Analysis
-
max time kernel
155s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
25-04-2023 12:45
General
-
Target
Spotify Premium/Setup.exe
-
Size
630.2MB
-
MD5
32a4d0a4ab16a702c4a00b41a6d1377e
-
SHA1
cf9935a37c5477fdd991f50078d0fbe0da51f8df
-
SHA256
6f895cd89dafd39df80e6cc7660f229e775c962ff249f56c9693ac16821cb9cf
-
SHA512
c6a327e8d33fbcabba45fe3a10572d5632b3addc094010f39a709cdb3367004b659f05954988c8ee6c87196790f84a77be1c4813bd2ce8174cdd74f9a4d36ebf
-
SSDEEP
6144:TfbOrBANQk+LQ9JfIzgPO6gsURuloFxdPQ:MO//AzgmuqO
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 28 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Spotify Premium\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Spotify Premium\Setup.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 7322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 8282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 8802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 8882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 9882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 9882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 13602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 10042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 9722⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\23e20ad4db\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\23e20ad4db\oneetx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 5843⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 7243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 7323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 7923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 7603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 7083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 9803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 9883⤵
- Program crash
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\23e20ad4db\oneetx.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 9203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 12003⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\23e20ad4db" /P "Admin:N"&&CACLS "..\23e20ad4db" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\23e20ad4db" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\23e20ad4db" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 12403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 6683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 11883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 14963⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000001001\gookcom.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\gookcom.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 9202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 14282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5072 -ip 50721⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000001001\gookcom.exeFilesize
769KB
MD5c6fea3621cca858371f2d596c9723891
SHA148a23b6c768a4a4f8ba2864159f959c0e025f08a
SHA2560a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3
SHA512c3c7973b774c9cbe0888ebf4858b617a4431cb614a38d260ebefa3717ee932ccb0e93a14159aa6856aa0094e13627a1c8a071fdfff3639f5b14194af3a3d1bf4
-
C:\Users\Admin\AppData\Local\Temp\23e20ad4db\oneetx.exeFilesize
630.2MB
MD532a4d0a4ab16a702c4a00b41a6d1377e
SHA1cf9935a37c5477fdd991f50078d0fbe0da51f8df
SHA2566f895cd89dafd39df80e6cc7660f229e775c962ff249f56c9693ac16821cb9cf
SHA512c6a327e8d33fbcabba45fe3a10572d5632b3addc094010f39a709cdb3367004b659f05954988c8ee6c87196790f84a77be1c4813bd2ce8174cdd74f9a4d36ebf
-
C:\Users\Admin\AppData\Local\Temp\23e20ad4db\oneetx.exeFilesize
630.2MB
MD532a4d0a4ab16a702c4a00b41a6d1377e
SHA1cf9935a37c5477fdd991f50078d0fbe0da51f8df
SHA2566f895cd89dafd39df80e6cc7660f229e775c962ff249f56c9693ac16821cb9cf
SHA512c6a327e8d33fbcabba45fe3a10572d5632b3addc094010f39a709cdb3367004b659f05954988c8ee6c87196790f84a77be1c4813bd2ce8174cdd74f9a4d36ebf
-
C:\Users\Admin\AppData\Local\Temp\23e20ad4db\oneetx.exeFilesize
630.2MB
MD532a4d0a4ab16a702c4a00b41a6d1377e
SHA1cf9935a37c5477fdd991f50078d0fbe0da51f8df
SHA2566f895cd89dafd39df80e6cc7660f229e775c962ff249f56c9693ac16821cb9cf
SHA512c6a327e8d33fbcabba45fe3a10572d5632b3addc094010f39a709cdb3367004b659f05954988c8ee6c87196790f84a77be1c4813bd2ce8174cdd74f9a4d36ebf
-
memory/400-134-0x0000000002C80000-0x0000000002CB3000-memory.dmpFilesize
204KB
-
memory/400-135-0x0000000000400000-0x0000000002BA9000-memory.dmpFilesize
39.7MB
-
memory/400-143-0x0000000000400000-0x0000000002BA9000-memory.dmpFilesize
39.7MB
-
memory/400-149-0x0000000000400000-0x0000000002BA9000-memory.dmpFilesize
39.7MB
-
memory/5072-150-0x0000000000400000-0x0000000002BA9000-memory.dmpFilesize
39.7MB
-
memory/5072-161-0x0000000000400000-0x0000000002BA9000-memory.dmpFilesize
39.7MB