Overview

overview

10

Static

static

1

Spotify Ac...do.rar

windows7-x64

3

Spotify Ac...do.rar

windows10-2004-x64

3

Spotify/Bl...ibutes

windows7-x64

3

Spotify/Bl...ibutes

windows10-2004-x64

3

Spotify/Bl...ort.md

windows7-x64

3

Spotify/Bl...ort.md

windows10-2004-x64

3

Spotify/Bl...ignore

windows7-x64

3

Spotify/Bl...ignore

windows10-2004-x64

3

Spotify/Bl...ot.bat

windows7-x64

1

Spotify/Bl...ot.bat

windows10-2004-x64

8

Spotify/Block/LICENSE

windows7-x64

1

Spotify/Block/LICENSE

windows10-2004-x64

1

Spotify/Bl...ME.ps1

windows7-x64

1

Spotify/Bl...ME.ps1

windows10-2004-x64

1

Spotify/Bl...ig.ini

windows7-x64

1

Spotify/Bl...ig.ini

windows10-2004-x64

1

Spotify/Bl...ll.ps1

windows7-x64

8

Spotify/Bl...ll.ps1

windows10-2004-x64

10

Spotify/Bl...ot.cpp

windows7-x64

3

Spotify/Bl...ot.cpp

windows10-2004-x64

3

Spotify/Bl...cxproj

windows7-x64

3

Spotify/Bl...cxproj

windows10-2004-x64

3

Spotify/Bl...ilters

windows7-x64

3

Spotify/Bl...ilters

windows10-2004-x64

3

Spotify/Bl...j.user

windows7-x64

3

Spotify/Bl...j.user

windows10-2004-x64

3

Spotify/Bl...nfig.h

windows7-x64

3

Spotify/Bl...nfig.h

windows10-2004-x64

3

Spotify/Bl...gger.h

windows7-x64

3

Spotify/Bl...gger.h

windows10-2004-x64

3

Spotify/Bl...fy.cpp

windows7-x64

3

Spotify/Bl...fy.cpp

windows10-2004-x64

3

Analysis

  • max time kernel
    1793s
  • max time network
    1581s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2023 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Spotify/Block/install.ps1

  • Size

    4KB

  • MD5

    d6391efb89ccc420774799bb0185e609

  • SHA1

    63d2b12fad84b0391cbfe00b485261f9d76ec139

  • SHA256

    0930f42793685aaa781840f88b91b8115ad3787ebb394f29799b8266fc422eb1

  • SHA512

    114f133f766ee0e3eebd238dfc805223f45784313ada4eb66f1e1769074cefd19bf7fedce1ede7a505e9082679678c29cab0a74ff952fa8baf58e372bb6f9435

  • SSDEEP

    96:LwehM7b5L50xpkc6IGKcLfLpUyPsNZuy3eW22Nx6YJ:LwrbR50xpG1btEZuGNoYJ

Score
10/10
lummadiscoverystealer

Malware Config

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Spotify\Block\install.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-24-31\SpotifyFullSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-24-31\SpotifyFullSetup.exe"
      2⤵
      • Executes dropped EXE
      PID:2784
      • C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
        Spotify.exe
        3⤵
        • Executes dropped EXE
        PID:1900
    • C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
      "C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 900
        3⤵
        • Program crash
        PID:3988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3892 -ip 3892
    1⤵
      PID:3844

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-24-31\SpotifyFullSetup.exe
      Filesize

      83.5MB

      MD5

      5e307b5182474dd37d18cd8ada1a0285

      SHA1

      4d70faf2e6e3b0b5a91ecf0470a42bb9afff44cf

      SHA256

      5f38b643d1adddd70ae034cb4dd6f567b267c04d7a77e51c6869718630cfee92

      SHA512

      e6e249218c46bce48c4e807ef88a81149d456f01e1234d9081525a5f8cb8c0689502315be2ee8c0f5b56572fa696a6474917f34e896f14b9b367feecd44f04da

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-24-31\SpotifyFullSetup.exe
      Filesize

      83.5MB

      MD5

      5e307b5182474dd37d18cd8ada1a0285

      SHA1

      4d70faf2e6e3b0b5a91ecf0470a42bb9afff44cf

      SHA256

      5f38b643d1adddd70ae034cb4dd6f567b267c04d7a77e51c6869718630cfee92

      SHA512

      e6e249218c46bce48c4e807ef88a81149d456f01e1234d9081525a5f8cb8c0689502315be2ee8c0f5b56572fa696a6474917f34e896f14b9b367feecd44f04da

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-24-31\SpotifyFullSetup.exe
      Filesize

      83.5MB

      MD5

      5e307b5182474dd37d18cd8ada1a0285

      SHA1

      4d70faf2e6e3b0b5a91ecf0470a42bb9afff44cf

      SHA256

      5f38b643d1adddd70ae034cb4dd6f567b267c04d7a77e51c6869718630cfee92

      SHA512

      e6e249218c46bce48c4e807ef88a81149d456f01e1234d9081525a5f8cb8c0689502315be2ee8c0f5b56572fa696a6474917f34e896f14b9b367feecd44f04da

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tc5enp40.kh3.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
      Filesize

      18.4MB

      MD5

      13dc9f455543556daaeed3b918992789

      SHA1

      5c3d8aea2499fa402bc5951dada102ebb776df68

      SHA256

      1fb2753dccaff558db3150b3bc87b9adf91cec85bb9001d7ca0ce1f7145437ba

      SHA512

      8ac3f52ffb36580564ab6a33d7dc639b367ca0b1ffd5f0c9162b146081527defa55826d758f8e0eb6898f2bb2d13f76fc6faa042c704cf1d0e9c5e1ca6036d42

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
      Filesize

      18.4MB

      MD5

      13dc9f455543556daaeed3b918992789

      SHA1

      5c3d8aea2499fa402bc5951dada102ebb776df68

      SHA256

      1fb2753dccaff558db3150b3bc87b9adf91cec85bb9001d7ca0ce1f7145437ba

      SHA512

      8ac3f52ffb36580564ab6a33d7dc639b367ca0b1ffd5f0c9162b146081527defa55826d758f8e0eb6898f2bb2d13f76fc6faa042c704cf1d0e9c5e1ca6036d42

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
      Filesize

      18.4MB

      MD5

      13dc9f455543556daaeed3b918992789

      SHA1

      5c3d8aea2499fa402bc5951dada102ebb776df68

      SHA256

      1fb2753dccaff558db3150b3bc87b9adf91cec85bb9001d7ca0ce1f7145437ba

      SHA512

      8ac3f52ffb36580564ab6a33d7dc639b367ca0b1ffd5f0c9162b146081527defa55826d758f8e0eb6898f2bb2d13f76fc6faa042c704cf1d0e9c5e1ca6036d42

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Spotify\chrome_elf.dll
      Filesize

      1.1MB

      MD5

      7b49c99fe56efafc81f9b1cf64671a78

      SHA1

      93f33c050541258777804da7446ce431b1601adc

      SHA256

      f3602b4f12c9bb2ef69c475c85d29138794f92e89149eba2bf1265d29e68fe3c

      SHA512

      9ccb36a165d86ed746425303a94de511d53ee878f4cb489f9d72c49d8d1dc48605444aeffb52a60b21eb11cfdf04c1fd919328259b7b48ac2d22b2a02c90bc2f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Spotify\config.ini
      Filesize

      42B

      MD5

      4603a71d0e41d91635b2445cd4d81fba

      SHA1

      1366d959ac7be698a588ae59947e137475c3dd43

      SHA256

      f00682b6192bd464770a1a1ccd31d90919a94bbdb1da149816de15fe54bf4990

      SHA512

      93e4840c975200280115cda3f49be0c4c0f2106198cddd4bac3d6138ac5eea7889be78d9060ae22b6f07c456fd4d969c0987e84084112cfbf0659ef4e9da0e25

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Spotify\libcef.dll
      Filesize

      158.4MB

      MD5

      15529475ac91826af75d06b6c1ba1ecc

      SHA1

      3d8bc5e0e800e90ccfba6c6195843e0803b9fab4

      SHA256

      cd8602d1ce348d5ae2c301060992d1f12030101d820cfcca7c61a7b540ad4b91

      SHA512

      f43aca2adf5c3227867cac35493af60a31d9a00722f15a99e35bf3889ec74f6bc9451f1f60e1a0e52e85c04f0015ab3d8c0598ef9d33d3043f04636d8d054c9a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Spotify\libcef.dll
      Filesize

      158.4MB

      MD5

      15529475ac91826af75d06b6c1ba1ecc

      SHA1

      3d8bc5e0e800e90ccfba6c6195843e0803b9fab4

      SHA256

      cd8602d1ce348d5ae2c301060992d1f12030101d820cfcca7c61a7b540ad4b91

      SHA512

      f43aca2adf5c3227867cac35493af60a31d9a00722f15a99e35bf3889ec74f6bc9451f1f60e1a0e52e85c04f0015ab3d8c0598ef9d33d3043f04636d8d054c9a

      Download Submit
    • memory/1900-354-0x0000000000400000-0x0000000001690000-memory.dmp
      Filesize

      18.6MB

      Download
    • memory/2092-147-0x00000165C96C0000-0x00000165C96CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2092-168-0x00000165C96E0000-0x00000165C96F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2092-167-0x00000165C96E0000-0x00000165C96F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2092-166-0x00000165C96E0000-0x00000165C96F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2092-151-0x00000165C96D0000-0x00000165C96DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2092-150-0x00000165CA9A0000-0x00000165CA9B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2092-148-0x00000165CA970000-0x00000165CA996000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2092-146-0x00000165C96A0000-0x00000165C96B6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/2092-144-0x00000165C96E0000-0x00000165C96F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2092-145-0x00000165C96E0000-0x00000165C96F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2092-143-0x00000165C96E0000-0x00000165C96F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2092-142-0x00000165B1160000-0x00000165B1182000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3892-356-0x0000000000400000-0x0000000001690000-memory.dmp
      Filesize

      18.6MB

      Download