8ba16cc70e9335f5cfa3189cf0dc6704ce88948729078730878ee17c185da134

General

Target

uTorrent_zipsoft__13454__[29527].exe
Size

673KB
MD5

f485331235333f85377f0a5da49f18db
SHA1

44d80e2691b35705a20e3f8605a6b316a850ea48
SHA256

5d0e089ecc3b9070368bd983cf7c56360b6d1f12bee8ea5a14df8b956fc31cf5
SHA512

dfb3cf30bee7580a50097dcb2ead98a70c7ec60dd3ada52c6cae2f174f8e14b85693b9983d039557aca34a9b4136d755f8e198902965712d746c56d44cba2bf4
SSDEEP

12288:9w8eE43nhb40+56Dbf4HIkwHj4qkTZXTBJhX:nJmBDr4Mj4q2X

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	uTorrent_zipsoft__13454__[29527].exe

Executes dropped EXE 1 IoCs

pid	Process
3900	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe

Loads dropped DLL 1 IoCs

pid	Process
3900	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2856	uTorrent_zipsoft__13454__[29527].exe
3900	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe
3900	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe
3900	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe
3900	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	uTorrent_zipsoft__13454__[29527].exe
Token: SeManageVolumePrivilege	3900	360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 3900	2856	uTorrent_zipsoft__13454__[29527].exe	100
PID 2856 wrote to memory of 3900	2856	uTorrent_zipsoft__13454__[29527].exe	100
PID 2856 wrote to memory of 3900	2856	uTorrent_zipsoft__13454__[29527].exe	100

C:\Users\Admin\AppData\Local\Temp\uTorrent_zipsoft__13454__[29527].exe
"C:\Users\Admin\AppData\Local\Temp\uTorrent_zipsoft__13454__[29527].exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\ZipSoft\360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe
  "C:\Users\Admin\AppData\Local\Temp\ZipSoft\360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe" /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
654B

MD5
5cdfc4b9de66db60219b702987b6884f

SHA1
3f664159cd6af48abc3f4c4a2d0ec16ff715b208

SHA256
9a52a5e9dcfcc59699cab7a8777c114d2b9685e68b00502c0bfb28b42ef3321d

SHA512
3c14da8a340736a697b4b2188b1b250b7328278a11e3483cc684247a2c10fc2b69435013e2704275dae319d992a048ff66a074065e91e9a2f65cfbd24a874d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
a483da8b27289fc9cc49d6b17e61cbf6

SHA1
2d4a5a704c2ff332df6436b7bcd16365f03c2a97

SHA256
f7785d4e80691cb2bb59301fe8962e50862c44d8992a0e308f86689b7ee76911

SHA512
e0d061a5ed7c7789d11331b192c0693e9a49398de371153d1d13a8b7a32ae7078ea103b03a535ebd0581f1d9d56bacf77b9e31f68ab1888663111e8d2afea0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipSoft\360TS_Setup_Mini_WW_AZ_CPI202204_6.6.0.1054.exe

Filesize
1.5MB

MD5
315b1959710ad100d0c6a7de71512044

SHA1
cca5a448b8f3009cf3c9f4f5b71de06ccfd7cdd6

SHA256
032b6dfd8bfb5fd4c7c1a7a63df470d8ccb01b75a47f0b807e830eccdd33a52b

SHA512
7d6638c6199dc9cc75136234cbeb10e8c3896d15c81b53ec02bc0200af01cbaf9563eb292ce2172f860b9f47506732ddb2165145827e2348e3f8c23b8eda191b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{57B6A423-838C-4d5e-9FFE-9B130213DD8F}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/2856-10-0x000000000A430000-0x000000000A438000-memory.dmp

Filesize
32KB

Download
memory/2856-13-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2856-6-0x0000000009E50000-0x0000000009E62000-memory.dmp

Filesize
72KB

Download
memory/2856-7-0x0000000009EB0000-0x0000000009EEC000-memory.dmp

Filesize
240KB

Download
memory/2856-8-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2856-9-0x000000000A440000-0x000000000A5C6000-memory.dmp

Filesize
1.5MB

Download
memory/2856-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2856-11-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2856-12-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2856-5-0x0000000007E80000-0x0000000007E8E000-memory.dmp

Filesize
56KB

Download
memory/2856-14-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2856-15-0x0000000001440000-0x0000000001448000-memory.dmp

Filesize
32KB

Download
memory/2856-4-0x00000000084D0000-0x0000000008508000-memory.dmp

Filesize
224KB

Download
memory/2856-3-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2856-1-0x00000000009C0000-0x0000000000A6A000-memory.dmp

Filesize
680KB

Download
memory/2856-38-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2856-2-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3900-37-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads