6d0c4806624ae4c55b6f572a6f85fec7d7c189a7f0a248d6ed14cf2b6d69c2c8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uTorrent3.4.3(40760)Stable.exe
Size

1.9MB
MD5

be19f180abe2d1d6c04f639e57c59ba4
SHA1

8f5261aea3f1bb62438ad8c7acf8c3640cb545c9
SHA256

efc67f2a55f5078ff07185fa3b3191ae842e125fcf2c5327352de3b4d0e8d83e
SHA512

12846f46bebd5e929b59585af1f6d13663a2c2b985c2751722fc3eec3f61d480f08f850e789049b39a4925930e650dc27db4f69ebffc8a03e1ebd78ccad5b8c7
SSDEEP

49152:yxbiKUSncokSbzTP17jwhMyfVEz7L7SAv6:yxJnco9bvP1ER0e1

Score

7^/10

evasion upx

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	uTorrent3.4.3(40760)Stable.exe
Key opened	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine	uTorrent3.4.3(40760)Stable.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1336-0-0x0000000000400000-0x0000000000869000-memory.dmp	upx
behavioral2/memory/1336-36-0x0000000000400000-0x0000000000869000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	uTorrent3.4.3(40760)Stable.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	uTorrent3.4.3(40760)Stable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	uTorrent3.4.3(40760)Stable.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	uTorrent3.4.3(40760)Stable.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	uTorrent3.4.3(40760)Stable.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\uTorrent3.4.3(40760)Stable.exe = "9000"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	uTorrent3.4.3(40760)Stable.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\uTorrent3.4.3(40760)Stable.exe = "1"	uTorrent3.4.3(40760)Stable.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.torrent\Content Type = "application/x-bittorrent"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-appinst	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btkey	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\shell\open	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\shell\open\command	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent\Content Type\ = "application/x-bittorrent"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\shell\open	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\shell\ = "open"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btinstall	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\URL Protocol	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\Content Type = "application/x-magnet"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btskin\ = "uTorrent"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\shell	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.torrent	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maindoc.ico"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uTorrent3.4.3(40760)Stable.exe\" \"%1\" /SHELLASSOC"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btsearch\Content Type = "application/x-bittorrentsearchdescription+xml"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btskin\Content Type = "application/x-bittorrent-skin"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btinstall\ = "uTorrent"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\URL Protocol	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btkey\ = "uTorrent"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrent	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent\Content Type	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btapp	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btapp\Content Type = "application/x-bittorrent-app"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btskin	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btkey\Content Type = "application/x-bittorrent-key"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\ = "bittorrent URI"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\FalconBetaAccount	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\FalconBetaAccount\remote_access_client_id = "9941301908"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.torrent\ = "uTorrent"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent\DefaultIcon	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\ = "Magnet URI"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\shell	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\DefaultIcon	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-skin	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btinstall\Content Type = "application/x-bittorrent-appinst"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\Content Type = "application/x-bittorrent-protocol"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maindoc.ico"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maindoc.ico"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uTorrent3.4.3(40760)Stable.exe\" \"%1\" /SHELLASSOC"	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent\shell\ = "open"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Magnet\shell\open\command	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btapp\ = "uTorrent"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\bittorrent\shell\ = "open"	uTorrent3.4.3(40760)Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\uTorrent\shell\open	uTorrent3.4.3(40760)Stable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\.btsearch\ = "uTorrent"	uTorrent3.4.3(40760)Stable.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1336	uTorrent3.4.3(40760)Stable.exe
1336	uTorrent3.4.3(40760)Stable.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1336	uTorrent3.4.3(40760)Stable.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1336	uTorrent3.4.3(40760)Stable.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1336	uTorrent3.4.3(40760)Stable.exe
1336	uTorrent3.4.3(40760)Stable.exe
1336	uTorrent3.4.3(40760)Stable.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1336	uTorrent3.4.3(40760)Stable.exe
1336	uTorrent3.4.3(40760)Stable.exe
1336	uTorrent3.4.3(40760)Stable.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1336	uTorrent3.4.3(40760)Stable.exe
1336	uTorrent3.4.3(40760)Stable.exe

C:\Users\Admin\AppData\Local\Temp\uTorrent3.4.3(40760)Stable.exe
"C:\Users\Admin\AppData\Local\Temp\uTorrent3.4.3(40760)Stable.exe"
1⤵
- Identifies Wine through registry keys
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dht_feed.dat.new

Filesize
2B

MD5
d9180594744f870aeefb086982e980bb

SHA1
593b743b207e10ff55ec63e71a46c07909d0880a

SHA256
61098a4bf2a5e216533e5f2994d8f290308b310f2efa046548a96302afe412ea

SHA512
052d52f93faf4fa4037fc1e1cedec179253e47e3f2a11f7ef070fcfc393a7429dec341c46463b000d0a46f6d0e6de1325e1e43f7f01fe4605954df9035e0b080

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.dat.old

Filesize
82KB

MD5
15f1afd3ee2aa35a1a5e81ad98d8ef14

SHA1
8a83f1a8e1f4d56953f9d1566a5598abc690e49e

SHA256
aa2aadefc8de6db464ad64d4b707866b1773c1d34a2de3fc5bf1f2e1aafa9f3b

SHA512
0ab0ba22c629ba2f23a6801b897bff23a0a442a94d58962a165965688c0682e2bf735e1e17832520da7a3a81e0261c96ace332e8b8b1df4af42d071cbc822d34

Download Submit
memory/1336-0-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/1336-36-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download