0bb4adf992267f14d272bb10743030952057ba5429013b1f6559788498c901d0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wobbly Life_j-nIYL1.exe
Size

13.8MB
MD5

42b0828a300ff9641620a1ab43cb9547
SHA1

aea4f6eefcc2aca7f04220daf688565f66b4c212
SHA256

0bb4adf992267f14d272bb10743030952057ba5429013b1f6559788498c901d0
SHA512

60341d9363a09636b1ccf19ff4ee20bc361c41488bba108ff546b8393aad2652988923d16e958ac889a13265a10f7ffce74b311acbc5986ac1d75c6cb3efa7d5
SSDEEP

196608:4j6kU9NYlObEk0Lp2dd/kZzkmxgy9NSW7I7GIXSpINbhiTGIwTh3kC3uDEN9TrSi:yLSN30LpEiSCC9XSpIFwah3RuINhkUP

Score

6^/10

evasion

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\AVG\AV\Dir	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Avira\Browser\Installed	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\AVAST Software\Avast	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	Wobbly Life_j-nIYL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	Wobbly Life_j-nIYL1.tmp

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2480	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
1548	Wobbly Life_j-nIYL1.tmp
2756	qbittorrent.exe

Loads dropped DLL 4 IoCs

pid	Process
2932	Wobbly Life_j-nIYL1.exe
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Wobbly Life_j-nIYL1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	Wobbly Life_j-nIYL1.tmp

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Wobbly Life_j-nIYL1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Wobbly Life_j-nIYL1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Wobbly Life_j-nIYL1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Wobbly Life_j-nIYL1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Wobbly Life_j-nIYL1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Wobbly Life_j-nIYL1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Wobbly Life_j-nIYL1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Wobbly Life_j-nIYL1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2756	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp
1548	Wobbly Life_j-nIYL1.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1548	Wobbly Life_j-nIYL1.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	qbittorrent.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1548	2932	Wobbly Life_j-nIYL1.exe	28
PID 2932 wrote to memory of 1548	2932	Wobbly Life_j-nIYL1.exe	28
PID 2932 wrote to memory of 1548	2932	Wobbly Life_j-nIYL1.exe	28
PID 2932 wrote to memory of 1548	2932	Wobbly Life_j-nIYL1.exe	28
PID 2932 wrote to memory of 1548	2932	Wobbly Life_j-nIYL1.exe	28
PID 2932 wrote to memory of 1548	2932	Wobbly Life_j-nIYL1.exe	28
PID 2932 wrote to memory of 1548	2932	Wobbly Life_j-nIYL1.exe	28
PID 1548 wrote to memory of 2480	1548	Wobbly Life_j-nIYL1.tmp	29
PID 1548 wrote to memory of 2480	1548	Wobbly Life_j-nIYL1.tmp	29
PID 1548 wrote to memory of 2480	1548	Wobbly Life_j-nIYL1.tmp	29
PID 1548 wrote to memory of 2480	1548	Wobbly Life_j-nIYL1.tmp	29
PID 1548 wrote to memory of 2756	1548	Wobbly Life_j-nIYL1.tmp	31
PID 1548 wrote to memory of 2756	1548	Wobbly Life_j-nIYL1.tmp	31
PID 1548 wrote to memory of 2756	1548	Wobbly Life_j-nIYL1.tmp	31
PID 1548 wrote to memory of 2756	1548	Wobbly Life_j-nIYL1.tmp	31

C:\Users\Admin\AppData\Local\Temp\Wobbly Life_j-nIYL1.exe
"C:\Users\Admin\AppData\Local\Temp\Wobbly Life_j-nIYL1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\is-DP1MT.tmp\Wobbly Life_j-nIYL1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DP1MT.tmp\Wobbly Life_j-nIYL1.tmp" /SL5="$4014E,13603942,780800,C:\Users\Admin\AppData\Local\Temp\Wobbly Life_j-nIYL1.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\qbittorrent.exe "qBittorrent" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\qbittorrent.exe
    "C:\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\qbittorrent.exe" magnet:?xt=urn:btih:C161A3F09512F309A643A3E4232595D7AFE490D6
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2756

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73153c559cae78d0151c29181979f430

SHA1
e9e3f998f50e3b0378dfdb47fcf6eda7410a2179

SHA256
88b229ac63fa091c8ef3cdbb917284a62b00fb56b7c8453e18c92ae70af53288

SHA512
d5e35a1a0e153651b9cb05ed08f7d1401fa4c9071056c645cbb93dce80e97b994b0edb6f19b931ed97d5ef032f74983016ecf4965c89ba5ca0ff3af80d1888d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab345B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar346E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\AVG_AV.png

Filesize
114KB

MD5
5ef5291810c454a35f76d976105f37cc

SHA1
8ce0cc65ae1786cef1c545d40d081eda13239fa6

SHA256
03e69e8c87732c625df2f628ac63bd145268f9dea9c5f3dd3670b1cf349a995c

SHA512
3bec461bb3cbbbdb3c05171fcc5ab7e648b2b60d7b811261662f14d35c3836148b14cda1a3f2be127c89cc732de8cf1644d2e55e049eeeb2da8e397c58cc919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\finish.png

Filesize
2KB

MD5
7afaf9e0e99fd80fa1023a77524f5587

SHA1
e20c9c27691810b388c73d2ca3e67e109c2b69b6

SHA256
760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0

SHA512
a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\qbittorrent.exe

Filesize
640KB

MD5
5d9646e75a62c2b0fea2bf5c4113e249

SHA1
81e15b2b376a79503ca9ca77cb62aeefd1742b4d

SHA256
89e7d9525da18cb25d66bba31e54111abf4b9cef0c319c055806008e28b76b8b

SHA512
5e3fa9ec4d809ec0b73e813743c8dcf80f77b885001d3cb2012440d8563c0eb7d17542a68b3ee8191b9617938aa556a4f22f809980eded3fc724a653094978f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\qbittorrent.exe

Filesize
15.2MB

MD5
13f2b6743e364d2caab4d0c0eea1e070

SHA1
a2abbbc277feca525e28029892e604bbdbeb4fde

SHA256
b25b7d6a22972f7da8e378107d9b7790efec0c53c5a983124ba00641f1bcf406

SHA512
c75ee96c86c67f6f300edd8aada2346feebbe98228e7003c371f2a6089f0d8b3a1a994cf5633880ef302cfa7de7dd72e5466dd123804dd9b56f650c05f2ea358

Download Submit
\Users\Admin\AppData\Local\Temp\is-DP1MT.tmp\Wobbly Life_j-nIYL1.tmp

Filesize
2.9MB

MD5
392188858aab78d544835de0fe665a04

SHA1
e2c06e4d926bbecee75887c83b5a9e732b0103b8

SHA256
eaa483432e2cae37fcf1350c160b848948f8e512ed085fab67d901bfcd8d5d07

SHA512
0d0d1d1196d705af2a755d054372b45e8540edeb201d2b9ac2d48a08240399314130f3e78e7e962ce708d3da90ed933fa848023f7db9ecaf7fc6ec7979cb05a5

Download Submit
\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\qbittorrent.exe

Filesize
576KB

MD5
12b8ef025e88e7e6b077656f826b3a6e

SHA1
e36328ea1d8fca09fa0bf456656166cdb852a497

SHA256
7888bb17710ccb0afff62e51301553cfe9788f9016a9fb9e66ed47b2a4c54e4c

SHA512
2854359596eb65c6546d1781002ed90406755ac60223d3a77b1f2bd6bc22062e7c8f5b3e75b2a9bde82919dbc402d3d6e33a9ae1d1757fe689729fdcb68b920b

Download Submit
\Users\Admin\AppData\Local\Temp\is-JKM07.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
c79e3df659cdee033a447a8f372760ce

SHA1
f402273e29a6fa39572163e4595e72bde3d9330a

SHA256
7d09715c4e0735a0832bf81d92d84600df1815a2ba451586bd25eb16f7c450a5

SHA512
490cc30ccfac209f1f5332ce4168b0dc849d7e4d86f3c198ddd23b39ddc950001928a1e071c2ace74c4710508265c0872adb02e3f068e521d28ed8b19ea36492

Download Submit
memory/1548-154-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1548-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1548-152-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1548-153-0x0000000007870000-0x000000000787F000-memory.dmp

Filesize
60KB

Download
memory/1548-141-0x0000000007870000-0x000000000787F000-memory.dmp

Filesize
60KB

Download
memory/1548-138-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1548-173-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2756-159-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/2756-161-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2756-162-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2756-177-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2932-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2932-137-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2932-175-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download