General

  • Target

    uTorrent.exe

  • Size

    3.2MB

  • Sample

    210727-qntdjzdjpj

  • MD5

    0f07ba2b4d0fa0ccbc028c44157e04d5

  • SHA1

    d5955adb7807db88d55525e9d87bbd606f8555b8

  • SHA256

    6dc89df370e5425a0197173ee7aefef430a1e79fbe9008a572a66ee1199c00f4

  • SHA512

    9c3dee458da4a04c6c43ca7a05482ae56a7ae992d415fff7f0765c393dc36483ddd43a8b2b2c660ea0cb7a78c55c8b53040983bd935b677b04e1f5655c98caa4

Malware Config

Targets

    • Target

      uTorrent.exe

    • Size

      3.2MB

    • MD5

      0f07ba2b4d0fa0ccbc028c44157e04d5

    • SHA1

      d5955adb7807db88d55525e9d87bbd606f8555b8

    • SHA256

      6dc89df370e5425a0197173ee7aefef430a1e79fbe9008a572a66ee1199c00f4

    • SHA512

      9c3dee458da4a04c6c43ca7a05482ae56a7ae992d415fff7f0765c393dc36483ddd43a8b2b2c660ea0cb7a78c55c8b53040983bd935b677b04e1f5655c98caa4

    • Registers COM server for autorun

    • suricata: ET MALWARE AntiVirus exe Download Likely FakeAV Install

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

3
T1060

New Service

1
T1050

Bootkit

1
T1067

Privilege Escalation

New Service

1
T1050

Defense Evasion

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

1
T1497

Disabling Security Tools

1
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

Security Software Discovery

1
T1063

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Tasks