analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Spotify 1.1.4.zip

Full analysis: https://app.any.run/tasks/9727dd30-1f28-408e-aaef-dbe3015211e9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 14:03:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C9BEBE0EDAD47DD2902C2049FD818013

SHA1:

49C9B4799265AA8113AC818291573426FBFFB6FC

SHA256:

016E6A77D49F9520690EFC0A24CCD6BC489DD8C36B9C5A9861092D0D48EBA6BF

SSDEEP:

12288:1vXdhlthsiiG1yvXdhlthsiiG1AvXdhlthsiiG1D:1tsiioytsiioAtsiioD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs injected code in another process

      • cmd.exe (PID: 3012)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 608)

    • Loads dropped or rewritten executable

      • Spotify.exe (PID: 3388)
      • Spotify.exe (PID: 1872)
      • Spotify.exe (PID: 2376)
      • Spotify.exe (PID: 3980)

    • Application was injected by another process

      • dllhost.exe (PID: 3960)

    • Changes the autorun value in the registry

      • Spotify.exe (PID: 3388)

    • Application was dropped or rewritten from another process

      • Spotify.exe (PID: 3388)
      • Spotify.exe (PID: 3980)
      • Spotify.exe (PID: 2376)
      • Spotify.exe (PID: 1872)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 1236)

  • SUSPICIOUS

    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 2604)

    • Creates files in the user directory

      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 3556)
      • powershell.exe (PID: 1236)
      • cmd.exe (PID: 3012)
      • powershell.exe (PID: 3008)
      • Spotify.exe (PID: 3388)
      • powershell.exe (PID: 2248)
      • spotify_installer-1.1.4.197.g92d52c4f-13.exe (PID: 3960)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3556)
      • WinRAR.exe (PID: 1332)
      • cmd.exe (PID: 608)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 608)

    • Modifies the open verb of a shell class

      • Spotify.exe (PID: 3388)

    • Application launched itself

      • Spotify.exe (PID: 3388)
      • cmd.exe (PID: 608)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3012)
      • spotify_installer-1.1.4.197.g92d52c4f-13.exe (PID: 3960)
      • cmd.exe (PID: 608)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1496)

  • INFO

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 2548)

    • Reads the hosts file

      • Spotify.exe (PID: 3388)

    • Dropped object may contain Bitcoin addresses

      • spotify_installer-1.1.4.197.g92d52c4f-13.exe (PID: 3960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: None
ZipModifyDate: 2020:06:06 10:33:05
ZipCRC: 0xc87cf666
ZipCompressedSize: 367801
ZipUncompressedSize: 367801
ZipFileName: Spotify 1.1.4/downgrade.bat
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
27
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject rundll32.exe no specs winrar.exe no specs cmd.exe taskkill.exe no specs powershell.exe no specs findstr.exe no specs powershell.exe powershell.exe no specs cmd.exe icacls.exe no specs findstr.exe no specs dllhost.exe icacls.exe no specs spotify_installer-1.1.4.197.g92d52c4f-13.exe powershell.exe no specs spotify.exe spotify.exe no specs spotify.exe no specs spotify.exe no specs cmd.exe taskkill.exe no specs taskkill.exe no specs powershell.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs findstr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2548"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Spotify 1.1.4.zip.xpiC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1332"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Spotify 1.1.4.zip.xpi"C:\Program Files\WinRAR\WinRAR.exerundll32.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3012cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa1332.48170\downgrade.bat" "C:\Windows\system32\cmd.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1496taskkill /f /im Spotify.exe C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1480powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2608findstr "PackageFullName" C:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1236powershell.exe -ExecutionPolicy Bypass -Command (new-object System.Net.WebClient).DownloadFile('http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe','spotify_installer-1.1.4.197.g92d52c4f-13.exe')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3556powershell "saps -wait -filepath '"C:\Users\admin\AppData\Local\Temp\Rar$DIa1332.48170\downgrade.bat"' -verb runas -argumentlist 'patch'" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2604"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\Rar$DIa1332.48170\downgrade.bat" patch C:\Windows\System32\cmd.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4056icacls "C:\Users\admin\AppData\Local\Spotify\Update" /reset /T C:\Windows\system32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 150
Read events
2 679
Write events
0
Delete events
0

Modification events

No data
Executable files
12
Suspicious files
65
Text files
6
Unknown types
87

Dropped files

PID
Process
Filename
Type
1480powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\05C9815HNSW2R0W8DYGR.temp
MD5:
SHA256:
1236powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OBLA2D6QTDTM307CPDLD.temp
MD5:
SHA256:
1236powershell.exeC:\Users\admin\Desktop\spotify_installer-1.1.4.197.g92d52c4f-13.exe
MD5:
SHA256:
3556powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C36KDBI1EYNHV26ZE95W.temp
MD5:
SHA256:
1236powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:36FE326E12493E805B62142553A1E43C
SHA256:3DD6ACC81930940EC26CE9794D473AC8869FCDB0D48BC71A20C27D80FF693B9F
3960spotify_installer-1.1.4.197.g92d52c4f-13.exeC:\Users\admin\AppData\Roaming\Spotify\~TMP_3960_8_~compressed
MD5:F0E953D82A6F20732E1BCEC605D622C4
SHA256:76CABBE6C61468AC893F1075753E186432566B58BE7143F01E2CCCD1F4FF0BE8
3960spotify_installer-1.1.4.197.g92d52c4f-13.exeC:\Users\admin\AppData\Roaming\Spotify\~TMP_3960_12_~compressed
MD5:AF9BFC59EBE305CC6F58A08FBE060F99
SHA256:8E10CD1194A695B903FF9A0E8D228E830FF11E2F61BF1DD9DBBFE16DC703AB04
1480powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1b6156.TMPbinary
MD5:36FE326E12493E805B62142553A1E43C
SHA256:3DD6ACC81930940EC26CE9794D473AC8869FCDB0D48BC71A20C27D80FF693B9F
3960spotify_installer-1.1.4.197.g92d52c4f-13.exeC:\Users\admin\AppData\Roaming\Spotify\~TMP_3960_20_~compressed
MD5:1AF29D380F4D7A0402F22D37022121D0
SHA256:44D6F270EDB7259D682682FD7525B2EB4FCB0E013F82E46222D748CF374AA98F
3960spotify_installer-1.1.4.197.g92d52c4f-13.exeC:\Users\admin\AppData\Roaming\Spotify\~TMP_3960_4_~compressed
MD5:D4A3CC3EC72B6A5E52637FF47440D24C
SHA256:ACB2C22EE92102738958ADC7D6294D6B09954DAD275201BA6A836602064E71EC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1236
powershell.exe
GET
200
151.101.2.133:80
http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe
US
executable
66.2 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1236
powershell.exe
151.101.2.133:80
upgrade.spotify.com
Fastly
US
malicious

DNS requests

Domain
IP
Reputation
upgrade.spotify.com
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.130.133
  • 151.101.194.133
malicious

Threats

PID
Process
Class
Message
1236
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1236
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Process
Message
Spotify.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Spotify directory exists )
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Spotify 1.1.4.zip