Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SpotifyWidgetProvider.exe

Overview

General Information

Sample name:	SpotifyWidgetProvider.exe
Analysis ID:	1529303
MD5:	96d69dea15c182edbbb8bd178e063959
SHA1:	392e8fe31010daf9ef6b648d0f3d67d43c4ef87d
SHA256:	fac4407a29441b55b19390114468ca109fa7eb081f14ec829fad386aa10b5263
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file overlay found

Classification

×

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SpotifyWidgetProvider.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: SpotifyWidgetProvider.pdbA source: SpotifyWidgetProvider.exe
Source:	Binary string: SpotifyWidgetProvider.pdb source: SpotifyWidgetProvider.exe

Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://adaptivecards.io/schemas/adaptive-card.json
Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://clienttoken.spotify.com/v1/clienttoken
Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://clienttoken.spotify.com/v1/clienttokenapplication/x-protobuf
Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://spclient.wg.spotify.com/
Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://spclient.wg.spotify.com/application/x-protobufContent-Type
Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://spclient.wg.spotify.com/gabo-receiver-service
Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://spclient.wg.spotify.com/user-customization-service/v1/customize
Source: SpotifyWidgetProvider.exe	String found in binary or memory: https://widget-content.spotify.com/v2/layouthttps://widget-content.spotify.com/v1/datahttps://widget

Source: SpotifyWidgetProvider.exe

Static PE information: Data appended to the last section found

Source: classification engine

Classification label: unknown1.winEXE@0/0@0/0

Source: SpotifyWidgetProvider.exe	String found in binary or memory: -startupsend
Source: SpotifyWidgetProvider.exe	String found in binary or memory: 0123456789ABCDEFcppEvent sender failed to serialize context data for context %s-nopersistence-rl-sendinterval.0s-essopt-startupsend-onlinesend-bgsend-bcdsend-modern-payloadkB-batch-lmdbwindows

Source: SpotifyWidgetProvider.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SpotifyWidgetProvider.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SpotifyWidgetProvider.exe

Static file information: File size 3145728 > 1048576

Source: SpotifyWidgetProvider.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x253e00
Source: SpotifyWidgetProvider.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x611600

Source: SpotifyWidgetProvider.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SpotifyWidgetProvider.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: SpotifyWidgetProvider.pdbA source: SpotifyWidgetProvider.exe
Source:	Binary string: SpotifyWidgetProvider.pdb source: SpotifyWidgetProvider.exe

Source: SpotifyWidgetProvider.exe

Static PE information: real checksum: 0x90d7ba should be: 0x30aa19

Source: SpotifyWidgetProvider.exe

Static PE information: section name: _RDATA

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://spclient.wg.spotify.com/gabo-receiver-service	SpotifyWidgetProvider.exe	false		unknown
https://clienttoken.spotify.com/v1/clienttokenapplication/x-protobuf	SpotifyWidgetProvider.exe	false		unknown
https://widget-content.spotify.com/v2/layouthttps://widget-content.spotify.com/v1/datahttps://widget	SpotifyWidgetProvider.exe	false		unknown
https://adaptivecards.io/schemas/adaptive-card.json	SpotifyWidgetProvider.exe	false		unknown
https://clienttoken.spotify.com/v1/clienttoken	SpotifyWidgetProvider.exe	false		unknown
https://spclient.wg.spotify.com/	SpotifyWidgetProvider.exe	false		unknown
https://spclient.wg.spotify.com/user-customization-service/v1/customize	SpotifyWidgetProvider.exe	false		unknown
https://spclient.wg.spotify.com/application/x-protobufContent-Type	SpotifyWidgetProvider.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529303
Start date and time:	2024-10-08 20:37:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SpotifyWidgetProvider.exe
Detection:	UNKNOWN
Classification:	unknown1.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
VT rate limit hit for: SpotifyWidgetProvider.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.552754335025239
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SpotifyWidgetProvider.exe
File size:	3'145'728 bytes
MD5:	96d69dea15c182edbbb8bd178e063959
SHA1:	392e8fe31010daf9ef6b648d0f3d67d43c4ef87d
SHA256:	fac4407a29441b55b19390114468ca109fa7eb081f14ec829fad386aa10b5263
SHA512:	e9d4712622652fa6ad9372f7f4196cbeafa142c4f52d962086a6771a19a069ab77d1840b153ce966388d8cc9f845c8b7951f3260de0af41202f0fa2334154232
SSDEEP:	49152:nRBbX0a5CPYnJOBI5Goh7RDrsPmQcSk6UJvugFO/6rQ5e0b8VTiXi+OKN84+M:nR3vjdxO/a2i+B
TLSH:	D9E56D9B62B801E9D0BBD178CA079D0BE7B678470262E74F13B446A72F676705F2E311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.4.X.g.X.g.X.gw&.g.X.g. .f.X.g. .f.X.g. .f.X.gw&.f.X.gw&.f.X.gw&.f.X.g. .f.X.g. }g.X.gLP.g.X.g.X.g.Y.g.'.f.X.g.'.f.Y.g.'.f.X.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400034b0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x520748C4 [Sun Aug 11 08:18:12 2013 UTC]
TLS Callbacks:	0x4009d3ac, 0x1, 0x40206798, 0x1, 0x4020d3d0, 0x1, 0x4020d4c0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0ae6e9eecef3e749a967f66f624c4d12

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5CD10ACE00h
dec eax
add esp, 28h
jmp 00007F5CD10ACA17h
int3
int3
dec eax
sub esp, 28h
call 00007F5CD10AD34Ch
test eax, eax
je 00007F5CD10ACBC3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F5CD10ACBA7h
dec eax
cmp ecx, eax
je 00007F5CD10ACBB6h
xor eax, eax
dec eax
cmpxchg dword ptr [008D9F58h], ecx
jne 00007F5CD10ACB90h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F5CD10ACB99h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [008D9F43h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [008D9F33h], al
call 00007F5CD10AD14Bh
call 00007F5CD10AD4F6h
test al, al
jne 00007F5CD10ACBA6h
xor al, al
jmp 00007F5CD10ACBB6h
call 00007F5CD10B57F5h
test al, al
jne 00007F5CD10ACBABh
xor ecx, ecx
call 00007F5CD10AD506h
jmp 00007F5CD10ACB8Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [008D9EF8h], 00000000h
mov ebx, ecx
jne 00007F5CD10ACC09h
cmp ecx, 01h
jnbe 00007F5CD10ACC0Ch
call 00007F5CD10AD2B2h
test eax, eax
je 00007F5CD10ACBCAh
test ebx, ebx
jne 00007F5CD10ACBC6h
dec eax
lea ecx, dword ptr [008D9EE2h]
call 00007F5CD10ACC12h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c98e8	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x621f0c	0x1eedc	.data
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8ffc00	0x2948	.pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x904000	0x4b88	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x299450	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x299500	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x299310	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x255000	0x8b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x253cd8	0x253e00	88f9330c99cb0873bee5a508126e20e0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x255000	0x76610	0x76800	7e546aa98ca42d59a404b7fd3a2b5968	False	0.4480794270833333	data	6.13787699067046	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2cc000	0x617f24	0x611600	ed0427cc297444b5cae30653ce395039	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x8e4000	0x1ed50	0x1ee00	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x903000	0x15c	0x200	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x904000	0x4b88	0x4c00	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsCreateStringReference
api-ms-win-core-winrt-l1-1-0.dll	RoGetActivationFactory, RoActivateInstance
dbghelp.dll	SymFromAddr
ADVAPI32.dll	LookupAccountNameW, CryptEnumProvidersA, CryptGenRandom, CryptReleaseContext, CryptAcquireContextA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, ConvertSidToStringSidW, GetCurrentHwProfileW
KERNEL32.dll	CompareStringEx, FreeLibraryAndExitThread, ExitThread, TrySubmitThreadpoolCallback, GetSystemTimePreciseAsFileTime, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, InterlockedPushEntrySList, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, RtlUnwind, GetStdHandle, WriteFile, GetModuleFileNameW, GetCurrentProcess, ExitProcess, TerminateProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, OutputDebugStringW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, ReadConsoleW, CreateFileW, CloseHandle, WriteConsoleW, DebugBreak, GetModuleFileNameA, FormatMessageW, AllocConsole, AttachConsole, GetCurrentConsoleFont, Sleep, LocalFree, FormatMessageA, GetVersionExW, GetComputerNameW, GetFileInformationByHandle, GetFileSize, LockFile, LockFileEx, SetEndOfFile, SetFilePointer, UnlockFile, GetOverlappedResult, SetEvent, ReleaseMutex, WaitForSingleObject, CreateMutexA, CreateEventW, CreateThread, OpenProcess, GetSystemInfo, GetVersion, VirtualAlloc, CreateFileMappingW, MapViewOfFileEx, UnmapViewOfFile, OpenMutexA, VerSetConditionMask, GetNativeSystemInfo, GetModuleHandleA, LoadLibraryA, LoadLibraryW, VerifyVersionInfoW, CreateDirectoryW, DeleteFileW, FindFirstFileW, GetFileAttributesW, GetFileAttributesExW, RemoveDirectoryW, GetTempPathA, GetLocalTime, MapViewOfFile, MoveFileW, GetSystemPowerStatus, AreFileApisANSI, GetDiskFreeSpaceExW, SetFileAttributesW, DeviceIoControl, CreateDirectoryExW, CreateSemaphoreA, ReleaseSemaphore, CreateEventA, WaitForSingleObjectEx, DuplicateHandle, PostQueuedCompletionStatus, WaitForMultipleObjects, QueueUserAPC, TerminateThread, CreateIoCompletionPort, GetQueuedCompletionStatus, ResetEvent, SleepEx, OpenEventA, SetWaitableTimer, OutputDebugStringA, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableSRW, GetLogicalProcessorInformation, QueryPerformanceFrequency, GetProcessTimes, WriteConsoleA, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, WaitForMultipleObjectsEx, CreateWaitableTimerW, ResumeThread, SetThreadDescription, LCMapStringEx, DecodePointer, InitializeCriticalSectionEx, GetTimeZoneInformation, SwitchToThread, GetLocaleInfoEx, CloseThreadpoolWork, SubmitThreadpoolWork, CreateThreadpoolWork, FreeLibraryWhenCallbackReturns, InitOnceComplete, InitOnceBeginInitialize, WakeAllConditionVariable, TryAcquireSRWLockExclusive, GetExitCodeThread, ReplaceFileW
USER32.dll	GetSystemMetrics, CreateWindowExA, RegisterClassExA, DispatchMessageW, TranslateMessage, DefWindowProcW, GetMessageW, PostQuitMessage
SHELL32.dll	ShellExecuteW
ole32.dll	CoRevokeClassObject, CoInitialize, CoCreateInstance, CoSetProxyBlanket, CoUninitialize, CoRegisterClassObject, CoResumeClassObjects, CoTaskMemFree, CoCreateFreeThreadedMarshaler, CoGetObjectContext, CoGetApartmentType, CoTaskMemAlloc, CoInitializeEx
OLEAUT32.dll	SysAllocString, SysFreeString, SysStringLen, GetErrorInfo, SetErrorInfo, VariantClear
WS2_32.dll	accept, freeaddrinfo, getaddrinfo, WSAStringToAddressW, WSAAddressToStringW, getpeername, WSAGetLastError, WSASetLastError, socket, htons, connect, ntohl, htonl, getsockname, closesocket, WSACleanup, WSAStartup, listen, bind, setsockopt, WSAWaitForMultipleEvents, WSASend, WSARecv, WSAEventSelect, WSAEnumNetworkEvents, shutdown
bcrypt.dll	BCryptGenRandom, BCryptOpenAlgorithmProvider, BCryptCloseAlgorithmProvider

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly