a11b126e05b0c616700b5bf66f227b8fcb93658cf12fe72222a017e40e1f3c3d

Resubmissions

03-03-2023 16:54

230303-vep7hsae47 10

03-03-2023 16:44

230303-t9a6eaaa21 10

Analysis

max time kernel
132s
max time network
128s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03-03-2023 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbittorrent.exe
Size

28.3MB
MD5

cb03a80bc17d2d81fd34aab4341e89eb
SHA1

baf0f8686769ae47ed411e8432028057974a1611
SHA256

8e6af6cbd3765b8d8c1dd553354a0d4ff9f7fc2eb293704845af7e66a9ccdb0a
SHA512

f2bc0fefab5c22b9732f506ad47b93108779859f2ba7615c8e0522622cd2587cdb711225d603804f75a28932389b2877ab2f886facbbe5871cd55dc20256bcbe
SSDEEP

393216:keHUAF/9iRC0o+9xU+q7WndIFdU5cqyRZUSfruM4Jsv6tWKFdu9CCoR1:keHUwy9y9Wn+FK5cbfrVor

Score

1^/10

Malware Config

Signatures

Modifies registry class 16 IoCs

Processes:

qbittorrent.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\.torrent\ = "qBittorrent"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\shell\	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\shell\open\command\	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\URL Protocol	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\DefaultIcon\	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\qbittorrent.exe\",1"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\ = "URL:Magnet link"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\Content Type = "application/x-magnet"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\shell	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\qbittorrent.exe\" \"%1\""	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\.torrent\	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\shell\ = "open"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\shell\open	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\magnet\shell\open\command	qbittorrent.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

qbittorrent.exe

pid process

4224 qbittorrent.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qbittorrent.exe

pid process

4224 qbittorrent.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

qbittorrent.exe

pid	process
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

qbittorrent.exe

pid	process
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe
4224	qbittorrent.exe

C:\Users\Admin\AppData\Local\Temp\qbittorrent.exe
"C:\Users\Admin\AppData\Local\Temp\qbittorrent.exe"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json
Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
memory/4224-116-0x00000242C0D80000-0x00000242C0D90000-memory.dmp

Filesize
64KB

Download