Analysis
-
max time kernel
781s -
max time network
746s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
12-10-2023 12:35
General
-
Target
SpotifySetup.exe
-
Size
2.8MB
-
MD5
da56532db7d8cb67270fc27697bb524e
-
SHA1
d127c343cc8e7484997f541aeeebec8b63fa39a0
-
SHA256
75ce00349f364e34ca9744edff81d8e7e4237b035a0bea0ab2cf3e5c29e55af9
-
SHA512
6e856cb531dc6752872c7beadf0b6fa24e2457c8d9afa4d240c12b8d297eb6263b34726d8c720458e99d6958ce9917933356bd43f165c936d1304e6c1df85377
-
SSDEEP
49152:y2My0eKmxEyFNfjLmIUlOu7QtmZWNWwG6/MhmdWWjkCIj+yNyRS0b4t4TxCejhzq:
Malware Config
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Start Menu\3D7OX7XQ.exe"C:\ProgramData\Start Menu\3D7OX7XQ.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exeSpWebInst0.exe /webinstall3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\OP33M0OZ.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\OP33M0OZ.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4224 -s 19603⤵
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
992KB
MD56469f63b99f50f188793dc299a452d97
SHA134a1a95f61b52fb9abe41ff317eb36760fd25c65
SHA256e939a8b97ffd09604a1569fcc4017a7d34b2d852b1f775f2e6e5d7e8b34da178
SHA51206c19ca4a557e019e869db1739adfe437657adb4527fedce004792ad8a6ce9baa38702d2e8ac9b9c51072fabb812287d6510abdcd7072f0b25d677fce335295f
-
Filesize
992KB
MD56469f63b99f50f188793dc299a452d97
SHA134a1a95f61b52fb9abe41ff317eb36760fd25c65
SHA256e939a8b97ffd09604a1569fcc4017a7d34b2d852b1f775f2e6e5d7e8b34da178
SHA51206c19ca4a557e019e869db1739adfe437657adb4527fedce004792ad8a6ce9baa38702d2e8ac9b9c51072fabb812287d6510abdcd7072f0b25d677fce335295f
-
Filesize
992KB
MD56469f63b99f50f188793dc299a452d97
SHA134a1a95f61b52fb9abe41ff317eb36760fd25c65
SHA256e939a8b97ffd09604a1569fcc4017a7d34b2d852b1f775f2e6e5d7e8b34da178
SHA51206c19ca4a557e019e869db1739adfe437657adb4527fedce004792ad8a6ce9baa38702d2e8ac9b9c51072fabb812287d6510abdcd7072f0b25d677fce335295f
-
Filesize
83KB
MD5051c8b584ffde2a373d4a54d038bc46c
SHA1d58abcb0d3875094b51e6836036bf65ff96b8b40
SHA256711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801
SHA5128f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063
-
Filesize
83KB
MD5051c8b584ffde2a373d4a54d038bc46c
SHA1d58abcb0d3875094b51e6836036bf65ff96b8b40
SHA256711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801
SHA5128f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063
-
Filesize
83KB
MD5051c8b584ffde2a373d4a54d038bc46c
SHA1d58abcb0d3875094b51e6836036bf65ff96b8b40
SHA256711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801
SHA5128f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063
-
Filesize
94.2MB
MD507f3ea187e143fa50bbbc510fbb9a820
SHA1562afaedc47e02e51163e51fb8c6d77b610a3302
SHA256742053aeee73a54fd5bd1eb093c3388c63b32368959487c09c7cdbce9823c6df
SHA5120fb8d876aad66665b315091b3e8ccdbb2758c0cee09cfdf5aa8805c1c86138a8d428696a55f3a4f2144ea0b8c67ae4d26c337e14d9651065ef638f69ffb197d2
-
Filesize
94.2MB
MD507f3ea187e143fa50bbbc510fbb9a820
SHA1562afaedc47e02e51163e51fb8c6d77b610a3302
SHA256742053aeee73a54fd5bd1eb093c3388c63b32368959487c09c7cdbce9823c6df
SHA5120fb8d876aad66665b315091b3e8ccdbb2758c0cee09cfdf5aa8805c1c86138a8d428696a55f3a4f2144ea0b8c67ae4d26c337e14d9651065ef638f69ffb197d2
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
112KB