8ab5c1ec0b309e33dd2928488d6b2f24b95d60f5d2f40d5783cd8c3cfe804213

Analysis

max time kernel
134s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qBittorrent/uninst.exe
Size

140KB
MD5

cc33af4952b4b2189e34ed18e0d6c70d
SHA1

5a745a04f6ca237bf64e37f0ccb788d0062cfc5d
SHA256

cef58c3d26735d7bf7d1ce25298b2aaa18fc65364b3d3105d34cec7bd1d7c6f3
SHA512

3cfaf859b66f027be8fd8b83a481fde384ee66a94dbfd091b0d40a0e5ddfc8073b4ada88c62ba656c410fbada51b29669d77383209cdca7894b7f1364c5c172a
SSDEEP

3072:gfY/TU9fE9PEturceAcnb7JmXArwBkFAfR7AaB2lo9aGsxU:2Ya6lmcvJ5rTE7AQaGsxU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Un_A.exe

pid process

372 Un_A.exe
Loads dropped DLL 2 IoCs

Processes:

Un_A.exe

pid process

372 Un_A.exe
372 Un_A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
372	Un_A.exe

pid	process
372	Un_A.exe
372	Un_A.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

uninst.exe

description	pid	process	target process
PID 4816 wrote to memory of 372	4816	uninst.exe	Un_A.exe
PID 4816 wrote to memory of 372	4816	uninst.exe	Un_A.exe
PID 4816 wrote to memory of 372	4816	uninst.exe	Un_A.exe

C:\Users\Admin\AppData\Local\Temp\qBittorrent\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\qBittorrent\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\qBittorrent\
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsw991A.tmp\LangDLL.dll
Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw991A.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Filesize
140KB

MD5
cc33af4952b4b2189e34ed18e0d6c70d

SHA1
5a745a04f6ca237bf64e37f0ccb788d0062cfc5d

SHA256
cef58c3d26735d7bf7d1ce25298b2aaa18fc65364b3d3105d34cec7bd1d7c6f3

SHA512
3cfaf859b66f027be8fd8b83a481fde384ee66a94dbfd091b0d40a0e5ddfc8073b4ada88c62ba656c410fbada51b29669d77383209cdca7894b7f1364c5c172a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Filesize
140KB

MD5
cc33af4952b4b2189e34ed18e0d6c70d

SHA1
5a745a04f6ca237bf64e37f0ccb788d0062cfc5d

SHA256
cef58c3d26735d7bf7d1ce25298b2aaa18fc65364b3d3105d34cec7bd1d7c6f3

SHA512
3cfaf859b66f027be8fd8b83a481fde384ee66a94dbfd091b0d40a0e5ddfc8073b4ada88c62ba656c410fbada51b29669d77383209cdca7894b7f1364c5c172a

Download Submit