Analysis

max time kernel: 148s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 10/10/2022, 23:39

Behavioral task: behavioral1
Sample: 017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Resource: win7-20220812-en
General

Target: 017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Size: 657KB
MD5: 6a1304af0bdb3a90423021ea9b607f31
SHA1: b3a8fea4b7a35a5e2461f261e05148481aa19443
SHA256: 017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e
SHA512: 79e4e10172cf4f86ddfc340ff77dfdc7a51683b2d42dbbeee94ae2488d5b27f1149c3c846fb8bd71800eacd9c3f00280c269eba6c3e63e21948290d76a567576
SSDEEP: 12288:iARDO0MVcRoSK6wTx9/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeen:pDO0MWiTx9/eeeeeeeeeeeeeeeeeeee3
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service  2 TTPs  6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  BitTorrent.exe

UAC bypass  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  BitTorrent.exe

Windows security bypass  12 IoCs
Both the original sample and the dropped copy write the same six Security Center values, silencing the antivirus, firewall, UAC and update notifications and telling the Security Center that third-party products are in charge.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  BitTorrent.exe
Executes dropped EXE  1 IoCs
pid  Process
3996  BitTorrent.exe

UPX packed file  11 IoCs
The yara rule "upx" matches both the dropped files and the mapped image and heap regions of both processes.
resource  yara_rule
behavioral2/memory/1300-132-0x00000000023D0000-0x000000000345E000-memory.dmp  upx
behavioral2/memory/1300-133-0x0000000000400000-0x0000000000552000-memory.dmp  upx
behavioral2/files/0x0006000000022de7-135.dat  upx
behavioral2/files/0x0006000000022de7-137.dat  upx
behavioral2/memory/1300-138-0x0000000000400000-0x0000000000552000-memory.dmp  upx
behavioral2/memory/3996-139-0x0000000000400000-0x0000000000552000-memory.dmp  upx
behavioral2/memory/1300-140-0x00000000023D0000-0x000000000345E000-memory.dmp  upx
behavioral2/memory/3996-141-0x0000000005350000-0x00000000063DE000-memory.dmp  upx
behavioral2/memory/3996-143-0x0000000000400000-0x0000000000552000-memory.dmp  upx
behavioral2/memory/3996-144-0x0000000005350000-0x00000000063DE000-memory.dmp  upx
behavioral2/memory/3996-145-0x0000000005350000-0x00000000063DE000-memory.dmp  upx
Identifies Wine through registry keys  2 TTPs  2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment; checking for its registry keys is a sandbox-evasion test.
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Wine  BitTorrent.exe
Key opened  \REGISTRY\MACHINE\Software\WOW6432Node\Wine  BitTorrent.exe
Windows security modification  14 IoCs
The same twelve Security Center writes as under "Windows security bypass", plus creation of the Security Center\Svc key by each process.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  BitTorrent.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  BitTorrent.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  BitTorrent.exe
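The firewall-policy, EnableLUA and Security Center writes above are the values a responder would sweep other hosts' registry event logs for. The following Python is an added example and not part of this sandbox report: it parses IoC lines in the report's own `Set value (<type>) <key> = "<value>" <process>` layout and flags any process that turns off at least three distinct protections, so that a legitimate installer muting one notification does not trip it while this sample's firewall + UAC + Security Center combination does. The input lines are constructed here from a subset of the entries above plus two benign lines from a hypothetical `setup.exe`; the list of disabling values and the threshold are this example's assumptions.

```python
import re
from collections import defaultdict

# Registry values whose listed setting turns a Windows protection off.
# The path suffixes are taken from the signatures in this report; which
# of them count as "disabling" is this example's assumption.
DISABLING_VALUES = {
    r"FirewallPolicy\StandardProfile\EnableFirewall": "0",
    r"FirewallPolicy\StandardProfile\DoNotAllowExceptions": "0",
    r"FirewallPolicy\StandardProfile\DisableNotifications": "1",
    r"Policies\System\EnableLUA": "0",
    r"Security Center\AntiVirusOverride": "1",
    r"Security Center\AntiVirusDisableNotify": "1",
    r"Security Center\FirewallOverride": "1",
    r"Security Center\FirewallDisableNotify": "1",
    r"Security Center\UacDisableNotify": "1",
    r"Security Center\UpdatesDisableNotify": "1",
}

# The report's IoC layout: Set value (<type>) <key> = "<value>" <process>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?) = "(?P<val>[^"]*)" (?P<proc>\S+)$'
)

SAMPLE_EXE = "017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe"
FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
LUA = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
SC = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"

# Constructed input: a subset of this report's IoCs, two benign lines from a
# hypothetical installer (setup.exe), and one non-"Set value" line.
SAMPLE_EVENTS = [
    # the original sample: firewall off, UAC off, AV override
    f'Set value (int) {FW}\\EnableFirewall = "0" {SAMPLE_EXE}',
    f'Set value (int) {LUA} = "0" {SAMPLE_EXE}',
    f'Set value (int) {SC}\\AntiVirusOverride = "1" {SAMPLE_EXE}',
    # the dropped copy: the full firewall set, UAC off, firewall override
    f'Set value (int) {FW}\\EnableFirewall = "0" BitTorrent.exe',
    f'Set value (int) {FW}\\DoNotAllowExceptions = "0" BitTorrent.exe',
    f'Set value (int) {FW}\\DisableNotifications = "1" BitTorrent.exe',
    f'Set value (int) {LUA} = "0" BitTorrent.exe',
    f'Set value (int) {SC}\\FirewallOverride = "1" BitTorrent.exe',
    # benign noise: an installer re-enabling UAC and muting one notification
    f'Set value (int) {LUA} = "1" setup.exe',
    f'Set value (int) {SC}\\UpdatesDisableNotify = "1" setup.exe',
    # a different IoC type that the parser must skip
    f'Key created {SC}\\Svc BitTorrent.exe',
]


def parse_set_value(line):
    """Return the fields of one 'Set value' IoC line, or None for other lines."""
    m = SET_VALUE_RE.match(line.strip())
    return m.groupdict() if m else None


def disabled_control(key, value):
    """Name of the protection this write turns off, or None if it is harmless."""
    key_l = key.lower()
    for suffix, bad_value in DISABLING_VALUES.items():
        if key_l.endswith(suffix.lower()) and value == bad_value:
            return suffix
    return None


def flag_security_disablers(lines, min_controls=3):
    """Map process -> sorted list of protections it disabled, keeping only
    processes that hit at least min_controls distinct ones."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_set_value(line)
        if ev is None:
            continue
        control = disabled_control(ev["key"], ev["val"])
        if control is not None:
            hits[ev["proc"]].add(control)
    return {proc: sorted(controls) for proc, controls in hits.items()
            if len(controls) >= min_controls}


if __name__ == "__main__":
    for proc, controls in flag_security_disablers(SAMPLE_EVENTS).items():
        print(f"{proc}: disabled {len(controls)} controls -> {', '.join(controls)}")
```

Matching on the key's tail rather than the full path is deliberate: the same values live under `SOFTWARE\Microsoft\Security Center` on a 32-bit view and under `WOW6432Node` when written by a 32-bit process, as they are here, and the firewall policy can sit under `ControlSet001` or `CurrentControlSet`.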
Adds Run key to start application  2 TTPs  1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run  BitTorrent.exe
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  BitTorrent.exe
Enumerates connected drives  3 TTPs  24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\E:  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
File opened (read-only)  \??\F:  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
File opened (read-only)  \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every drive letter from E: to Z:, 22 IoCs)  BitTorrent.exe
Drops autorun.inf file  1 TTPs  1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description  ioc  Process
File opened for modification  C:\autorun.inf  BitTorrent.exe
Drops file in Program Files directory  13 IoCs
Only one of these is a new file, the copy of the sample written as BitTorrent.exe. The other twelve are existing third-party executables (7-Zip, Office Click-to-Run) that the dropped copy opens for write, which is how a PE file infector such as Sality spreads to binaries already on the host.
description  ioc  Process
File created  C:\Program Files (x86)\BitTorrent\BitTorrent.exe  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\7z.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\7zFM.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\7zG.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\Uninstall.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\ClearConfirm.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe  BitTorrent.exe
File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe  BitTorrent.exe
Drops file in Windows directory  1 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SYSTEM.INI  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drives. The sandbox's stock description calls this likely ransomware behaviour; for this sample it lines up with the drive-letter sweep and the autorun.inf drop above, i.e. spreading via attached volumes rather than encrypting them.
Modifies registry class  17 IoCs
All seventeen keys are written by the original sample and register the dropped copy as the handler for .torrent files, so that opening a torrent file relaunches it.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.torrent  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.torrent\OpenWithProgids  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\BitTorrent.exe  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\BitTorrent.exe\shell  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\BitTorrent.exe\shell\open  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\BitTorrent.exe\shell\open\command  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\BitTorrent  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\BitTorrent\shell  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\BitTorrent\shell\open  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\BitTorrent\shell\open\command  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.torrent\ = "BitTorrent"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.torrent\OpenWithProgids\BitTorrent  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\BitTorrent.exe\shell\ = "open"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\BitTorrent.exe\shell\open\command\ = "\"C:\\Program Files (x86)\\BitTorrent\\BitTorrent.exe\" \"%1\""  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\BitTorrent\shell\ = "open"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\BitTorrent\shell\open\command\ = "\"C:\\Program Files (x86)\\BitTorrent\\BitTorrent.exe\" \"%1\""  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Suspicious behavior: EnumeratesProcesses  28 IoCs
pid  Process
1300  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe  (2 entries)
3996  BitTorrent.exe  (26 entries)

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
pid  Process
3996  BitTorrent.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs
description  pid  Process
Token: SeDebugPrivilege  1300  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe  (64 identical entries; the original sample enables SeDebugPrivilege repeatedly, once per process it is about to write into)
Suspicious use of FindShellTrayWindow  1 IoCs
pid  Process
3996  BitTorrent.exe

Suspicious use of SendNotifyMessage  1 IoCs
pid  Process
3996  BitTorrent.exe

Suspicious use of SetWindowsHookEx  2 IoCs
pid  Process
1300  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
3996  BitTorrent.exe
Suspicious use of WriteProcessMemory  64 IoCs
Both the original sample and its dropped copy write into every other process in the user's session, not just into the children they spawn. Target image names below are resolved from the process tree further down; the number in parentheses is the report's procid_target index.

Writer PID 1300 (017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe), one write into each of 17 unrelated processes:
772 fontdrvhost.exe (2), 780 fontdrvhost.exe (78), 1020 dwm.exe (3), 2340 sihost.exe (7), 2356 svchost.exe CDPUserSvc (48), 2496 taskhostw.exe (47), 2940 Explorer.EXE (37), 760 svchost.exe cbdhsvc (36), 3244 DllHost.exe (35), 3332 StartMenuExperienceHost.exe (34), 3396 RuntimeBroker.exe (8), 3496 SearchApp.exe (33), 3616 RuntimeBroker.exe (32), 4692 RuntimeBroker.exe (29), 740 backgroundTaskHost.exe (20), 2588 RuntimeBroker.exe (16), 1524 backgroundTaskHost.exe (10)

Writer PID 1300, three writes each into its own children (the normal pattern when a parent creates a process):
3996 BitTorrent.exe (85), 3760 cmd.exe (86)

Writer PID 3996 (BitTorrent.exe), the same sweep over 16 unrelated processes:
772 fontdrvhost.exe (2), 780 fontdrvhost.exe (78), 1020 dwm.exe (3), 2340 sihost.exe (7), 2356 svchost.exe CDPUserSvc (48), 2496 taskhostw.exe (47), 2940 Explorer.EXE (37), 760 svchost.exe cbdhsvc (36), 3244 DllHost.exe (35), 3332 StartMenuExperienceHost.exe (34), 3396 RuntimeBroker.exe (8), 3496 SearchApp.exe (33), 3616 RuntimeBroker.exe (32), 4692 RuntimeBroker.exe (29), 740 backgroundTaskHost.exe (20), 2588 RuntimeBroker.exe (16)
This sweep is listed twice in full, then a third pass through 772, 780, 1020, 2340, 2356, 2496, 2940, 760 and 3244 before the listing stops at 64 entries (17 + 6 + 16 + 16 + 9).
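The fan-out above, one writer touching every process in the session, is the signal to key on, because a parent writing into the child it has just created looks the same on a single event. The following Python is an added example and not part of this report: it parses lines in the report's own `PID <src> wrote to memory of <dst> <src> <image> <index>` layout, separates writes into the writer's own children from writes into unrelated processes, and flags a writer once it has hit a threshold of distinct foreign targets. The PID-to-image table and the parent/child relationships are copied from the process tree on this page; the event lines are a constructed subset of the entries above plus a benign hypothetical installer (`setup.exe`, PID 5000) that writes only into its own child; the threshold is an assumption.

```python
import re
from collections import defaultdict

# PID -> image name, copied from the process tree in this report.
PROCESS_TABLE = {
    772: "fontdrvhost.exe", 780: "fontdrvhost.exe", 1020: "dwm.exe",
    2340: "sihost.exe", 2356: "svchost.exe", 2496: "taskhostw.exe",
    2940: "Explorer.EXE", 760: "svchost.exe", 3244: "DllHost.exe",
    3332: "StartMenuExperienceHost.exe", 3396: "RuntimeBroker.exe",
    3496: "SearchApp.exe", 3616: "RuntimeBroker.exe", 4692: "RuntimeBroker.exe",
    740: "backgroundTaskHost.exe", 2588: "RuntimeBroker.exe",
    1524: "backgroundTaskHost.exe", 3996: "BitTorrent.exe", 3760: "cmd.exe",
    1300: "017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe",
}

# Parent -> children, from the same tree, plus the constructed installer.
CHILDREN = {1300: {3996, 3760}, 5000: {5001}}

# Report layout: PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ \S+ \d+$")

SAMPLE_EXE = PROCESS_TABLE[1300]

# Constructed input: a subset of this report's WriteProcessMemory IoCs and a
# benign hypothetical setup.exe (PID 5000) writing only into its child 5001.
SAMPLE_WRITES = (
    [f"PID 1300 wrote to memory of {dst} 1300 {SAMPLE_EXE} {idx}"
     for dst, idx in [(772, 2), (1020, 3), (2940, 37), (3396, 8)]]
    + [f"PID 1300 wrote to memory of 3996 1300 {SAMPLE_EXE} 85"] * 3
    + [f"PID 1300 wrote to memory of 3760 1300 {SAMPLE_EXE} 86"] * 3
    + [f"PID 3996 wrote to memory of {dst} 3996 BitTorrent.exe {idx}"
       for dst, idx in [(772, 2), (780, 78), (2940, 37), (760, 36), (3244, 35)]]
    + ["PID 5000 wrote to memory of 5001 5000 setup.exe 90"] * 3
)


def parse_write(line):
    """Return (writer pid, target pid) for one IoC line, or None for other lines."""
    m = WRITE_RE.match(line.strip())
    return (int(m["src"]), int(m["dst"])) if m else None


def summarize_writes(lines, children):
    """Per writer: the set of foreign target pids (not its own children) and
    the count of writes into its children, which is what CreateProcess
    followed by normal loader activity looks like."""
    foreign = defaultdict(set)
    child_writes = defaultdict(int)
    for line in lines:
        ev = parse_write(line)
        if ev is None:
            continue
        src, dst = ev
        if dst in children.get(src, ()):
            child_writes[src] += 1
        else:
            foreign[src].add(dst)
    return foreign, child_writes


def flag_injectors(lines, children, min_targets=4):
    """Writers with at least min_targets distinct foreign targets, with the
    target images resolved so an analyst can see what was hit."""
    foreign, child_writes = summarize_writes(lines, children)
    flagged = {}
    for src, targets in foreign.items():
        if len(targets) >= min_targets:
            flagged[src] = {
                "writer": PROCESS_TABLE.get(src, str(src)),
                "foreign": sorted(PROCESS_TABLE.get(d, str(d)) for d in targets),
                "child_writes": child_writes.get(src, 0),
            }
    return flagged


if __name__ == "__main__":
    for pid, info in flag_injectors(SAMPLE_WRITES, CHILDREN).items():
        print(f"PID {pid} {info['writer']}: {len(info['foreign'])} foreign targets "
              f"({', '.join(info['foreign'])}); {info['child_writes']} child writes")
```

On a live host the same split works on Sysmon Event ID 8/10 (CreateRemoteThread, ProcessAccess with write rights) once the parent/child map is built from Event ID 1; the point of keeping child writes as a separate count rather than discarding them is that a writer with both many foreign targets and a freshly spawned child, as here, is the dropper-plus-injector shape.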
System policy modification  1 TTPs  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  BitTorrent.exe
Processes

Each entry gives the image path, then the command line; indentation shows parent/child nesting. The sample runs under Explorer.EXE, spawns its dropped copy from Program Files (x86) and then a cmd.exe that deletes the original file from Temp.

PID 772   C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
PID 1020  C:\Windows\system32\dwm.exe
          "dwm.exe"
PID 2340  C:\Windows\system32\sihost.exe
          sihost.exe
PID 3396  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1524  C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 2588  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 740   C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
PID 4692  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3616  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3496  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3332  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3244  C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 760   C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 2940  C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
  PID 1300  C:\Users\Admin\AppData\Local\Temp\017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe
            "C:\Users\Admin\AppData\Local\Temp\017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e.exe"
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
    PID 3996  C:\Program Files (x86)\BitTorrent\BitTorrent.exe
              BitTorrent.exe /NOINSTALL /BRINGTOFRONT
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Windows security modification
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops autorun.inf file
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - System policy modification
    PID 3760  C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\017AE8~1.EXE > nul
PID 2496  C:\Windows\system32\taskhostw.exe
          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 2356  C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 780   C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
Downloads

File 1
Filesize: 657KB
MD5: 6a1304af0bdb3a90423021ea9b607f31
SHA1: b3a8fea4b7a35a5e2461f261e05148481aa19443
SHA256: 017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e
SHA512: 79e4e10172cf4f86ddfc340ff77dfdc7a51683b2d42dbbeee94ae2488d5b27f1149c3c846fb8bd71800eacd9c3f00280c269eba6c3e63e21948290d76a567576

File 2 (same size and hashes as File 1 and as the submitted sample)
Filesize: 657KB
MD5: 6a1304af0bdb3a90423021ea9b607f31
SHA1: b3a8fea4b7a35a5e2461f261e05148481aa19443
SHA256: 017ae8666f5f4cfd7ee853a2e506f9607a11c4e99481f1c2f8b8ee974ef5a13e
SHA512: 79e4e10172cf4f86ddfc340ff77dfdc7a51683b2d42dbbeee94ae2488d5b27f1149c3c846fb8bd71800eacd9c3f00280c269eba6c3e63e21948290d76a567576

File 3
Filesize: 257B
MD5: 0cf8578e7b74337a28f02f6e85754e98
SHA1: 6d5f276fad2f084441b035110d8672a58588dcaa
SHA256: 3cfded45b4d5c105b79934b3697e8f87d6c6536d48078c97dcb2da752259ab3a
SHA512: d4253f5876de83bc3f3b77942d70ec9c469c26330220808557527a4c399786a3ee48d2fb578d3d65aeb8fb2d3de6acf950142e8ae3a32d3e4683e13825e9188d