e9fda42f141f3fa37244d8f5065611a9dc8914af6b7b1cbd99e191389d251cb9

Analysis

max time kernel
25s
max time network
25s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uTorrent221_2022.exe
Size

2.1MB
MD5

36bb5b88432be7a8674a2182e3341039
SHA1

cc94701664600ebabb0803ea4c9e24a3a35dd587
SHA256

e9fda42f141f3fa37244d8f5065611a9dc8914af6b7b1cbd99e191389d251cb9
SHA512

f7760476e0fe0e8bb989bce15e7e69eb6a93c1e591dfabf08cb8332322dd102edc1235f6182773845f9cd683fb7df650b00b3ae4e46d07b33deb5d497308cef3
SSDEEP

49152:PuWifaDh9pvSGmfOwU8/N5t2KnyeSqPlzvonOpVJJ81f:PuWyaDhXvSGmfOwUc9Ie9lxpVJi

Score

7^/10

evasion upx

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

utorrent.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	utorrent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	utorrent.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\uTorrent\uninstall.exe	upx
\Users\Admin\AppData\Roaming\uTorrent\utorrent.exe	upx
behavioral1/memory/1448-62-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1448-113-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1448-126-0x0000000000400000-0x0000000000510000-memory.dmp	upx

Executes dropped EXE 1 IoCs

Processes:

utorrent.exe

pid process

1448 utorrent.exe

pid	process
1448	utorrent.exe

Loads dropped DLL 7 IoCs

Processes:

uTorrent221_2022.exe

pid	process
2028	uTorrent221_2022.exe
2028	uTorrent221_2022.exe
2028	uTorrent221_2022.exe
2028	uTorrent221_2022.exe
2028	uTorrent221_2022.exe
2028	uTorrent221_2022.exe
2028	uTorrent221_2022.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeuTorrent221_2022.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	uTorrent221_2022.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A38B59D1-17A8-11EF-8554-DE288D05BF47} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 64 IoCs

Processes:

utorrent.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\shell\ = "open"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\shell	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\" \"%1\""	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\ = ".btinstall URI"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\shell\open\command	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\Content Type	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\shell\open\command	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\Content Type = "application/x-bittorrent-skin"	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\ = "Magnet URI"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\Content Type = "application/x-bittorrent-app"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrent	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\" \"%1\""	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\shell\ = "open"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\",0"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\DefaultIcon	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\" \"%1\""	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\shell\ = "open"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\Content Type = "application/x-bittorrent-app"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\DefaultIcon	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\shell\ = "open"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\ = ".btskin URI"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.torrent	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MIME\Database	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\shell\open\command	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btsearch\ = "uTorrent"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\shell	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\DefaultIcon	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\shell	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\DefaultIcon	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\",0"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btsearch	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\shell\open\command	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\URL Protocol	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btsearch\Content Type = "application/x-bittorrentsearchdescription+xml"	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\URL Protocol	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\" \"%1\""	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\",0"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\DefaultIcon	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\URL Protocol	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\utorrent.exe\" \"%1\""	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\URL Protocol	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MIME\Database\Content Type	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\Content Type\ = "application/x-bittorrent"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\shell\open	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\ = ".btapp URI"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btapp\shell\open	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MIME	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Magnet\shell\ = "open"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.torrent\ = "uTorrent"	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\uTorrent\shell\open	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btinstall\shell	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.btskin\shell\open	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.torrent\Content Type = "application/x-bittorrent"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml	utorrent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

utorrent.exe

pid process

1448 utorrent.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

utorrent.exe

description pid process

Token: SeManageVolumePrivilege 1448 utorrent.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeutorrent.exe

pid process

2920 iexplore.exe
1448 utorrent.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

utorrent.exe

pid process

1448 utorrent.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

uTorrent221_2022.exeiexplore.exeIEXPLORE.EXEutorrent.exe

pid process

2028 uTorrent221_2022.exe
2028 uTorrent221_2022.exe
2920 iexplore.exe
2920 iexplore.exe
2952 IEXPLORE.EXE
2952 IEXPLORE.EXE
1448 utorrent.exe

pid	process
1448	utorrent.exe

description	pid	process
Token: SeManageVolumePrivilege	1448	utorrent.exe

pid	process
2920	iexplore.exe
1448	utorrent.exe

pid	process
1448	utorrent.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

uTorrent221_2022.exeiexplore.exe

description	pid	process	target process
PID 2028 wrote to memory of 2720	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2720	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2720	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2720	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2728	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2728	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2728	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2728	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 776	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 776	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 776	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 776	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 892	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 892	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 892	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 892	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2412	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2412	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2412	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2412	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2472	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2472	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2472	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2472	2028	uTorrent221_2022.exe	reg.exe
PID 2028 wrote to memory of 2920	2028	uTorrent221_2022.exe	iexplore.exe
PID 2028 wrote to memory of 2920	2028	uTorrent221_2022.exe	iexplore.exe
PID 2028 wrote to memory of 2920	2028	uTorrent221_2022.exe	iexplore.exe
PID 2028 wrote to memory of 2920	2028	uTorrent221_2022.exe	iexplore.exe
PID 2028 wrote to memory of 1448	2028	uTorrent221_2022.exe	utorrent.exe
PID 2028 wrote to memory of 1448	2028	uTorrent221_2022.exe	utorrent.exe
PID 2028 wrote to memory of 1448	2028	uTorrent221_2022.exe	utorrent.exe
PID 2028 wrote to memory of 1448	2028	uTorrent221_2022.exe	utorrent.exe
PID 2920 wrote to memory of 2952	2920	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2952	2920	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2952	2920	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2952	2920	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\uTorrent221_2022.exe
"C:\Users\Admin\AppData\Local\Temp\uTorrent221_2022.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent" /v "DisplayName" /d "µTorrent" /f
2⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent" /v "DisplayIcon" /d "C:\Users\Admin\AppData\Roaming\uTorrent\uninstall.exe" /f
2⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent" /v "UninstallString" /d "C:\Users\Admin\AppData\Roaming\uTorrent\uninstall.exe" /f
2⤵
PID:776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent" /v "DisplayVersion" /d "2.2.1.25534" /f
2⤵
PID:892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent" /v "Publisher" /d "emc, uTorrent.CZ" /f
2⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent" /v "URLInfoAbout" /d "http://www.utorrent.cz" /f
2⤵
PID:2472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.utorrent.cz/tracker/?v=2.2.1.25534
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Users\Admin\AppData\Roaming\uTorrent\utorrent.exe
"C:\Users\Admin\AppData\Roaming\uTorrent\utorrent.exe" /noinstall
2⤵
- Identifies Wine through registry keys
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:1688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uTorrent\apps\mpc-hc.btapp

Filesize
11KB

MD5
0ec40b7b6ac0e1743d89563611486ee2

SHA1
f278558706fca3d907017aab3fbcc8bdb19a45f9

SHA256
8ce67bf0098d8fc9b7e884d462f06a44f370293d1d88f4fdfecda5cb725fcadd

SHA512
8f40933cde1db558c80c2051a44230034f7a05f75c7e4f322771a150772d6884181f7931a91e0c281eb62b10696f49f22a708968c1dcac81d32cad2d62bfa4ec

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\current.btskin

Filesize
5KB

MD5
60595ad7d31a7ed82087624f9fca7225

SHA1
3ba7b50b5fdb032883b4e4feced404da1b366a11

SHA256
bb47eb175393290f9f81c2004d86b94ebd613d692792759e203375d916406630

SHA512
15da73aa6ea1158aa7038eb909c09166b5bc4d07a7005e70e3c329c3acb2736ce92784ad4e97b3c03ceac8bd23019e9d4893c3538d0c7ec4a2ef48d209682964

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat

Filesize
862B

MD5
75025f540ad1985721998c8fec512f6e

SHA1
002d4fbc3a650934758945c9a1cbf87a5d33ffb5

SHA256
3e50c9b522fe3796364d8dc111fe16e846e546010d8390689d0b0f463435ccb6

SHA512
db4862133c265a9f847e43d21922a90fa2a99ca4f43b33d7486d34118312c2e78290445ea5aeac987c4d5f5e04d9b098970d8456a99240264c1c9a9834cced64

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

Filesize
3KB

MD5
3e7809b33199ff1081b5c739fc6f451c

SHA1
c815915384cbfc739b66a814ccd1c5b5ef54a08c

SHA256
f61e9b256a3e6c04d91a787945ade632d7bea73df898d2ebd6e3e1c93c836fb4

SHA512
970bec4f9fcf3d5db23d51ccc74975e1a3826fcbcf5411fa747e1c00755b1e5f053e747768dca4cb7000620b0ed7a604cc860bf5a07b75080f73e6dc45f877c2

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.bmp

Filesize
27KB

MD5
7598a57f7c2776f7715f07d64c389dd5

SHA1
767e48ccc5ee5492ae2efaf535e82ed9b6291f91

SHA256
72951aee40c81a5e75529a91f3c0b9b1a6e7696e55d327102b847fe8bfd990a1

SHA512
0924ddda4c20ee428d150f0fa44a9074eaf4537cd98b5457e93cb4b68ffc832a06f0c7ca1838e9f873dea5dfc72c27fae1ea23c61dfed0828f9b0bc54f023df7

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\utorrent.lng

Filesize
716KB

MD5
ce820f3a028cea6474b2e15515caf5bf

SHA1
4dcad270e42602b71db0a7e2b0a071bf44eded6d

SHA256
dad758c5734702252cf35ddf97bed8d06093195d37ad2c47891e355ae5c1491a

SHA512
c6719f4ae51448816b145ca6223835893e84e5a56e345b1b8dc629ddd0c695890f514f746cdb3636dba74736a119d394988252e679bb70416d754e9772c9c314

Download Submit
\Users\Admin\AppData\Roaming\uTorrent\uninstall.exe

Filesize
369KB

MD5
f65bce6a1d7897dd7c44623355d8f73a

SHA1
49d3a42639ee24f675dae461726c511e9ae97d7e

SHA256
99cd26315736d61b78ef86ed1afb4e55699c3d729131518e3d5bccde752c17de

SHA512
7f80764ddc2dfd524292dcb3f701dc7682b15f146ee59d78909d69d7604c52753e48787256d622e1d129e729c573c08c8f7f9c62ec3c5a279cfc3c2c9b525e3e

Download Submit
\Users\Admin\AppData\Roaming\uTorrent\utorrent.exe

Filesize
417KB

MD5
bebe692199dd7f549f4a081fd8b03b4e

SHA1
c0b96402909befb8a15474a1c0797a1cd18f622f

SHA256
3ba45fe242fe4594183b09e1d924bbb705a0f8c0cc60fe2d0b0d6f6c890cf612

SHA512
e20b3f9ad7ec03f5afa8decdd4a28345847b35cbedf20256c4986f2c238e6e5cf597cf329654ddf5f6648e3e4dab65f7254e949777659585eeada96e3621a1af

Download Submit
memory/1448-119-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-90-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-126-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1448-64-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-73-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-72-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-71-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-62-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1448-91-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-83-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-63-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-84-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-85-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-87-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-92-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-88-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-89-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-121-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-124-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-123-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-114-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-96-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-98-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-99-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-113-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1448-97-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-115-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-116-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-125-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-118-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-117-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-120-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1448-122-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/2028-39-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2028-60-0x0000000004DE0000-0x0000000004EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2028-46-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2028-32-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2028-51-0x0000000004DE0000-0x0000000004EF0000-memory.dmp

Filesize
1.1MB

Download