Analysis
-
max time kernel
64s -
max time network
69s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
10/08/2024, 14:29
General
-
Target
BlockTheSpot.bat
-
Size
265B
-
MD5
d2a6bb7593c8c2c054a65c6d2167197a
-
SHA1
721bc41054dfbdac908e11881e5c1885002a8183
-
SHA256
8b78d1071a5c9add21685f9607f42010ef8c04fd4a789a45fe8678fde6ab1d24
-
SHA512
48fbc3ef45ec6b1fe3fd6a6d832739308bcf84c4bd7fa83b7295e054a29dda15cc0b70d93ef43906c3c9fb4194e66eab02eb8863d2a1a5646c18d7b3a52984ca
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 17 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 13 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -UseBasicParsing 'https://raw.githubusercontent.com/mrpond/BlockTheSpot/master/install.ps1' | Invoke-Expression}"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exeC:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win64 --annotation=product=spotify --annotation=version=1.2.43.420 --initial-client-data=0x3a0,0x3a4,0x3a8,0x39c,0x3ac,0x7ffce492aef0,0x7ffce492aefc,0x7ffce492af084⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=gpu-process --log-severity=disable --user-agent-product="Chrome/125.0.6422.112 Spotify/1.2.43.420" --lang=en --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1696,i,7421327839931037462,777408286539134684,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=1688 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --log-severity=disable --user-agent-product="Chrome/125.0.6422.112 Spotify/1.2.43.420" --lang=en --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --field-trial-handle=3284,i,7421327839931037462,777408286539134684,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=3280 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="Chrome/125.0.6422.112 Spotify/1.2.43.420" --lang=en --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --field-trial-handle=3412,i,7421327839931037462,777408286539134684,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=3408 /prefetch:34⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=renderer --log-severity=disable --user-agent-product="Chrome/125.0.6422.112 Spotify/1.2.43.420" --disable-spell-checking --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3996,i,7421327839931037462,777408286539134684,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -Command & 'C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2024-08-10_14-29-50\SpotifyFullSetup.exe'1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2024-08-10_14-29-50\SpotifyFullSetup.exe"C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-2024-08-10_14-29-50\SpotifyFullSetup.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exeSpotify.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
2KB
MD573c44bf55b361bb78589ca099b4c5d7b
SHA134dd91589afc3bb9f6bd63203bda6ec57b757fe3
SHA256512c968d86d63516286966534a142ee133524530e8382f74a43dc93bc2ad378a
SHA512f45685b8d5362b5efbbd8de7fe4321d4c33f7bdf38e51bca1169caaa7d3838a83205abf0a35c5a3eba5a3e666d94cd27722d2821a8a1ee8e7d09a0e058872ba4
-
Filesize
48B
MD5ce0761bd759297f3a15c39790c0546bd
SHA1db8ac4369a76e42a32f2b3783dba36256d6557bc
SHA2560ef9acf3961b9f0c828ef3953948f43722160fd1340b0ee91a130b9072031eec
SHA512563e47dbb99775a95a4bb4ec60742a919bbc9dc0e5770dc75c4e1e71a346b2e4747d3979a4a9b6dd0801e1166b57aabace5757d56e7e37558845cf668748ddae
-
Filesize
96B
MD56ec3d1e1df4bc84bc2b2ae90c5003082
SHA12c9d2c60fbebd0753a1bc4242edcbcfaf50fc425
SHA25612bd2d3fb2aad57baa3e3addff79b74190d68a15ff43a6c08ecbc1c8da9cfc3f
SHA512bd14262c867b6cbefb00f52500c6cb63ca173613c336a0bd836c502af5e4a3a5ebff332e3f1920c7e2c5be9e15065d08e22e5f4eed37f3e5b61225b16a687926
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
56B
MD51e8b9daa885f2821fa25de70028a127a
SHA11cb8ece148b21d0f175ca2bac4a63376f40fb3b1
SHA256d35951ad8cbd44acb12503fa405d79e3fc1466b23c04545e96229c392300092d
SHA5125465c93eb2c135cc46bbea3e311b21290a9dde4b65b2fdd8fc1a9fbff2f3b7b7bc0b39cb0e26b40d412e12d09601c8090a547317f46c6ce12e620a63ce58cea6
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
101B
MD572d74873a9d7f5905ffe33abbb83ce5c
SHA1bde774f7a4e2e0320a80e8b6bcfd3f1d496fd966
SHA25645c2bc29abefa7af80b4ae0bb3e67feb1c2ab2e54922915839099cc6fcf78b43
SHA512ce7fc7b3c39300fb8e7a438ecc21849e4f62055baace0e0c3f44db8fde905f057dd48c7cc41b28234e38154cb9a54d9d4c81c9fd5afb3a0e9964b5685867986b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.5MB
MD55c287b41538166fc2e012916fe49a6a2
SHA198b56ee955e15f5d5e619ed4fe47c7dbb2769a9d
SHA2562bda601b183fe79a4e8f0d7aaf8f19089978f4626660f984a2a43298e1ee559b
SHA512eb82b4e9d835d704e320f07420dbfe4132ba8848c31f6623fd0cb803f13885ad5ecd741b2d21a41b1a624758130276e1704cb8f8e6c1ab7fd0b85d21916eaa34
-
Filesize
33.7MB
MD5af33eb83fbf45abc1b55c9ee9a53290f
SHA12288e2f78a26ff4f3ba2c3d8632328eef260919e
SHA256e9553b44a5fce164fa475d42cb28aeacdf3c59e0e2a1d1b00804d5b72a8b29bf
SHA512e0df560215c5bc7b118766a03f8b9720d0acdb46295ba664a04aabf6dc3d16a145f2d44f549694b6ad0b6d160e311912404601d88011ef0d28d60735d6d15590
-
Filesize
667KB
MD56c66dfb43b302bb2f59bdb0941fee3f0
SHA1d150584a60b362d292d52b52b0ce0e81d3835d3b
SHA256adebb2921cc84e02bbf9417a16ebe18d84938fd27475b517b36a0da9da505ac1
SHA512f07b6c9008e4dc0e8aaa6b95a4d2b1a1fb437a8d646a973fc7b98f7bfac42df7a50bd83767daf9959976e720eb7dc9eb256838e1dda36c1700de9f1aea07390b
-
Filesize
1.0MB
MD5744ecf3e5f1b18e950533e0d42e6d4ad
SHA1bb9a9ee40649a3f5bd2e7f46e16c7e5e139b7e54
SHA256a3cf8aa391aad9d995670099cda3ec390956cd6eb97ac90ecd1d259ba466486e
SHA512189bfe2a3e5e5a2fdc46128745244c68a7a86fa9bc3af48753e9efdbc229ec3b01c800ee285713656ee93e51a9c4a0a13bf52bdbf818994624929938661d5323
-
Filesize
1.3MB
MD50d9fed30817d3a0271b96f26f4d114e6
SHA1bac667c772e048dbb14203e1eb423cb0c67753a1
SHA2561fb7f376e75cb07dea3585d3594473648d2eb637d5bd2db9c23f87f1274e963c
SHA51210124d6f07c8974a70f05fb72193e7a2935e73d70de383ed9552f29de638e814627649c04bb2923c7e8275d5671d7d03ab3c492e9f72f405b9460532cf8e583c
-
Filesize
656B
MD5424698b0b65b8efe880c3febb4e14f32
SHA1e2edf49c6b5b7cfebd33b992df1551b6da931653
SHA256b4e1deee4d7280b407ac62946f7ec1c507b2a2973f8e026abe11ac42aada6081
SHA512aacbd0d29d245a8642d0509c7c1a0f79d082ff4fda6d5d5fe8af00962ab9f379dd90f70550d7eec779e99ff375eda619864f9432a922c2a574803639d84b181d
-
Filesize
4.7MB
MD58bcf583884578e1d06fa23a7d9edd6f4
SHA141a95c4554c1cf6f95d8160376713b34850905cb
SHA2567322271eded814d5975bc59d673cf48361ff2a1810c1737a67ccf93f16998622
SHA512921e13e9ce4c4992d82dfcd6ec83eea2cdaeb3e46f4594c3115f2c3358141de7d8ddb0abab32002c984dd83c53291d1a719626ebb98263372dcebbf68296e9ad
-
Filesize
842KB
MD5304d94e5b265e29e87a5f38ece1a3630
SHA17bf6409cf69d969319ad5cba5fa47695c91ab2bb
SHA2569dceedac8397d8673c9588c638fa74581f3a5c5ad46867b5976fc487769b977b
SHA512ba0306c15792f2278dc88e8b1d1b125ddbdd6a7826f75cd1d79a69d913c9d6e022d0255ab9dc13331185f126c82e60d58e74cc637fbbbbcbb6808e37de734ab1
-
Filesize
10.0MB
MD5ffd67c1e24cb35dc109a24024b1ba7ec
SHA199f545bc396878c7a53e98a79017d9531af7c1f5
SHA2569ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92
SHA512e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79
-
Filesize
467KB
MD55376ee7b1dc29b374481cc8cc6d8a808
SHA154cce8eb81a636754655045c03f14c6b0de162dd
SHA256534d610c3420147060feffeb03d1033207936debb4e192db504cccff73ee678f
SHA5125ac210622860ff401641f9b2883ec5c7b71efbd1763a6c9e0b8380cb7af0379ad99c6bd05a85f14aefb11c02c9496445c762a88df303f32b94fbe8865a347c2a
-
Filesize
7.7MB
MD5609245170021cbe9f2307f4364222f16
SHA1f4b39328904b0f91d0ad95990d46f9713f175e1b
SHA2561f095076ba3900ff5420e0e586e1e892aa7b8c38adada16580a8596648fbf17b
SHA51239791a923a51660025f9b99900a193e2682557f632a719ab2ccb1241f6d007a7e9341f904540be5e766bd2fa5e4847a794aac5985e7021826b9ef2352919879d
-
Filesize
459KB
MD5d74fa66466d377a2e5ea85c7142895d6
SHA14976fa62b0fc60a92c4a84d7e4b1ab939ed7bfbb
SHA256dd2c824c1b8365c730fb91ae90f90d0e1115f444d36fd90097b2544e24822205
SHA5127010936923a8414ebff0197b647a387729f86e6e0fd5166726fed0c9410fcb7644fd3632aa4fe492428efff2e451119fc86e0f85df8a0a93ef071db1800df623
-
Filesize
16KB
MD52cfe980c0024751358360372fe4bc2b1
SHA14d926cf61c0e9d27ff847fc3446f049dbd1da192
SHA2563905cd0af0025adc86548e2f47d68461408a2e2800d66669c9fdf7829c53dee1
SHA5128bc0f5ee1ded4c693f0e239fdc308626da2d32cf86997d93e000d8c5bd89e42d77a3e058fe548e6f4aeeb5d1e9391f308071bad6b55212500d9dd7cc1bacc6e3
-
Filesize
8.1MB
MD55d169d0b80ebd3c7d3fc517d9e13f007
SHA1ab43a52fbbb3994f4c3a90688b14592353701f9b
SHA2568aa4a2089231bd8262e988b10d2cb0428a38fa3c6c28f90d00c4437e83cc6d3e
SHA512e39e0616ea3b904b2f0c512eb5c551aebe407a95baecaa73fa484211c347f128506c305986b26634d4fe3b4339f05251594a8ae2b167f65378aa7674edb5fab8
-
Filesize
652KB
MD5d7acfe5407bfc156b1dd134670eb8734
SHA1abcd7e124e5c4525f2888d4346b4e029f31fa77d
SHA2565c338e3e42c376f230e9764cbd97e1b4befae13d82ebd04318b5e42c94ff278f
SHA5129c1a1381e41a488924f3b7f5aa8dbef6f1a82c5a7eb6c958c0a0aea9ca2dea08ad3690b5d38bd2663108e8c58e687d3da090023b2ac8bdda92552d1c6aee171c
-
Filesize
5.0MB
MD557f9a132265935e4099d5319cc86349d
SHA19a760ab2dbff73d8897b43609190f05061b54f81
SHA256f2851e5732eea560b488d2e3ba2078ac26e7599d84e979a4d597576c590e2345
SHA51211760974aeeee12eaca2666ddb59674d3e084ed0643c9064215a009db749c73577b8abadf62482c62f5cca216eff46f840788697e647b1454079b074a8fb3ebc
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
40KB
-
Filesize
7.2MB
-
Filesize
688KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.2MB
-
Filesize
688KB
-
Filesize
34.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
34.0MB
-
Filesize
64KB
-
Filesize
34.0MB