416 wrote to memory of 4704	416	powershell.exe	74
PID 416 wrote to memory of 4704	416	powershell.exe	74
PID 4704 wrote to memory of 3928	4704	spicetify.exe	75
PID 4704 wrote to memory of 3928	4704	spicetify.exe	75
PID 4704 wrote to memory of 812	4704	spicetify.exe	76
PID 4704 wrote to memory of 812	4704	spicetify.exe	76
PID 4704 wrote to memory of 4776	4704	spicetify.exe	77
PID 4704 wrote to memory of 4776	4704	spicetify.exe	77
PID 416 wrote to memory of 4420	416	powershell.exe	78
PID 416 wrote to memory of 4420	416	powershell.exe	78
PID 4420 wrote to memory of 1468	4420	spicetify.exe	79
PID 4420 wrote to memory of 1468	4420	spicetify.exe	79
PID 416 wrote to memory of 3232	416	powershell.exe	80
PID 416 wrote to memory of 3232	416	powershell.exe	80
PID 3232 wrote to memory of 4452	3232	spicetify.exe	81
PID 3232 wrote to memory of 4452	3232	spicetify.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\system32\findstr.exe
  findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\install.bat"
  2⤵
  PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe -ExecutionPolicy Bypass -Command "& 'C:\Users\Admin\AppData\Local\Temp\ps.ps1'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
    "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
    3⤵
    - Executes dropped EXE
    PID:3160
- - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
    "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
    "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
    3⤵
    - Executes dropped EXE
    PID:4116
- - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
    "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
    3⤵
    - Executes dropped EXE
    PID:5008
- - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
    "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config current_theme SpotifyNoPremium
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4776
- - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
    "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config extensions adblock.js
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
    "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" backup apply
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7acc138b99daa8e81dd26808e1e76109

SHA1
157b15ece0d90cf50b9e48b2098ae6325fc0fff6

SHA256
aa44bb92381aefd7060e67de93fc285be4e666b31a8ddda23b80f987b8aa75e5

SHA512
9e66657b8543ff91c0ec5d48a12fadf41ca06fa3195780ecb25775eb2c63d4f0739622d4c2d6d9ce57d0b248ca35c9a94db137cf8d9935479a583264304e234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67c25562c73eb03527efb4c6e1bea65

SHA1
3ac4d5343cf9139c5febc4a603c510a79e8385e8

SHA256
96b40de74446f754363077cfaf59d0c616db09230d8774859d0fe3052f116fef

SHA512
6ad4031219aefc377b339e1f5db480187ae7083229eb337682fc58c254a1321bfc04f74ed10f69a8fd40fb77232c3e83f1b974f95a0543c73da09fba65206bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2324f7505fbf3b27efe8f545cc832545

SHA1
8141be18f09d316862685e35a959c6f0dc94dd27

SHA256
776e96d81b1bfc76a47869cb348336a243b4924bbee14e4fb3b81d87823a4529

SHA512
d6d92efc5fba8a39ec3f5f059a36a150acc0b1d033576c979a41837730d2ee654dd754fe0d96596e779c8c2c4b9b37a33a5600561280202e7a4e19414a4733fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70d12413bbd0d2ff9be6e88f90c752ad

SHA1
5e0917ae792368d175efb8d30dd593c61f494853

SHA256
37c507fb81ca353aa872de97aa21e7f39876abc333e45d59e1aa986763cc6477

SHA512
1552bd6f912cea9815197dcef996836160b82f7a97bc6d82c51b670e7da421361e95e395bf97e5414b4c57af0de1f657dae484818b7fc4f7af1d8a5b584df93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f1dacd6ed75f6517d143439865a297c

SHA1
f5bb44352cdfce991b929d9216149c937cc96268

SHA256
9d960a5295bcc69ae7c7d54f7a164d1b19d982819a64a742c12ba279ba982a81

SHA512
b64d68218994c2de2e4941a6a71953165fc44b2aa17ff1ff36b00f302d5e7e9855074c5c15e8d24f909bb649e6933ab1a5a7daafea44dafdda4bfeea66307aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef29b6d266cfbb7ecefc7656f8291fb8

SHA1
6f48b2371f3bb6b2f040f209e76a7e9b943f8643

SHA256
0099db88244289908757cb8fe46b0bd2ae340075f929982e9e8fb8922e9c04d5

SHA512
bac0c81932110ff8702ca9c94cf4ef553d614f9c4b794b6dedc86d7dc2725b132c0dd17b1bfcc2f0a942de2ca0d4824aff44988c00d3fbe5997d0bcc6b81c5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ps.ps1

Filesize
4KB

MD5
a127e8cfd47195e2a12ec8e10807cc71

SHA1
78854fe63f288ae12ecc79f0ae8829a0895bc077

SHA256
58cb781320c2cf5246a4e01a9ba8d2687ac2961f3087772cdf3cdf31f6848967

SHA512
36aab1f0c1bb56bd18e5ea6bed140aff4d029869c216bb5b099c912675c2aee164d8bd087676f1339dfe4fa07254d103b056f9a122f462ad6bc3e6edef44e457

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
7.8MB

MD5
608a96b6ce57f6d76e054f68984b7b81

SHA1
35b73788d313c605b290106e426e8a1005ce86c4

SHA256
f7080f106e4aed8aad49317306307bbd3818433bcfe07f8a353c429847b8d97c

SHA512
6ab58380cbc9bff4dce6337150169e50d19be1838841e00dd88b5b869b71cb67fded0c0c344478ac07779840f60461b602f14b48a8ef04965a7f437c144a1e1d

Download Submit
C:\Users\Admin\AppData\Roaming\spicetify\config-xpui.ini

Filesize
641B

MD5
5604cea52a51eccfb7c3d1879bac2856

SHA1
85e8eca184f39dde92bdb37b67d1b7dadc18857c

SHA256
4e761f0e7efab906623a2c6d2c9a2a6ee344152f0cd46a69e66b2687011e083b

SHA512
577006d0025e7d7f2d76e4176f742b4f17db5334bdeb8512299490d09bfca077b67441504d9511c908e3d31d40b467b3944f0dcb2e45a79dcf5c80b0aa2e4476

Download Submit
memory/416-226-0x0000022200840000-0x0000022200852000-memory.dmp

Filesize
72KB

Download
memory/416-201-0x000002227DBF0000-0x000002227DC04000-memory.dmp

Filesize
80KB

Download
memory/416-122-0x000002227DB80000-0x000002227DBA2000-memory.dmp

Filesize
136KB

Download
memory/416-125-0x000002227DE80000-0x000002227DEF6000-memory.dmp

Filesize
472KB

Download
memory/416-202-0x000002227DC10000-0x000002227DC1A000-memory.dmp

Filesize
40KB

Download
memory/416-204-0x000002227FC50000-0x000002227FE12000-memory.dmp

Filesize
1.8MB

Download
memory/416-205-0x0000022200D30000-0x0000022201256000-memory.dmp

Filesize
5.1MB

Download
memory/416-239-0x0000022200830000-0x000002220083A000-memory.dmp

Filesize
40KB

Download