Analysis
  max time kernel:  145s
  max time network: 151s
  platform:         windows11-21h2_x64
  resource:         win11-20240508-en
  resource tags:    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        21/05/2024, 18:16
Behavioral tasks
  behavioral1  sample: cracked-premium-spotify.rar  resource: win11-20240508-en
  behavioral2  sample: Spotify-Mod.exe              resource: win11-20240508-en
  behavioral3  sample: Spotify-Mod.pyc              resource: win11-20240419-en
General
  Target: cracked-premium-spotify.rar
  Size:   15.9MB
  MD5:    488d0651494c0055ad54d53a60b0bfd1
  SHA1:   b8c4398e9dcb0a7e822d1e1cf99e1453d1850212
  SHA256: d6a3c410b9c13da9d82ceeb2a1471afcfc9d9679599c3dce795027e38e63e59e
  SHA512: f7b87a7dc472375e7e1bfa3a9def5067db9adce514c34553ada803a3b68c04673c318fb555b56dcf5fa32ab619c563945a3898b5ebb341f1f6c87c8a02560f23
  SSDEEP: 393216:L/iGozh1lcrnyfrU1pZ04wqbyGc9x1JqHcb3kDzQ:L/iGodWyfrU1rIqbyr9bb3kHQ
Malware Config
Signatures

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description        ioc                                                                                   Process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      Winword.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 Winword.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Winword.exe

  Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                           Process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            Winword.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  Winword.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     Winword.exe

  Modifies registry class (2 IoCs)
    description  ioc                                                                               Process
    Key created  \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings  cmd.exe
    Key created  \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings  OpenWith.exe

  Suspicious behavior: AddClipboardFormatListener (2 IoCs)
    pid   Process
    3020  Winword.exe
    3020  Winword.exe

  Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    pid   Process
    4760  OpenWith.exe

  Suspicious use of SetWindowsHookEx (21 IoCs)
    pid   Process       entries
    4760  OpenWith.exe  15
    3020  Winword.exe   6

  Suspicious use of WriteProcessMemory (2 IoCs)
    description                      pid   Process       procid_target
    PID 4760 wrote to memory of 3020  4760  OpenWith.exe  82
    PID 4760 wrote to memory of 3020  4760  OpenWith.exe  82
Processes

  C:\Windows\system32\cmd.exe  (PID: 72)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\cracked-premium-spotify.rar
    - Modifies registry class

  C:\Windows\system32\OpenWith.exe  (PID: 4760)
    command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\Office16\Winword.exe  (PID: 3020, child of 4760)
      command line: "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\cracked-premium-spotify.rar"
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx