Overview

Overall score: 10
Static analysis (static1): score 10

Behavioral tasks, as listed in the overview (score, sample as displayed, platform):

  Score  Sample                 Platform
  1      Spotify/Bl...ot.bat    windows7-x64
  1      Spotify/Bl...ot.bat    windows10-2004-x64
  8      Spotify/Bl...ME.ps1    windows7-x64
  1      Spotify/Bl...ME.ps1    windows10-2004-x64
  1      Spotify/Bl...ll.ps1    windows7-x64
  8      Spotify/Bl...ll.ps1    windows10-2004-x64
  10     Spotify/Bl...ll.bat    windows7-x64
  1      Spotify/Bl...ll.bat    windows10-2004-x64
  1      Spotify/Bl...x.html    windows7-x64
  1      Spotify/Bl...x.html    windows10-2004-x64
  1      Spotify/Bl...dle.js    windows7-x64
  1      Spotify/Bl...dle.js    windows10-2004-x64
  1      Spotify/Se...up.exe    windows7-x64
  8      Spotify/Se...up.exe    windows10-2004-x64
Analysis (score 10)

  Max time kernel:   262s
  Max time network:  265s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-20230220-en
  Resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:         26-03-2023 13:21
Tasks

  Task           Sample                                 Resource
  static1        (static task)                          -
  behavioral1    Spotify/Block/BlockTheSpot.bat         win7-20230220-en
  behavioral2    Spotify/Block/BlockTheSpot.bat         win10v2004-20230220-en
  behavioral3    Spotify/Block/README.ps1               win7-20230220-en
  behavioral4    Spotify/Block/README.ps1               win10v2004-20230221-en
  behavioral5    Spotify/Block/install.ps1              win7-20230220-en
  behavioral6    Spotify/Block/install.ps1              win10v2004-20230220-en
  behavioral7    Spotify/Block/uninstall.bat            win7-20230220-en
  behavioral8    Spotify/Block/uninstall.bat            win10v2004-20230220-en
  behavioral9    Spotify/Block/zlink/index.html         win7-20230220-en
  behavioral10   Spotify/Block/zlink/index.html         win10v2004-20230220-en
  behavioral11   Spotify/Block/zlink/zlink.bundle.js    win7-20230220-en
  behavioral12   Spotify/Block/zlink/zlink.bundle.js    win10v2004-20230220-en
  behavioral13   Spotify/Setup/SpotifySetup.exe         win7-20230220-en
  behavioral14   Spotify/Setup/SpotifySetup.exe         win10v2004-20230220-en
General

  Target:  Spotify/Block/install.ps1
  Size:    4KB
  MD5:     d6391efb89ccc420774799bb0185e609
  SHA1:    63d2b12fad84b0391cbfe00b485261f9d76ec139
  SHA256:  0930f42793685aaa781840f88b91b8115ad3787ebb394f29799b8266fc422eb1
  SHA512:  114f133f766ee0e3eebd238dfc805223f45784313ada4eb66f1e1769074cefd19bf7fedce1ede7a505e9082679678c29cab0a74ff952fa8baf58e372bb6f9435
  SSDEEP:  96:LwehM7b5L50xpkc6IGKcLfLpUyPsNZuy3eW22Nx6YJ:LwrbR50xpG1btEZuGNoYJ
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  9     3356  powershell.exe
  20    3356  powershell.exe
  23    3356  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  pid   process
  2572  SpotifyFullSetup.exe
  5088  Spotify.exe
  540   Spotify.exe

Loads dropped DLL (1 IoC)
  pid   process
  540   Spotify.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoC)
  pid   pid_target  process       target process
  3436  540         WerFault.exe  Spotify.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  3356  powershell.exe   (64 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  3356  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process         target process
  PID 3356 wrote to memory of 2572  3356  powershell.exe  SpotifyFullSetup.exe  (3 identical entries)
  PID 3356 wrote to memory of 540   3356  powershell.exe  Spotify.exe           (3 identical entries)
Processes

(depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Spotify\Block\install.ps1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-21-35\SpotifyFullSetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-21-35\SpotifyFullSetup.exe"
    - Executes dropped EXE

    (depth 3) C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
      Command line: Spotify.exe
      - Executes dropped EXE

  (depth 2) C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"
    - Executes dropped EXE
    - Loads dropped DLL

    (depth 3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 916
      - Program crash

(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540
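The Signatures and the process tree above describe one chain: powershell.exe started with an execution-policy bypass, making network requests, writing a PE file under a user-writable path, and that file (and, through it, further dropped binaries) being executed. The following is an added detection example, not part of the sandbox report or of the BlockTheSpot project. Its event records are a constructed Sysmon-like subset: the pids, images and command lines are taken from the tree above, while the network destination (a TEST-NET-3 address), the two file-write events and their ordering are assumptions made for the demo.

```python
"""Correlate process, network and file-write events into the chain the sandbox
flagged: policy-bypassed PowerShell -> network request -> dropped PE -> dropped
PE executed. Added example; the event schema is a constructed Sysmon-like
subset, not the sandbox's own format."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (create), "network" (outbound), "filewrite"
    pid: int
    image: str         # full path of the acting process
    ppid: int = 0      # parent pid (process events only)
    cmdline: str = ""  # command line (process events only)
    target: str = ""   # filewrite: path written; network: destination


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SETUP = r"C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-21-35\SpotifyFullSetup.exe"
SPOTIFY = r"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed events: pids, images and command lines follow the report's process
# tree; the network destination (TEST-NET-3) and both file writes are assumed.
EVENTS = [
    Event("process", 3356, PS, 0,
          r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Spotify\Block\install.ps1"),
    Event("network", 3356, PS, target="203.0.113.10:443"),
    Event("filewrite", 3356, PS, target=SETUP),           # "Downloads MZ/PE file"
    Event("process", 2572, SETUP, 3356, f'"{SETUP}"'),
    Event("filewrite", 2572, SETUP, target=SPOTIFY),      # assumed: the installer writes Spotify.exe
    Event("process", 5088, SPOTIFY, 2572, "Spotify.exe"),
    Event("process", 540, SPOTIFY, 3356, f'"{SPOTIFY}"'),
    Event("process", 3436, WERFAULT, 540, r"C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 916"),
]

# -ExecutionPolicy and the abbreviations PowerShell accepts (-ex, -exec, -ep),
# followed by a value that disables script-signing enforcement.
POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ex\w*|ep)\s+(?:bypass|unrestricted)\b")
# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\")


def children_of(events):
    """Map parent pid -> list of child pids, from process-create events."""
    tree = defaultdict(list)
    for e in events:
        if e.kind == "process":
            tree[e.ppid].append(e.pid)
    return tree


def descendants(events, root):
    """All pids transitively spawned under `root`."""
    tree, seen, stack = children_of(events), set(), [root]
    while stack:
        for child in tree[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def detect(events):
    """Return (rule, pid) findings for the chain described above."""
    findings = []
    by_pid = defaultdict(list)
    writers = {}  # lower-cased dropped path -> pid that first wrote it
    for e in events:
        by_pid[e.pid].append(e)
        if e.kind == "filewrite" and USER_WRITABLE.search(e.target):
            writers.setdefault(e.target.lower(), e.pid)
    for e in events:
        if e.kind != "process":
            continue
        if e.image.lower().endswith("\\powershell.exe") and POLICY_BYPASS.search(e.cmdline):
            findings.append(("powershell_policy_bypass", e.pid))
            if any(x.kind == "network" for x in by_pid[e.pid]):
                findings.append(("scripthost_network_request", e.pid))
            for pid in sorted(descendants(events, e.pid)):
                findings.append(("spawned_under_bypassed_powershell", pid))
        if e.image.lower() in writers:
            # The image being started was written earlier by a process in this trace.
            findings.append(("executes_dropped_exe", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36} pid={pid}")
```

Run against the constructed trace, `detect()` flags pid 3356 for the policy bypass and the network request, pids 2572, 5088 and 540 as executions of files dropped during the trace, and every pid under 3356 (including WerFault.exe, pid 3436) as part of the bypassed PowerShell's subtree. The "executes dropped EXE" rule depends on seeing the file-write event first; a trace that starts after the download will only produce the policy-bypass and network findings.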
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-21-35\SpotifyFullSetup.exe  (3 identical entries)
  Filesize:  83.5MB
  MD5:       5e307b5182474dd37d18cd8ada1a0285
  SHA1:      4d70faf2e6e3b0b5a91ecf0470a42bb9afff44cf
  SHA256:    5f38b643d1adddd70ae034cb4dd6f567b267c04d7a77e51c6869718630cfee92
  SHA512:    e6e249218c46bce48c4e807ef88a81149d456f01e1234d9081525a5f8cb8c0689502315be2ee8c0f5b56572fa696a6474917f34e896f14b9b367feecd44f04da

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2eilchv.5j3.ps1
  Filesize:  60B
  MD5:       d17fe0a3f47be24a6453e9ef58c94641
  SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe  (3 identical entries)
  Filesize:  18.4MB
  MD5:       13dc9f455543556daaeed3b918992789
  SHA1:      5c3d8aea2499fa402bc5951dada102ebb776df68
  SHA256:    1fb2753dccaff558db3150b3bc87b9adf91cec85bb9001d7ca0ce1f7145437ba
  SHA512:    8ac3f52ffb36580564ab6a33d7dc639b367ca0b1ffd5f0c9162b146081527defa55826d758f8e0eb6898f2bb2d13f76fc6faa042c704cf1d0e9c5e1ca6036d42

C:\Users\Admin\AppData\Roaming\Spotify\chrome_elf.dll
  Filesize:  1.1MB
  MD5:       7b49c99fe56efafc81f9b1cf64671a78
  SHA1:      93f33c050541258777804da7446ce431b1601adc
  SHA256:    f3602b4f12c9bb2ef69c475c85d29138794f92e89149eba2bf1265d29e68fe3c
  SHA512:    9ccb36a165d86ed746425303a94de511d53ee878f4cb489f9d72c49d8d1dc48605444aeffb52a60b21eb11cfdf04c1fd919328259b7b48ac2d22b2a02c90bc2f

C:\Users\Admin\AppData\Roaming\Spotify\config.ini
  Filesize:  42B
  MD5:       4603a71d0e41d91635b2445cd4d81fba
  SHA1:      1366d959ac7be698a588ae59947e137475c3dd43
  SHA256:    f00682b6192bd464770a1a1ccd31d90919a94bbdb1da149816de15fe54bf4990
  SHA512:    93e4840c975200280115cda3f49be0c4c0f2106198cddd4bac3d6138ac5eea7889be78d9060ae22b6f07c456fd4d969c0987e84084112cfbf0659ef4e9da0e25

C:\Users\Admin\AppData\Roaming\Spotify\libcef.dll  (2 identical entries)
  Filesize:  158.4MB
  MD5:       15529475ac91826af75d06b6c1ba1ecc
  SHA1:      3d8bc5e0e800e90ccfba6c6195843e0803b9fab4
  SHA256:    cd8602d1ce348d5ae2c301060992d1f12030101d820cfcca7c61a7b540ad4b91
  SHA512:    f43aca2adf5c3227867cac35493af60a31d9a00722f15a99e35bf3889ec74f6bc9451f1f60e1a0e52e85c04f0015ab3d8c0598ef9d33d3043f04636d8d054c9a

Memory dumps:

  memory/540-356-0x0000000000400000-0x0000000001690000-memory.dmp     18.6MB
  memory/3356-166-0x000001E7D4B90000-0x000001E7D4BA0000-memory.dmp    64KB
  memory/3356-168-0x000001E7D4B90000-0x000001E7D4BA0000-memory.dmp    64KB
  memory/3356-167-0x000001E7D4B90000-0x000001E7D4BA0000-memory.dmp    64KB
  memory/3356-151-0x000001E7D7080000-0x000001E7D708A000-memory.dmp    40KB
  memory/3356-150-0x000001E7D7290000-0x000001E7D72A2000-memory.dmp    72KB
  memory/3356-148-0x000001E7D7230000-0x000001E7D7256000-memory.dmp    152KB
  memory/3356-147-0x000001E7D7070000-0x000001E7D707A000-memory.dmp    40KB
  memory/3356-146-0x000001E7D7050000-0x000001E7D7066000-memory.dmp    88KB
  memory/3356-145-0x000001E7D4B90000-0x000001E7D4BA0000-memory.dmp    64KB
  memory/3356-144-0x000001E7D4B90000-0x000001E7D4BA0000-memory.dmp    64KB
  memory/3356-143-0x000001E7D4B90000-0x000001E7D4BA0000-memory.dmp    64KB
  memory/3356-138-0x000001E7D4B60000-0x000001E7D4B82000-memory.dmp    136KB
  memory/5088-344-0x0000000000400000-0x0000000001690000-memory.dmp    18.6MB
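The dropped-file list above doubles as a set of file IoCs. The following is an added example, not from the report or the BlockTheSpot project: it computes MD5, SHA-1, SHA-256 and SHA-512 in a single pass over a stream (so a 158 MB libcef.dll is read once, not four times) and classifies a file against the report's SHA-256 values. The sample bytes are constructed, and the three-way classification (byte-identical hash match, same name but different content, unrelated) is this example's own scheme, not something the report defines.

```python
"""Single-pass multi-digest hashing plus lookup against the report's dropped-file
SHA-256 values. Added example; the classification scheme is the example's own,
not the sandbox's."""
import hashlib
import io
from pathlib import PureWindowsPath

# SHA-256 values copied from the report's Downloads list.
REPORT_SHA256 = {
    r"C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2023-03-26_15-21-35\SpotifyFullSetup.exe":
        "5f38b643d1adddd70ae034cb4dd6f567b267c04d7a77e51c6869718630cfee92",
    r"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe":
        "1fb2753dccaff558db3150b3bc87b9adf91cec85bb9001d7ca0ce1f7145437ba",
    r"C:\Users\Admin\AppData\Roaming\Spotify\chrome_elf.dll":
        "f3602b4f12c9bb2ef69c475c85d29138794f92e89149eba2bf1265d29e68fe3c",
    r"C:\Users\Admin\AppData\Roaming\Spotify\config.ini":
        "f00682b6192bd464770a1a1ccd31d90919a94bbdb1da149816de15fe54bf4990",
    r"C:\Users\Admin\AppData\Roaming\Spotify\libcef.dll":
        "cd8602d1ce348d5ae2c301060992d1f12030101d820cfcca7c61a7b540ad4b91",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def multi_digest(stream, chunk_size=1 << 20):
    """Feed each chunk to all four hashers so the file is read exactly once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, chunk_size=1 << 20):
    """Digest an in-memory buffer (used here for the constructed sample)."""
    return multi_digest(io.BytesIO(data), chunk_size)


def digest_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return multi_digest(f, chunk_size)


def classify(digests, filename):
    """'hash'      -> byte-identical to an artefact the sandbox saw
       'name_only' -> same file name as a report artefact, different content
       'none'      -> unrelated to the report's artefacts"""
    sha256 = digests["sha256"].lower()
    for path, known in REPORT_SHA256.items():
        if sha256 == known:
            return "hash", path
    for path in REPORT_SHA256:
        if PureWindowsPath(path).name.lower() == filename.lower():
            return "name_only", path
    return "none", None


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real PE: the name collides, the content does not.
    sample = digest_bytes(b"MZ" + b"\x00" * 62)
    print(classify(sample, "SpotifyFullSetup.exe"))
    # Feeding a report hash back in yields a byte-identical match regardless of name.
    print(classify({"sha256": REPORT_SHA256[r"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"]}, "anything.bin"))
```

A "hash" result only establishes that a file is byte-identical to what the sandbox recorded; whether that file is malicious is a separate judgement that the hash alone does not make. A "name_only" result says only that the name collides with one in the report and the content differs (another build, or a modified copy), which is usually the case worth a closer look.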