Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-02-2023 12:16
Static task
static1
Behavioral task
behavioral1
Sample
utorrent_installer.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
utorrent_installer.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
utorrent_installer.exe
-
Size
1.7MB
-
MD5
d9e40e69322f6a227a665097adb91e70
-
SHA1
4ebfa5d35cca579373626f0056ebb6e41223d291
-
SHA256
0365daacdcde2fb93b2d972a46490b9cc4ca6f76e13f7ab745acf9dbcb92c32f
-
SHA512
f1ca58bf1e4c41bddefcacf443a631bd60520de30e5d1ef70a9eeb869f06aeeb0e8fbc7c6be58bd3d3ab2ee6bd23f85f62cdfc5f12369317e53f06065fe3cbf7
-
SSDEEP
24576:o4nXubIQGyxbPV0db26sdar9f7Zymuz7lnAjEHLcfVLKswfsI:oqe3f679fVyh71SaLcfxOfsI
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4068 utorrent_installer.tmp -
Loads dropped DLL 2 IoCs
pid Process 4068 utorrent_installer.tmp 4068 utorrent_installer.tmp -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 70 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 72 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4224 taskmgr.exe Token: SeSystemProfilePrivilege 4224 taskmgr.exe Token: SeCreateGlobalPrivilege 4224 taskmgr.exe -
Suspicious use of FindShellTrayWindow 42 IoCs
pid Process 4068 utorrent_installer.tmp 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid Process 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5012 wrote to memory of 4068 5012 utorrent_installer.exe 81 PID 5012 wrote to memory of 4068 5012 utorrent_installer.exe 81 PID 5012 wrote to memory of 4068 5012 utorrent_installer.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe"C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\is-VB853.tmp\utorrent_installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-VB853.tmp\utorrent_installer.tmp" /SL5="$C003E,874637,815104,C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4068
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4224
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
3.0MB
MD59a777cdc480689793142d6f078d8f0b5
SHA1cb1e715b6bad3919d98124e9eb9e2c53036122dd
SHA256c06e4c58f103d4f57495aecfa67c43380031c77c83fa4a040c72c51700376df2
SHA512b03b71a2fa7adb65220e767460a2e8b0ffa030fba8d29a2f5b186d48a51c48fbd5c287d22a6ffa9e19cd629c6bcd6d4c9f6f06c02045c27ffff9ce12b5fcedcf
-
Filesize
3.0MB
MD59a777cdc480689793142d6f078d8f0b5
SHA1cb1e715b6bad3919d98124e9eb9e2c53036122dd
SHA256c06e4c58f103d4f57495aecfa67c43380031c77c83fa4a040c72c51700376df2
SHA512b03b71a2fa7adb65220e767460a2e8b0ffa030fba8d29a2f5b186d48a51c48fbd5c287d22a6ffa9e19cd629c6bcd6d4c9f6f06c02045c27ffff9ce12b5fcedcf