Overview

overview

8

Static

static

1

Install_New_theme.bat

windows10-2004-x64

8

Install_New_theme.bat

windows11-21h2-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install_New_theme.bat

  • Size

    277B

  • MD5

    bf78a0583ee16de7cf3776c7c7ad23fc

  • SHA1

    30d6cf358f8932007554e5a5ef2f3ccf83c90e8a

  • SHA256

    fa7ff9975dce1fc26987f6457ee9ef5e9a9fbe4d21b68a34941343f5cb00651e

  • SHA512

    8a154d83996fbf0ba5f3c13514c48484824238d5d42aa7bcb44e399b996c249b66edaf722080101db0a7b4e8b93ca6028ac27ef565b9dfc7169d62466cf8f5ab

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Install_New_theme.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "&{[Net.ServicePointManager]::SecurityProtocol = 3072}; """"& { $(Invoke-WebRequest -UseBasicParsing 'https://spotx-official.github.io/run.ps1')} -new_theme """" | Invoke-Expression"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Windows\system32\curl.exe
        "C:\Windows\system32\curl.exe" -V
        3⤵
          PID:2428
        • C:\Windows\system32\curl.exe
          "C:\Windows\system32\curl.exe" -Is -w "%{http_code} \n" -o /dev/null -k https://download.scdn.co/upgrade/client/win32-x86/spotify_installer-1.2.46.462.gf57913e0-290.exe --retry 2 --ssl-no-revoke
          3⤵
            PID:2052
          • C:\Windows\system32\curl.exe
            "C:\Windows\system32\curl.exe" -q -k https://download.scdn.co/upgrade/client/win32-x86/spotify_installer-1.2.46.462.gf57913e0-290.exe -o C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-09-19_13-28-14\SpotifySetup.exe --progress-bar --retry 3 --ssl-no-revoke
            3⤵
              PID:720
            • C:\Windows\explorer.exe
              "C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-09-19_13-28-14\SpotifySetup.exe
              3⤵
                PID:4848
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1552
            • C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-09-19_13-28-14\SpotifySetup.exe
              "C:\Users\Admin\AppData\Local\Temp\SpotX_Temp-2024-09-19_13-28-14\SpotifySetup.exe"
              2⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3168
              • C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
                Spotify.exe
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:364

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdohgdit.xxx.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
            Filesize

            26.2MB

            MD5

            e07767b6ed9e6ee625ef3f7a2b82d87f

            SHA1

            5340cff6c742009c1887a9005f0c068c29c48dbc

            SHA256

            29a0b72792522e9dea170527ede9ebc909ee84d0c6a918cb66098bf1fea645c8

            SHA512

            574cb1dcac9c0be3cebc2586e875a69ba495bdbf3a687cac75a11b0797e59ddd2ad6b4f6ee1ae1aea11ba45a75035701c3992843042d9fcb53add3b6a3123589

            Download Submit

          • memory/364-226-0x0000000000F60000-0x00000000029B6000-memory.dmp

            Filesize

            26.3MB

            Download

          • memory/364-225-0x0000000000F60000-0x00000000029B6000-memory.dmp

            Filesize

            26.3MB

            Download

          • memory/4480-18-0x000001D84EBD0000-0x000001D84EBDA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4480-19-0x000001D84EFA0000-0x000001D84EFC6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/4480-14-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4480-15-0x000001D84EBB0000-0x000001D84EBDA000-memory.dmp

            Filesize

            168KB

            Download

          • memory/4480-16-0x000001D84EBB0000-0x000001D84EBD4000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4480-17-0x000001D84EBB0000-0x000001D84EBC6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4480-0-0x00007FFE65093000-0x00007FFE65095000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4480-13-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4480-20-0x000001D84EF70000-0x000001D84EF96000-memory.dmp

            Filesize

            152KB

            Download

          • memory/4480-21-0x000001D84F020000-0x000001D84F034000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4480-22-0x00007FFE65093000-0x00007FFE65095000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4480-23-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4480-24-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4480-12-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4480-11-0x00007FFE65090000-0x00007FFE65B51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4480-10-0x000001D84EA40000-0x000001D84EA62000-memory.dmp

            Filesize

            136KB

            Download