94c70fd5da5feb18eb47c379083c68edb32ef7c35d97ee80bad5da8c00688600

Analysis

max time kernel
144s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$DESKTOP/Torrent Portable/App/uTorrent/uTorrent.exe
Size

4.9MB
MD5

97c2ccf6622b460d89eaa0b481610394
SHA1

bc6fd3319daf27dfbb2786ad35b17329665a930b
SHA256

a17b3463587b84d73eecf57929d111dcfba158e33f93d5d43f8b28b7e4e3267c
SHA512

3ff0dcf9eb9b7c237d8ed13d51b20d3e14aedb5b11db763ff070c1afcef1ee677ace6d5f7d3bd724fc4277c925a30dcdd0d0280015d8cf4c8d88fd9efe910e57
SSDEEP

49152:lYTEpjDUiCeD8i8aUZMOwbk+ZNTEmrVLUWvggIhbf/NobusuC99ZaTg+P2jqAtHv:lY4ui18i2aQCaQa7P2jxpL9fn9UDc

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	uTorrent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine	uTorrent.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\FalconBetaAccount	uTorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\FalconBetaAccount\remote_access_client_id = "6676232942"	uTorrent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	uTorrent.exe
4656	uTorrent.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4656	uTorrent.exe

C:\Users\Admin\AppData\Local\Temp\$DESKTOP\Torrent Portable\App\uTorrent\uTorrent.exe
"C:\Users\Admin\AppData\Local\Temp\$DESKTOP\Torrent Portable\App\uTorrent\uTorrent.exe"
1⤵
- Identifies Wine through registry keys
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

Filesize
7KB

MD5
75ed35f76f5eab7c98d0a32e628a3b1a

SHA1
e1d77375fce923f222e6e90bb10817c561734bc3

SHA256
162b12a500ed67b1d52bff42ef4eadad38371fce260b7bef95665a49d3cbd92a

SHA512
f5d94eb121b15bcb9c3a782837d7a1798fc84af0648511bb8fb415da77505659e0156f27759a493f1cd11dcb6b4bc723b83f49fef458556b72448db176ba9889

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

Filesize
240B

MD5
ced9d98dc09379c6865ba13ffc220ccd

SHA1
0f5436f818cab24e7966e0656cc7bbe2705a95b6

SHA256
388fa64cc134ff0a52a92edd29a113b1eeb64b28273502b456bcc3470c423f04

SHA512
551ceee919d8f82bf702aedff536d25977ef85e31a9479db436a2df93d56260f6d72fb9ca17b9b0f4b09a88c2c95474e36a21a2e1922c4f02dc1102e41d3bd81

Download Submit
memory/4656-0-0x0000000000400000-0x0000000000921000-memory.dmp

Filesize
5.1MB

Download