General

  • Target

    spotify no ads.zip

  • Size

    396KB

  • Sample

    240701-bsz44asbkb

  • MD5

    16403509ed0d601121fa0a073552df09

  • SHA1

    1f4efc9b38c02e4e1b905d101ffe5a3b6c2ad4d6

  • SHA256

    a3d66398045b5d0e1af48194f591bfb0cd2a2b51ddf2fbd93def502c6a0d989b

  • SHA512

    391f83855a0efc08b731b36eec23b2dd82a5b75885741c34eec8519bc0342a13be2de0b7af5b46d56117320f50c6e7131254992dcba45e33547af59df79f5151

  • SSDEEP

    12288:IhM7XABSBp/D2yvP7gvgxel5Viux5PJkD:qM7XAOCeCgOiq5RkD

Targets

    • Target

      New folder/Install_Auto.bat

    • Size

      481B

    • MD5

      4a2fc5b639477dd1c96cd75e09638a57

    • SHA1

      f9bf0cd572a26b0f3cb150952f28dee107699b87

    • SHA256

      50159f10ba5ff9bd70a553acd689f26bd980555c2d9cdb68f42b5f3d3b7fd351

    • SHA512

      8bf2924c22645931f270b4ef7d41897cdbb9eb8df26f6d9e973acd7be6a2739bb9ac061124fe8bc3b9cfe7910e86c9b99545fda24b80f6f5b4b3c943e7662e0f

    Score
    8/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      New folder/SpotifySetup.exe

    • Size

      996KB

    • MD5

      ad3a0720f1f13cee556c39d0574b77cb

    • SHA1

      bce0681ba0026958c72e54b9c2945e158cdc4f79

    • SHA256

      e7d41f1cfb052067da58c21e81033381b372df8645983a7e29132fbad0677a0c

    • SHA512

      f9ba750e14490ba39c587cc6db6551728b473d95bf4eb38a5aa271dcd298554c12d95035f3354caf379f67f23af6959bbe937340656de26149900e8297fe2307

    • SSDEEP

      12288:xR4iEp29TvYnr9KIV9CJ8I/Ec3AqKhrHnLtvg1lkQPjO7PmsZ:o29byKC9CJ8I/ESKhvtSpK7PmsZ

    • Adds Run key to start application

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1
  • PowerShell (T1059.001): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Command and Control

  • Web Service (T1102): 1