Analysis
max time kernel: 117s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2023 04:05
Behavioral task behavioral1
Sample: qBittorrent/qbittorrent.exe
Resource: win7-20230220-en

Behavioral task behavioral2
Sample: qBittorrent/qbittorrent.exe
Resource: win10v2004-20230220-en

Behavioral task behavioral3
Sample: qBittorrent/uninst.exe
Resource: win7-20230220-en

Behavioral task behavioral4
Sample: qBittorrent/uninst.exe
Resource: win10v2004-20230220-en
General
Target: qBittorrent/uninst.exe
Size: 140KB
MD5: cc33af4952b4b2189e34ed18e0d6c70d
SHA1: 5a745a04f6ca237bf64e37f0ccb788d0062cfc5d
SHA256: cef58c3d26735d7bf7d1ce25298b2aaa18fc65364b3d3105d34cec7bd1d7c6f3
SHA512: 3cfaf859b66f027be8fd8b83a481fde384ee66a94dbfd091b0d40a0e5ddfc8073b4ada88c62ba656c410fbada51b29669d77383209cdca7894b7f1364c5c172a
SSDEEP: 3072:gfY/TU9fE9PEturceAcnb7JmXArwBkFAfR7AaB2lo9aGsxU:2Ya6lmcvJ5rTE7AQaGsxU
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  2004 | Un_A.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  1100 | uninst.exe
  2004 | Un_A.exe
  2004 | Un_A.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  2004 | Un_A.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 1100 wrote to memory of 2004 | 1100 | uninst.exe | Un_A.exe
  PID 1100 wrote to memory of 2004 | 1100 | uninst.exe | Un_A.exe
  PID 1100 wrote to memory of 2004 | 1100 | uninst.exe | Un_A.exe
  PID 1100 wrote to memory of 2004 | 1100 | uninst.exe | Un_A.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\qBittorrent\uninst.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\qBittorrent\uninst.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\qBittorrent\
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  Filesize: 140KB
  MD5: cc33af4952b4b2189e34ed18e0d6c70d
  SHA1: 5a745a04f6ca237bf64e37f0ccb788d0062cfc5d
  SHA256: cef58c3d26735d7bf7d1ce25298b2aaa18fc65364b3d3105d34cec7bd1d7c6f3
  SHA512: 3cfaf859b66f027be8fd8b83a481fde384ee66a94dbfd091b0d40a0e5ddfc8073b4ada88c62ba656c410fbada51b29669d77383209cdca7894b7f1364c5c172a
- \Users\Admin\AppData\Local\Temp\nsd24A3.tmp\LangDLL.dll
  Filesize: 5KB
  MD5: 68b287f4067ba013e34a1339afdb1ea8
  SHA1: 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
  SHA256: 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
  SHA512: 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb
- \Users\Admin\AppData\Local\Temp\nsd24A3.tmp\UAC.dll
  Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  Filesize: 140KB
  MD5: cc33af4952b4b2189e34ed18e0d6c70d
  SHA1: 5a745a04f6ca237bf64e37f0ccb788d0062cfc5d
  SHA256: cef58c3d26735d7bf7d1ce25298b2aaa18fc65364b3d3105d34cec7bd1d7c6f3
  SHA512: 3cfaf859b66f027be8fd8b83a481fde384ee66a94dbfd091b0d40a0e5ddfc8073b4ada88c62ba656c410fbada51b29669d77383209cdca7894b7f1364c5c172a