fbcc321f10e8ed9fbda3e9d9ce6cc03ad1fa3c83578a2b22ec7f6fd853412750

General

Target

tmp/SpotifySetup (6).exe
Size

901KB
MD5

6b4411127459dc891fc2fdecbf02ad23
SHA1

b3904dd4f88ec6fce4f806eef1acad40c75e68b8
SHA256

c85f5e46a80bf8658245f7409318a3e1a6894c5de5cfe321c0b1edb13a5e81e4
SHA512

b075b9a2d6b6573627afcd4112da3cb081204169e59172f16de8c8ac7c7ad3a1ae809e9252c58094dbfdb16b9b48c1b032b18397acfc372fa0487271feee77c0
SSDEEP

24576:bL3ZLvFFzsZ1nMdwOySKcgwkPIBu9mI+kVluU:bL3lsfMdwOySKkkPIY9z+kXj

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

SpWebInst0.exe

pid process

288 SpWebInst0.exe
Loads dropped DLL 1 IoCs

Processes:

SpotifySetup (6).exe

pid process

1740 SpotifySetup (6).exe

pid	process
288	SpWebInst0.exe

pid	process
1740	SpotifySetup (6).exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SpotifySetup (6).exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	SpotifySetup (6).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	SpotifySetup (6).exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SpotifySetup (6).exe

description	pid	process	target process
PID 1740 wrote to memory of 288	1740	SpotifySetup (6).exe	SpWebInst0.exe
PID 1740 wrote to memory of 288	1740	SpotifySetup (6).exe	SpWebInst0.exe
PID 1740 wrote to memory of 288	1740	SpotifySetup (6).exe	SpWebInst0.exe
PID 1740 wrote to memory of 288	1740	SpotifySetup (6).exe	SpWebInst0.exe
PID 1740 wrote to memory of 288	1740	SpotifySetup (6).exe	SpWebInst0.exe
PID 1740 wrote to memory of 288	1740	SpotifySetup (6).exe	SpWebInst0.exe
PID 1740 wrote to memory of 288	1740	SpotifySetup (6).exe	SpWebInst0.exe

C:\Users\Admin\AppData\Local\Temp\tmp\SpotifySetup (6).exe
"C:\Users\Admin\AppData\Local\Temp\tmp\SpotifySetup (6).exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exe
  SpWebInst0.exe /webinstall
  2⤵
  - Executes dropped EXE
  PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exe

Filesize
83.7MB

MD5
ee1d13cf21498538ef56313571a382eb

SHA1
17e07380c4a01bc7ebbdf535040803ffd26b3072

SHA256
936a4774b2318bb99b6bf18606168bd593126f6a7ac8bc0590a2114abcff962a

SHA512
a494f7c3229f66effeae0b15c1e1ff18d79f61f7f05e9f2f750a4bb4ccc5052a75ae3f86373685851300e1f2041772b4aa57a2207b18ea9fa7f5c1760f37eb16

Download Submit
\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exe

Filesize
83.7MB

MD5
ee1d13cf21498538ef56313571a382eb

SHA1
17e07380c4a01bc7ebbdf535040803ffd26b3072

SHA256
936a4774b2318bb99b6bf18606168bd593126f6a7ac8bc0590a2114abcff962a

SHA512
a494f7c3229f66effeae0b15c1e1ff18d79f61f7f05e9f2f750a4bb4ccc5052a75ae3f86373685851300e1f2041772b4aa57a2207b18ea9fa7f5c1760f37eb16

Download Submit

Analysis

Sharing