866a8fb02c387b7160d43fb72cc5cfbc5acbb0df825be2f359727bafedc56d3a

General

Target

uTorrent.exe
Size

2.7MB
MD5

31b6c42ac6e43b3774315e7b405ce23b
SHA1

ad99c0ecaaff5b9f6be8a12689b03cee97864292
SHA256

866a8fb02c387b7160d43fb72cc5cfbc5acbb0df825be2f359727bafedc56d3a
SHA512

cc0decb68a781f5650ccbb8a95d2dd7861129b33dc8a6669f4a77c2a9d7b1464bfb9515c56b98c7179a50b43b16cc91713c79c74f84d1779d97cc2824a983dd4
SSDEEP

49152:oG5Ufg9vNl50b2t0KjlhuruchD0iLq3kY7AsollvFaBcY3BRGBZ3P2+AEsEN09:oG5Qg9vn5eR3D0iO3r7AsolXaBr3vAZc

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
2380	installer.exe
2092	GenericSetup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2092	GenericSetup.exe
2092	GenericSetup.exe
2092	GenericSetup.exe
2092	GenericSetup.exe
2092	GenericSetup.exe
2092	GenericSetup.exe
2092	GenericSetup.exe
2092	GenericSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	GenericSetup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 2380	4924	uTorrent.exe	93
PID 4924 wrote to memory of 2380	4924	uTorrent.exe	93
PID 4924 wrote to memory of 2380	4924	uTorrent.exe	93
PID 2380 wrote to memory of 2092	2380	installer.exe	94
PID 2380 wrote to memory of 2092	2380	installer.exe	94

C:\Users\Admin\AppData\Local\Temp\uTorrent.exe
"C:\Users\Admin\AppData\Local\Temp\uTorrent.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\installer.exe
  .\installer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\GenericSetup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\GenericSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\BundleConfig.xml

Filesize
78KB

MD5
f60bff7133d9c6c895e3cf45937caea3

SHA1
3c91c9b8980e641d5c874eda0efa3d1d5f3003e3

SHA256
26d8eae8470e4e4b02a8a7a4d1e13ba27a9b8fb739a113fe763eda61fc44a102

SHA512
daa0e7ed662b931c836ca861b4311f547055cf0495936c410ce93d8136e4defcfcb078932ca1c0da2a3b0b758f50ca3cf12d814d2ce89a4b19fe54c452275557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\DevLib.dll

Filesize
291KB

MD5
07aa211ce6e5c1169ad9c451a99934a9

SHA1
c79646ec41544b779dea9b2cc741774551bd1a58

SHA256
6ef65465a2afbefd8e45fcea27734f63e142f2db32909b1aaa6c918925d154e6

SHA512
4664babf77fabd08a30c5f985b63880486ea8c096d8602a302a4580ab9928bcce9ca947a25a7e74c8cddcb486786257de821547dabe31e971b0a66755c4cd7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\GenericSetup.exe

Filesize
68KB

MD5
db7f20eeb9e86758922997138deb9e8e

SHA1
86054cdbddd68d0958d821198f399f11ba0b9502

SHA256
7d173a0091162c2b28cb288c1b71fc732c70f18ab8380324f023f81bf9f2421b

SHA512
6a4516e0166418620897e744267931205e11552637c2e76291bda82608ae099cdacd658d6c48c8180f4e552be11bd50ef48a140614ed1a4bb825fd75f191f441

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\GenericSetup.exe.config

Filesize
1KB

MD5
80a504d4544124fda7036d6b70317f94

SHA1
42384a541d861c59729c2ea391fa4ba5e2b6799f

SHA256
126a7ab225ed88d506bf86ac2af9dff6cb223e1162685c81b1445eb2cd2a324a

SHA512
005544bb6f3843823c6a895590ec918d809e422e8063768e4cad9eaa28c50b3ea5837d3b71f9b5b762bf8161029cfdd677cf28c1a4c80cfa72f4d19b2aca2780

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\WizardPages.dll

Filesize
56KB

MD5
b945ea4ebab4169a82a199e8cebaa21e

SHA1
d71c00cf5f286a45fd2c7099904fbfd27755ef7b

SHA256
bf80c8b5d0d6ca7f277719ce797c6d09db990a31e6f3c9a7956763f193a7b8c2

SHA512
fdd3893e99709cbfe898eb1fb6858a6638f8c6817883efaf7f8aaac34146f310e54838fc317f6a3aa69b10d48613fbadff298bd3f120485c5a540ef56a25c995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\installer.exe

Filesize
1.4MB

MD5
531687aed093d23b9213b16b5216ef46

SHA1
4e81eab76eda4daedf709d3191cd9c040758ceaa

SHA256
c12eb9e06d40499dfcf6e1343895c04295f461823bf9c20c4147f994a1e67108

SHA512
fdf8cf42bfac7739679a40ab3790093489c20c004531bc508ea50715d3b938907ccc34c88dfefce4cb51db6f7e88bfe70afe1ae8a03b7b0798835515e27519eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC3372E28\uTorrent.dll

Filesize
17KB

MD5
0ef592926ca8f79988d8c7df695b0d7e

SHA1
185562111ba45520eecd6e8559fc1d2fb402bec2

SHA256
e3a1dca99b96d7d6bd1391bd20fb450a8ba750adda029865fdf4739c04c5d18a

SHA512
3520e1a426153a07da03f8c1176b932ce0a9afa3a733ab78b27ffef7224545b8cf1c448c974cbe4afbf44d2fa953f3b60b7370b9c140a1d99cee425cda531db3

Download Submit
memory/2092-35-0x0000000000A40000-0x0000000000A54000-memory.dmp

Filesize
80KB

Download
memory/2092-39-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/2092-38-0x0000000002B20000-0x0000000002B6E000-memory.dmp

Filesize
312KB

Download
memory/2092-47-0x000000001B790000-0x000000001B7A4000-memory.dmp

Filesize
80KB

Download
memory/2092-48-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/2092-37-0x00007FFE6F1E0000-0x00007FFE6FCA1000-memory.dmp

Filesize
10.8MB

Download
memory/2092-50-0x000000001FA50000-0x000000001FA5A000-memory.dmp

Filesize
40KB

Download
memory/2092-53-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/2092-57-0x00007FFE6F1E0000-0x00007FFE6FCA1000-memory.dmp

Filesize
10.8MB

Download
memory/2092-58-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/2092-59-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/2092-60-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing