72ba35b22553101499e7aa001251d6b6b5eb645c7e907ebc256545e3ab1d5d83

Reason

Machine shutdown

General

Target

SpotifySetup.exe
Size

724KB
MD5

9b5c23d88dc01f2069ce85f1be2e040d
SHA1

27239f2ef7a9bf10e47a8eb0d5ff07f8c8244217
SHA256

72ba35b22553101499e7aa001251d6b6b5eb645c7e907ebc256545e3ab1d5d83
SHA512

2da74acbbcbab15b4dcf30da868aa99e116eaf21071f8a47dfa3f73a026b55baedb8374d6560be3cfc289f5fc6f6f9886b8cedcf0787e1d2a81a5ac20ebb0f06
SSDEEP

12288:M4jvnpbgd8+DxjVWAlwJ2yy85QbKIdNWXn6HKTCWl4KjrVR:MenWDxjIf5Q1NWXhlxR

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

SpWebInst0.exe

pid process

1548 SpWebInst0.exe
Loads dropped DLL 1 IoCs

Processes:

SpotifySetup.exe

pid process

1212 SpotifySetup.exe

pid	process
1548	SpWebInst0.exe

pid	process
1212	SpotifySetup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SpotifySetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	SpotifySetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	SpotifySetup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1020	AUDIODG.EXE
Token: 33	1020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1020	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SpotifySetup.exe

description	pid	process	target process
PID 1212 wrote to memory of 1548	1212	SpotifySetup.exe	SpWebInst0.exe
PID 1212 wrote to memory of 1548	1212	SpotifySetup.exe	SpWebInst0.exe
PID 1212 wrote to memory of 1548	1212	SpotifySetup.exe	SpWebInst0.exe
PID 1212 wrote to memory of 1548	1212	SpotifySetup.exe	SpWebInst0.exe
PID 1212 wrote to memory of 1548	1212	SpotifySetup.exe	SpWebInst0.exe
PID 1212 wrote to memory of 1548	1212	SpotifySetup.exe	SpWebInst0.exe
PID 1212 wrote to memory of 1548	1212	SpotifySetup.exe	SpWebInst0.exe

C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exe
SpWebInst0.exe /webinstall
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exe
Filesize
83.5MB

MD5
5e307b5182474dd37d18cd8ada1a0285

SHA1
4d70faf2e6e3b0b5a91ecf0470a42bb9afff44cf

SHA256
5f38b643d1adddd70ae034cb4dd6f567b267c04d7a77e51c6869718630cfee92

SHA512
e6e249218c46bce48c4e807ef88a81149d456f01e1234d9081525a5f8cb8c0689502315be2ee8c0f5b56572fa696a6474917f34e896f14b9b367feecd44f04da

Download Submit
\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exe
Filesize
83.5MB

MD5
5e307b5182474dd37d18cd8ada1a0285

SHA1
4d70faf2e6e3b0b5a91ecf0470a42bb9afff44cf

SHA256
5f38b643d1adddd70ae034cb4dd6f567b267c04d7a77e51c6869718630cfee92

SHA512
e6e249218c46bce48c4e807ef88a81149d456f01e1234d9081525a5f8cb8c0689502315be2ee8c0f5b56572fa696a6474917f34e896f14b9b367feecd44f04da

Download Submit
memory/1672-73-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1928-74-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads