56a19e0fb6b02d11d6ba2a8ba43a0d649f918b1bc880202e38ac6b172e63f89e

Analysis

max time kernel
27s
max time network
27s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spotify.exe
Size

2.0MB
MD5

c619774435d8720df59cb75b8c80e73a
SHA1

25cbf4ae545d37edf9ba1960a325a6aadd2cf6df
SHA256

56a19e0fb6b02d11d6ba2a8ba43a0d649f918b1bc880202e38ac6b172e63f89e
SHA512

6f7e8fd68c0ebec1de9d94b4e4cff58c931ed9b2d77b2ce889bc48ddd4625ceac857504892013895e7a9d97e511e838add57e7f18d7872a3cc5e1addecb2a138
SSDEEP

49152:ckQBBdBbeJdDjnlxrWXyXFWsmZ4kq7bGp:cRBVC/jlxayosa4P3Gp

Score

10^/10

execution

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2296	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2296	schtasks.exe	28

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
976	powershell.exe
568	powershell.exe
488	powershell.exe
676	powershell.exe
540	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	taskhost.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\dllhost.exe	Spotify.exe
File created	C:\Program Files\7-Zip\Lang\5940a34987c991	Spotify.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	Spotify.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	Spotify.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\taskhost.exe	Spotify.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\b75386f1303e64	Spotify.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\taskhost.exe	Spotify.exe
File opened for modification	C:\Windows\assembly\taskhost.exe	Spotify.exe
File created	C:\Windows\assembly\b75386f1303e64	Spotify.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
348	schtasks.exe
1644	schtasks.exe
2780	schtasks.exe
2756	schtasks.exe
1688	schtasks.exe
2464	schtasks.exe
2200	schtasks.exe
2548	schtasks.exe
2680	schtasks.exe
1736	schtasks.exe
2564	schtasks.exe
1844	schtasks.exe
1016	schtasks.exe
1588	schtasks.exe
2900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe
1220	Spotify.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	Spotify.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	3044	taskhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 540	1220	Spotify.exe	44
PID 1220 wrote to memory of 540	1220	Spotify.exe	44
PID 1220 wrote to memory of 540	1220	Spotify.exe	44
PID 1220 wrote to memory of 676	1220	Spotify.exe	45
PID 1220 wrote to memory of 676	1220	Spotify.exe	45
PID 1220 wrote to memory of 676	1220	Spotify.exe	45
PID 1220 wrote to memory of 488	1220	Spotify.exe	46
PID 1220 wrote to memory of 488	1220	Spotify.exe	46
PID 1220 wrote to memory of 488	1220	Spotify.exe	46
PID 1220 wrote to memory of 568	1220	Spotify.exe	47
PID 1220 wrote to memory of 568	1220	Spotify.exe	47
PID 1220 wrote to memory of 568	1220	Spotify.exe	47
PID 1220 wrote to memory of 976	1220	Spotify.exe	48
PID 1220 wrote to memory of 976	1220	Spotify.exe	48
PID 1220 wrote to memory of 976	1220	Spotify.exe	48
PID 1220 wrote to memory of 1276	1220	Spotify.exe	54
PID 1220 wrote to memory of 1276	1220	Spotify.exe	54
PID 1220 wrote to memory of 1276	1220	Spotify.exe	54
PID 1276 wrote to memory of 2740	1276	cmd.exe	56
PID 1276 wrote to memory of 2740	1276	cmd.exe	56
PID 1276 wrote to memory of 2740	1276	cmd.exe	56
PID 1276 wrote to memory of 1704	1276	cmd.exe	57
PID 1276 wrote to memory of 1704	1276	cmd.exe	57
PID 1276 wrote to memory of 1704	1276	cmd.exe	57
PID 1276 wrote to memory of 3044	1276	cmd.exe	58
PID 1276 wrote to memory of 3044	1276	cmd.exe	58
PID 1276 wrote to memory of 3044	1276	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Spotify.exe
"C:\Users\Admin\AppData\Local\Temp\Spotify.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1XwV9Yu1OZ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2740
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1704
- - C:\Program Files (x86)\Windows NT\TableTextService\taskhost.exe
    "C:\Program Files (x86)\Windows NT\TableTextService\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\assembly\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\spoolsv.exe

Filesize
2.0MB

MD5
c619774435d8720df59cb75b8c80e73a

SHA1
25cbf4ae545d37edf9ba1960a325a6aadd2cf6df

SHA256
56a19e0fb6b02d11d6ba2a8ba43a0d649f918b1bc880202e38ac6b172e63f89e

SHA512
6f7e8fd68c0ebec1de9d94b4e4cff58c931ed9b2d77b2ce889bc48ddd4625ceac857504892013895e7a9d97e511e838add57e7f18d7872a3cc5e1addecb2a138

Download Submit
C:\Users\Admin\AppData\Local\Temp\1XwV9Yu1OZ.bat

Filesize
239B

MD5
aede9b9a76d78ba37d22db5b2f732c41

SHA1
d58cd51c8c13a62b2f3b54dd0a1c31136d04e4b3

SHA256
7258f978f88622b84394ca4793231379896513c5586be80bec97ea53368f5f38

SHA512
b304707354ea2d0ac5483c2e0e8326f28f94728fc484c4e8d23a62326a2555ff16a91c106a1d8732296850b84c11dacd583955c678589db9d82d9d9628bef237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c3cdcb20c948139b2f394090e4b35b66

SHA1
caef8731a98bd053befe422324db3d86f730479f

SHA256
8ca0739a03f81d570df38f2bd4f8dbc5ece45f0fc30cdc2c77cb6b968bdea744

SHA512
c73494e3744e5ee645f4e88f96c11cb24b0cb0cb719bdd1022acd9d7cea865cdc9f9e56eb5792ea4efd4206da841851772c2824d871bc5afec9ce20d79e87063

Download Submit
memory/676-51-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/676-62-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1220-13-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1220-24-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-9-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-23-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1220-21-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-20-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/1220-18-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1220-16-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1220-14-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/1220-11-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/1220-8-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/1220-25-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-6-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/1220-36-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-37-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-50-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-4-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-3-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-2-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-1-0x0000000000F70000-0x0000000001174000-memory.dmp

Filesize
2.0MB

Download
memory/1220-69-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-73-0x0000000000B90000-0x0000000000D94000-memory.dmp

Filesize
2.0MB

Download