866a8fb02c387b7160d43fb72cc5cfbc5acbb0df825be2f359727bafedc56d3a

Analysis

max time kernel
119s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uTorrent.exe
Size

2.7MB
MD5

31b6c42ac6e43b3774315e7b405ce23b
SHA1

ad99c0ecaaff5b9f6be8a12689b03cee97864292
SHA256

866a8fb02c387b7160d43fb72cc5cfbc5acbb0df825be2f359727bafedc56d3a
SHA512

cc0decb68a781f5650ccbb8a95d2dd7861129b33dc8a6669f4a77c2a9d7b1464bfb9515c56b98c7179a50b43b16cc91713c79c74f84d1779d97cc2824a983dd4
SSDEEP

49152:oG5Ufg9vNl50b2t0KjlhuruchD0iLq3kY7AsollvFaBcY3BRGBZ3P2+AEsEN09:oG5Qg9vn5eR3D0iO3r7AsolXaBr3vAZc

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
2128	installer.exe
2524	GenericSetup.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	uTorrent.exe
2128	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	GenericSetup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	GenericSetup.exe
2524	GenericSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	GenericSetup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2128	2804	uTorrent.exe	28
PID 2804 wrote to memory of 2128	2804	uTorrent.exe	28
PID 2804 wrote to memory of 2128	2804	uTorrent.exe	28
PID 2804 wrote to memory of 2128	2804	uTorrent.exe	28
PID 2804 wrote to memory of 2128	2804	uTorrent.exe	28
PID 2804 wrote to memory of 2128	2804	uTorrent.exe	28
PID 2804 wrote to memory of 2128	2804	uTorrent.exe	28
PID 2128 wrote to memory of 2524	2128	installer.exe	29
PID 2128 wrote to memory of 2524	2128	installer.exe	29
PID 2128 wrote to memory of 2524	2128	installer.exe	29
PID 2128 wrote to memory of 2524	2128	installer.exe	29

C:\Users\Admin\AppData\Local\Temp\uTorrent.exe
"C:\Users\Admin\AppData\Local\Temp\uTorrent.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\installer.exe
  .\installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\GenericSetup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\GenericSetup.exe
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\BundleConfig.xml

Filesize
78KB

MD5
f60bff7133d9c6c895e3cf45937caea3

SHA1
3c91c9b8980e641d5c874eda0efa3d1d5f3003e3

SHA256
26d8eae8470e4e4b02a8a7a4d1e13ba27a9b8fb739a113fe763eda61fc44a102

SHA512
daa0e7ed662b931c836ca861b4311f547055cf0495936c410ce93d8136e4defcfcb078932ca1c0da2a3b0b758f50ca3cf12d814d2ce89a4b19fe54c452275557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\DevLib.dll

Filesize
291KB

MD5
07aa211ce6e5c1169ad9c451a99934a9

SHA1
c79646ec41544b779dea9b2cc741774551bd1a58

SHA256
6ef65465a2afbefd8e45fcea27734f63e142f2db32909b1aaa6c918925d154e6

SHA512
4664babf77fabd08a30c5f985b63880486ea8c096d8602a302a4580ab9928bcce9ca947a25a7e74c8cddcb486786257de821547dabe31e971b0a66755c4cd7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\GenericSetup.exe.config

Filesize
1KB

MD5
2b3e7574b3daa725c93d5639945b2dd4

SHA1
528cce0fe1441512450af50b51f6da50b1e4f47e

SHA256
b95626271a6815b38ede37ea8e2e9ae130ca16a51d14dc6f2349e36b010d44c6

SHA512
22ca92112d718a979e68820cb8088139adf82fc159dbf408bb8920dfe33cddeca1f7cea5c3d3a29ec68fe03d7497bfa9c818090e0645e75a89e8c2846fd4e28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\GenericSetup.exe.config

Filesize
1KB

MD5
299356e70be8a0089f2504f6b373341b

SHA1
0b3d014c61ec82f53d3cfc9850985db090b46ca4

SHA256
3582753c8396f72df0c70e09d94d23f95be87b2a0ee8c032cd89295d2ca89209

SHA512
f6804786da9d8d1ebd63eab9fa4aa863b59e5b9a5fa954e8a3db260dd2bbf558f797ba6f7f6ccf52aee7f94aca9b7ca9d47f67591e90b0dd18525cbc3527111b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\WizardPages.dll

Filesize
56KB

MD5
b945ea4ebab4169a82a199e8cebaa21e

SHA1
d71c00cf5f286a45fd2c7099904fbfd27755ef7b

SHA256
bf80c8b5d0d6ca7f277719ce797c6d09db990a31e6f3c9a7956763f193a7b8c2

SHA512
fdd3893e99709cbfe898eb1fb6858a6638f8c6817883efaf7f8aaac34146f310e54838fc317f6a3aa69b10d48613fbadff298bd3f120485c5a540ef56a25c995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\uTorrent.dll

Filesize
17KB

MD5
0ef592926ca8f79988d8c7df695b0d7e

SHA1
185562111ba45520eecd6e8559fc1d2fb402bec2

SHA256
e3a1dca99b96d7d6bd1391bd20fb450a8ba750adda029865fdf4739c04c5d18a

SHA512
3520e1a426153a07da03f8c1176b932ce0a9afa3a733ab78b27ffef7224545b8cf1c448c974cbe4afbf44d2fa953f3b60b7370b9c140a1d99cee425cda531db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA1EA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA406.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\GenericSetup.exe

Filesize
68KB

MD5
db7f20eeb9e86758922997138deb9e8e

SHA1
86054cdbddd68d0958d821198f399f11ba0b9502

SHA256
7d173a0091162c2b28cb288c1b71fc732c70f18ab8380324f023f81bf9f2421b

SHA512
6a4516e0166418620897e744267931205e11552637c2e76291bda82608ae099cdacd658d6c48c8180f4e552be11bd50ef48a140614ed1a4bb825fd75f191f441

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4FAF3C56\installer.exe

Filesize
1.4MB

MD5
531687aed093d23b9213b16b5216ef46

SHA1
4e81eab76eda4daedf709d3191cd9c040758ceaa

SHA256
c12eb9e06d40499dfcf6e1343895c04295f461823bf9c20c4147f994a1e67108

SHA512
fdf8cf42bfac7739679a40ab3790093489c20c004531bc508ea50715d3b938907ccc34c88dfefce4cb51db6f7e88bfe70afe1ae8a03b7b0798835515e27519eb

Download Submit
memory/2524-41-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-42-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/2524-52-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/2524-50-0x00000000004E0000-0x00000000004F4000-memory.dmp

Filesize
80KB

Download
memory/2524-54-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/2524-55-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/2524-51-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/2524-40-0x0000000000430000-0x000000000047E000-memory.dmp

Filesize
312KB

Download
memory/2524-38-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/2524-115-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-116-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/2524-117-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/2524-118-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download