757b9bf24289dcac58ca0f123b2bf7f7f411fc202bcaeef9f108032017c355ec

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22/02/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.ps1
Size

6KB
MD5

f504c7cf8f8d99dc29d239f6b7d6abcf
SHA1

b1ffa96272a8776d81787489711193a4c37d5b65
SHA256

757b9bf24289dcac58ca0f123b2bf7f7f411fc202bcaeef9f108032017c355ec
SHA512

ec6c778554026a7cebb996920b91f78bb48b3ff0576e67b69f193c486a46afcf72198cfd33f2b8c05f02d2338640e17d3f0dc4521fa56ce7dd60dae8836fe17d
SSDEEP

192:D+VvVL04b5sTwVNyXoUuvrTByIJFocnTPwX:S9J6kzy4UaAIYcTPwX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
12	3236	powershell.exe
13	3236	powershell.exe
14	3236	powershell.exe
15	3236	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2368	spicetify.exe
2352	spicetify.exe
4996	spicetify.exe
240	spicetify.exe
1432	spicetify.exe
3092	spicetify.exe
400	spicetify.exe
1340	spicetify.exe
1200	spicetify.exe
1436	spicetify.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
1	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3236	powershell.exe
3236	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 2368	3236	powershell.exe	81
PID 3236 wrote to memory of 2368	3236	powershell.exe	81
PID 3236 wrote to memory of 2352	3236	powershell.exe	82
PID 3236 wrote to memory of 2352	3236	powershell.exe	82
PID 3236 wrote to memory of 4996	3236	powershell.exe	83
PID 3236 wrote to memory of 4996	3236	powershell.exe	83
PID 3236 wrote to memory of 240	3236	powershell.exe	84
PID 3236 wrote to memory of 240	3236	powershell.exe	84
PID 3236 wrote to memory of 1432	3236	powershell.exe	85
PID 3236 wrote to memory of 1432	3236	powershell.exe	85
PID 3236 wrote to memory of 3092	3236	powershell.exe	86
PID 3236 wrote to memory of 3092	3236	powershell.exe	86
PID 3236 wrote to memory of 400	3236	powershell.exe	90
PID 3236 wrote to memory of 400	3236	powershell.exe	90
PID 3236 wrote to memory of 1340	3236	powershell.exe	89
PID 3236 wrote to memory of 1340	3236	powershell.exe	89
PID 3236 wrote to memory of 1200	3236	powershell.exe	88
PID 3236 wrote to memory of 1200	3236	powershell.exe	88
PID 3236 wrote to memory of 1436	3236	powershell.exe	87
PID 3236 wrote to memory of 1436	3236	powershell.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\install.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" path userdata
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" path userdata
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" path -s
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config current_theme
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config custom_apps spicetify-marketplace- -q
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config custom_apps marketplace
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" apply
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" backup
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config current_theme marketplace
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
  "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config inject_css 1 replace_colors 1
  2⤵
  - Executes dropped EXE
  PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjuxstsu.xaa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
2.8MB

MD5
702fcf0c770631c0f59f216490991197

SHA1
6e03db218309b68cebaba3d5b377b744a2897052

SHA256
d78b2edf5ca426133bf49433bb500a7ef228469479abc813ce8617ecd03e3e7e

SHA512
3422bab3b0e9654a009fe410f97c301aea217ed9a5b66795a82f84f35bdcbe44d7fa28e849f42f374e05347b1f8ac3222233bf40a495299c91065a2c465fba36

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
3.1MB

MD5
2fb98541e7eb7db3b496e0a6d3b89393

SHA1
fab16d5bfafc79e66c801ad33563477bac731389

SHA256
fea48f91be7140d20fa3f9bd9b102aa44e14d37dc5a2ed641d480ecf6ac080e2

SHA512
acd8ada654477985b8d3ecdfb68d9c18215e2ae3d87dfa0a7d3bc2bb8e2f613bf4861a165eb15a7e9da9e13eed523e0362eddf000d5f1e0f26a69b89ab4d2d6e

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
2.8MB

MD5
3677f66f3fa36af0f7c0e836a5b0f97d

SHA1
4e34cf4279d88203a433bfc85214be0c85d842f1

SHA256
d1c0a382388157da74d1128dfe6c6c1145ce543b19880495b43648765087627d

SHA512
f2b2bbdda479487c2a543eb2fc4ede0a12251779f9bd9e9894daaf380e92db0d3bc1830f555041a45f1ff1998776dcdafc7104230e496bbfc664279c1543bc11

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
2.4MB

MD5
d8065be152ec184cd2662e85ed8399cb

SHA1
ee97e8eddf37ba965dff5067e41828d3bf4513e8

SHA256
2d003db0aa5090d8849bbbf9d830775d21532d969242d70adaf451df90c39851

SHA512
90ceadadb7c2f0f67aa545742fa3581ea311bd8fa09cc010450c07eafd19b96add51aeff3649961608a4875c8853685e066d8ae8e018b4dfe7adf4a15b2fec37

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
3.0MB

MD5
1a7898bd04d7025e7d6af6b2be08d265

SHA1
193c97cf8bbfee3f1d51ff2d760ce592df2c0d8e

SHA256
cd202b512b166edd42f6738ade485760136478282039c7220b655f6fbe02464b

SHA512
e69752af0d8383dc98f1d45d5e341794e91d82fb43af4fb59e87a7c02673525159e50d5da5e96555d678c73f8ba6076f8c62ac73dcca7f59d3c0e2a7aca3833c

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
2.7MB

MD5
0a112f873e93a26ca915cb218811834c

SHA1
da1785cf24fc39d6d8d0aad410a79c7205f29100

SHA256
81e845ee6e4435189cbaca470f70df5bfed4562606f519fc6a3aef7df1ec04ec

SHA512
3b4842535898100f295a21c709f41b991f33f88e7d4c4ce2261f8e7c7a016a3b5fa396804947bc5c1a320606c09abd8f2b5421831fa4e93d8ef58e62b77acd49

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
2.1MB

MD5
ccd29679ee26854daf42b4a7b7b4844d

SHA1
94a67c75b447ed0a015dd4823e7178d05dd06cea

SHA256
b1bde6df6f83dbf8d032e8f6e1a1799d26c9a83c67b4a414e3a2db49ebde88be

SHA512
840460a4e971a8b0391b95627b39ba16251b6ef38783e1dd9f7b59107faa55fd0a6b0d681c3c1d8587876dbc0d87292db4597c7d9af198edeec61823d4661dcb

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
1.9MB

MD5
9c4b0380bfcd43afb4e3ffb4a42a0f13

SHA1
316c7658dd8caf3344d76face2ffa019dc72c1b3

SHA256
7172cb4d2c3de6c08ba2e3df55417c94e244df8fb4176fe136ebabc44fe22942

SHA512
b7caf5b1b4dc79bdf6f6bd0946f3c92e9253f088d14d128e6628891657964082e9b5fc7fd38a017961119949842e5f73c81bb36788b0fc79087a737410a2f6c3

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
1.1MB

MD5
b7b8978fb8899f3ae3e176ce36df84ca

SHA1
8b8ca16a7da264b01b00c4be4e7901617f18fdf7

SHA256
8ff26cfca865820732ff1ec746b7441b52c16366eeeca1ab124bb7b11bdce3bc

SHA512
86438ebde098e0ea6ffa57a5c1bfe511f805e48c95fb009592c8168d3aba6b77cecec3891d49aa3ec44a74cc9b89e2e9f24991c2fa9ad7f1bbde3130637b6563

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
960KB

MD5
5b7c766ecb5c5ca2eb5340be17d2d872

SHA1
66bf8346c578122b38bca273a07e80d8c96712f3

SHA256
965327bffd0969d4114f99888e361399a726924e05bdbf33944070f43d90304c

SHA512
657776a7988caea40d45ed77d8cb1b96c16ec571a150044320b122fd157ccc9ceeee34cb584b97087ee3953cf3f2df2adbe56429593bb284139cb77ae00d7973

Download Submit
C:\Users\Admin\AppData\Roaming\spicetify\config-xpui.ini

Filesize
649B

MD5
2460b379632b6a994c9194ed872ad535

SHA1
687fc4cb28f6ba9283db87e7a361d0ac1a240df2

SHA256
0b8282d094c01a39362a355d6ba9f53c1edc2bb315956df82c45662483c72c57

SHA512
c2ff030d1e75f8e7169a33552e879550d12e7196f1d714b91d0575f3fc867cccf770b7d107f5a76b649df3084039b595ba092a5fb22ec5355ac6dbd64407a43c

Download Submit
memory/3236-13-0x00000266B41B0000-0x00000266B4372000-memory.dmp

Filesize
1.8MB

Download
memory/3236-14-0x00000266B48B0000-0x00000266B4DD8000-memory.dmp

Filesize
5.2MB

Download
memory/3236-96-0x000002669B5B0000-0x000002669B5C0000-memory.dmp

Filesize
64KB

Download
memory/3236-95-0x000002669B5B0000-0x000002669B5C0000-memory.dmp

Filesize
64KB

Download
memory/3236-18-0x00000266B3BC0000-0x00000266B3BCA000-memory.dmp

Filesize
40KB

Download
memory/3236-17-0x00000266B3BE0000-0x00000266B3BF2000-memory.dmp

Filesize
72KB

Download
memory/3236-15-0x00007FFC3B170000-0x00007FFC3BC32000-memory.dmp

Filesize
10.8MB

Download
memory/3236-132-0x000002669B5B0000-0x000002669B5C0000-memory.dmp

Filesize
64KB

Download
memory/3236-12-0x000002669B5B0000-0x000002669B5C0000-memory.dmp

Filesize
64KB

Download
memory/3236-11-0x000002669B5B0000-0x000002669B5C0000-memory.dmp

Filesize
64KB

Download
memory/3236-10-0x000002669B5B0000-0x000002669B5C0000-memory.dmp

Filesize
64KB

Download
memory/3236-9-0x00007FFC3B170000-0x00007FFC3BC32000-memory.dmp

Filesize
10.8MB

Download
memory/3236-169-0x00007FFC3B170000-0x00007FFC3BC32000-memory.dmp

Filesize
10.8MB

Download
memory/3236-8-0x00000266B3B30000-0x00000266B3B52000-memory.dmp

Filesize
136KB

Download