Analysis
- max time kernel: 25s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2023 12:34
Static task: static1
Behavioral task: behavioral1
  Sample: ESPOTIFY SIN PUBLICIDAD/Spotify1-1-73-517.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ESPOTIFY SIN PUBLICIDAD/Spotify1-1-73-517.exe
  Resource: win10v2004-20230220-en
Behavioral task: behavioral3
  Sample: ESPOTIFY SIN PUBLICIDAD/install.bat
  Resource: win7-20230220-en
Behavioral task: behavioral4
  Sample: ESPOTIFY SIN PUBLICIDAD/install.bat
  Resource: win10v2004-20230220-en
General
- Target: ESPOTIFY SIN PUBLICIDAD/install.bat
- Size: 4KB
- MD5: 1e2f0cee168e9efbf71954a91c155356
- SHA1: 1da5b5d28d83b51ee58895b48488a22d1dc49897
- SHA256: 4cd8cc1a84521644561b76338aabcf7c1d7681564b0415b0a548b6a8e9700a73
- SHA512: 593cbc366c79e7f2b0dda7260363305e9cd112f665a7375998b34f9a8792f9fb2313e36b17b587010f7d29b24221da756dee1a84f65628e69037a40952d52c64
- SSDEEP: 96:qGQ9HHSDNcCMOQMYAMlVu7YOnMkycpy1Xq0RHqs0V:qGQ9nRY3YHXuMOMkycpy1XBqs0V
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1296  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1296  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process   target process
    PID 1756 wrote to memory of 1196   1756  cmd.exe   findstr.exe
    PID 1756 wrote to memory of 1196   1756  cmd.exe   findstr.exe
    PID 1756 wrote to memory of 1196   1756  cmd.exe   findstr.exe
    PID 1756 wrote to memory of 1296   1756  cmd.exe   powershell.exe
    PID 1756 wrote to memory of 1296   1756  cmd.exe   powershell.exe
    PID 1756 wrote to memory of 1296   1756  cmd.exe   powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\install.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\findstr.exe
    findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\install.bat"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -ExecutionPolicy Bypass -Command "& 'C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\ps.ps1'"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\ps.ps1
  Filesize: 4KB
  MD5: 4d70184c5dadd0bb980a13aedab4988b
  SHA1: a8e17c70cba0911ca56b8f75f568082eb2849f9b
  SHA256: 259ec34b25f4aa29f33322702b3d3a678b7f1109f03ba3b04e973d0c3092a49a
  SHA512: 4475a858928fecbce18dbeb5463222020ab0848109e29afad9e0c72beb41941a9b60f1d8fdda073cd945846e0530ee9006c927bcd7af1e9d96828f18887f315f
- memory/1296-59-0x000000001B260000-0x000000001B542000-memory.dmp
  Filesize: 2.9MB
- memory/1296-60-0x0000000002360000-0x0000000002368000-memory.dmp
  Filesize: 32KB
- memory/1296-61-0x0000000002840000-0x00000000028C0000-memory.dmp
  Filesize: 512KB
- memory/1296-62-0x0000000002840000-0x00000000028C0000-memory.dmp
  Filesize: 512KB
- memory/1296-63-0x0000000002840000-0x00000000028C0000-memory.dmp
  Filesize: 512KB
- memory/1296-65-0x000000000284B000-0x0000000002882000-memory.dmp
  Filesize: 220KB