fa7ff9975dce1fc26987f6457ee9ef5e9a9fbe4d21b68a34941343f5cb00651e

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install_New_theme_2.bat
Size

277B
MD5

bf78a0583ee16de7cf3776c7c7ad23fc
SHA1

30d6cf358f8932007554e5a5ef2f3ccf83c90e8a
SHA256

fa7ff9975dce1fc26987f6457ee9ef5e9a9fbe4d21b68a34941343f5cb00651e
SHA512

8a154d83996fbf0ba5f3c13514c48484824238d5d42aa7bcb44e399b996c249b66edaf722080101db0a7b4e8b93ca6028ac27ef565b9dfc7169d62466cf8f5ab

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	2696	powershell.exe
19	2696	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3712	SpotifySetup.exe
1008	Spotify.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1900	taskkill.exe
1620	taskkill.exe
4932	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	powershell.exe
Token: SeSecurityPrivilege	2696	powershell.exe
Token: SeTakeOwnershipPrivilege	2696	powershell.exe
Token: SeLoadDriverPrivilege	2696	powershell.exe
Token: SeSystemProfilePrivilege	2696	powershell.exe
Token: SeSystemtimePrivilege	2696	powershell.exe
Token: SeProfSingleProcessPrivilege	2696	powershell.exe
Token: SeIncBasePriorityPrivilege	2696	powershell.exe
Token: SeCreatePagefilePrivilege	2696	powershell.exe
Token: SeBackupPrivilege	2696	powershell.exe
Token: SeRestorePrivilege	2696	powershell.exe
Token: SeShutdownPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeSystemEnvironmentPrivilege	2696	powershell.exe
Token: SeRemoteShutdownPrivilege	2696	powershell.exe
Token: SeUndockPrivilege	2696	powershell.exe
Token: SeManageVolumePrivilege	2696	powershell.exe
Token: 33	2696	powershell.exe
Token: 34	2696	powershell.exe
Token: 35	2696	powershell.exe
Token: 36	2696	powershell.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 2696	3112	cmd.exe	96
PID 3112 wrote to memory of 2696	3112	cmd.exe	96
PID 2696 wrote to memory of 4932	2696	powershell.exe	106
PID 2696 wrote to memory of 4932	2696	powershell.exe	106
PID 2696 wrote to memory of 1900	2696	powershell.exe	108
PID 2696 wrote to memory of 1900	2696	powershell.exe	108
PID 2696 wrote to memory of 5052	2696	powershell.exe	109
PID 2696 wrote to memory of 5052	2696	powershell.exe	109
PID 2696 wrote to memory of 4360	2696	powershell.exe	110
PID 2696 wrote to memory of 4360	2696	powershell.exe	110
PID 2696 wrote to memory of 3668	2696	powershell.exe	111
PID 2696 wrote to memory of 3668	2696	powershell.exe	111
PID 2696 wrote to memory of 700	2696	powershell.exe	115
PID 2696 wrote to memory of 700	2696	powershell.exe	115
PID 3656 wrote to memory of 3712	3656	explorer.exe	118
PID 3656 wrote to memory of 3712	3656	explorer.exe	118
PID 3656 wrote to memory of 3712	3656	explorer.exe	118
PID 3712 wrote to memory of 1008	3712	SpotifySetup.exe	122
PID 3712 wrote to memory of 1008	3712	SpotifySetup.exe	122
PID 3712 wrote to memory of 1008	3712	SpotifySetup.exe	122
PID 2696 wrote to memory of 1620	2696	powershell.exe	123
PID 2696 wrote to memory of 1620	2696	powershell.exe	123

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Install_New_theme_2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "&{[Net.ServicePointManager]::SecurityProtocol = 3072}; """"& { $(Invoke-WebRequest -UseBasicParsing 'https://spotx-official.github.io/run.ps1')} -new_theme """" | Invoke-Expression"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im Spotify.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im Spotify.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -V
    3⤵
    PID:5052
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -Is -w "%{http_code} \n" -o /dev/null https://download.scdn.co/upgrade/client/win32-x86/spotify_installer-1.2.34.783.g923721d9-5822.exe --retry 2 --ssl-no-revoke
    3⤵
    PID:4360
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -q https://download.scdn.co/upgrade/client/win32-x86/spotify_installer-1.2.34.783.g923721d9-5822.exe -o C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-03-27_11-27-27\SpotifySetup.exe --progress-bar --retry 3 --ssl-no-revoke
    3⤵
    PID:3668
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-03-27_11-27-27\SpotifySetup.exe
    3⤵
    PID:700
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im Spotify.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-03-27_11-27-27\SpotifySetup.exe
  "C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-03-27_11-27-27\SpotifySetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
    Spotify.exe
    3⤵
    - Executes dropped EXE
    PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-03-27_11-27-27\SpotifySetup.exe

Filesize
704KB

MD5
27f9390e6016e5a8ef274302efa73e68

SHA1
17e78948f2e719fd0fe46ccd7ed9abb0c4223cf2

SHA256
0c866152e9e5e7da02eac505829211c6e2b3fa9ee4b2b37da0688dbdbbe2a96b

SHA512
1a0c311eb3db9fd48c6635dcd0445728780c5981ded4b669b1d920d0775b8a499f0cfe3bde78c0fb418e3fa4001f7711bc2a39200a5fbf6258352cd4fd6f2600

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-03-27_11-27-27\SpotifySetup.exe

Filesize
1.7MB

MD5
92288584c9e3ee8db8444fe436203349

SHA1
4c4d5fa08824c110598af22b6972a2aeaa8a9d23

SHA256
51ce932cc5096b705d48b871183be4edf1e255582e89469313130cfb9bfca7a5

SHA512
513abd2f62d9cabedd4b1411e2fabe728f41ae7d45e5450a89cd2878507c424ab4f6d5e3e4f3d278c89a52f067a3f4e9d81ea97df6eae8c08ef1f8c036f13511

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ivj3flv.qdt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

Filesize
3.9MB

MD5
2d94ac42548ef0de11026949e424fd92

SHA1
7c3db0cf14969aca25df4a1c3b9d48de300640af

SHA256
1351208af08484133e739e71b92587fe4b62c4993b6bf50b6ac509e04b905ce6

SHA512
dcf574e70792ca5786898841d4d521047973df7fa9477b24c2d1a4cf5ecc66f534c4e2da571a611ff141ae92287ce89a8d5267c006d0c98d790eb89cceef16ba

Download Submit
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

Filesize
3.6MB

MD5
af8571bd43226ab57344e64619572688

SHA1
823136c6d69f546d21c1f2d75ac2cd1bbf7d9e9f

SHA256
24e5356a77a71873515eeade4fb20f1abcb2f78483120a19a479b717f8b2535c

SHA512
edbd8ab9794b388303632ccafe587edfb7044ef951dba75c1792dbff69d7b0ffd02a1a7869419fd45cc3b60bf37273b7628db8e6d49ad29def3ac485a4423f13

Download Submit
C:\Users\Admin\AppData\Roaming\Spotify\libcef.dll

Filesize
22KB

MD5
4d82319be131502da30ea64959e7e946

SHA1
e00cb0aa90f285663336ad45f2e7e983f7218b52

SHA256
a293f409027572e9d173b907d97a17934966ff659959f8b79b40a38021d233de

SHA512
9cdc18e5c50dcd0638e78631b64bc87586180c44186611fadb1465ced98e657e0faffbb9f7f5303b7666ac96ea8c66664a98e771470162f743a5f49747d37feb

Download Submit
memory/1008-227-0x0000000000960000-0x0000000002273000-memory.dmp

Filesize
25.1MB

Download
memory/1008-223-0x0000000000960000-0x0000000002273000-memory.dmp

Filesize
25.1MB

Download
memory/2696-20-0x0000020232AB0000-0x0000020232AC4000-memory.dmp

Filesize
80KB

Download
memory/2696-24-0x0000020216510000-0x0000020216520000-memory.dmp

Filesize
64KB

Download
memory/2696-18-0x0000020232A30000-0x0000020232A56000-memory.dmp

Filesize
152KB

Download
memory/2696-19-0x00000202328A0000-0x00000202328C6000-memory.dmp

Filesize
152KB

Download
memory/2696-16-0x0000020232840000-0x0000020232856000-memory.dmp

Filesize
88KB

Download
memory/2696-21-0x00007FFE6D0C0000-0x00007FFE6DB81000-memory.dmp

Filesize
10.8MB

Download
memory/2696-15-0x0000020216510000-0x0000020216520000-memory.dmp

Filesize
64KB

Download
memory/2696-17-0x0000020232860000-0x000002023286A000-memory.dmp

Filesize
40KB

Download
memory/2696-25-0x0000020216510000-0x0000020216520000-memory.dmp

Filesize
64KB

Download
memory/2696-14-0x0000020232810000-0x0000020232834000-memory.dmp

Filesize
144KB

Download
memory/2696-27-0x0000020216510000-0x0000020216520000-memory.dmp

Filesize
64KB

Download
memory/2696-13-0x0000020232810000-0x000002023283A000-memory.dmp

Filesize
168KB

Download
memory/2696-12-0x0000020216510000-0x0000020216520000-memory.dmp

Filesize
64KB

Download
memory/2696-11-0x0000020216510000-0x0000020216520000-memory.dmp

Filesize
64KB

Download
memory/2696-10-0x00007FFE6D0C0000-0x00007FFE6DB81000-memory.dmp

Filesize
10.8MB

Download
memory/2696-9-0x0000020232450000-0x0000020232472000-memory.dmp

Filesize
136KB

Download