43006c85c7f69e9d1f8842a1597a7287b1d3a5654e49b0e9eff754b6241ad867

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beelyk.torrent
Size

110B
MD5

2f0c89ca994326968406f1921e505350
SHA1

fdfb093baeb7a48848b5476934c2ac9f0f81b680
SHA256

43006c85c7f69e9d1f8842a1597a7287b1d3a5654e49b0e9eff754b6241ad867
SHA512

be7f79e108d0fa9b5091e761216e465aba158e027aada36ba54bd714246247a976b93b2c5bf86fbd9a534505f3d290727ddec09563b0a9ce4904e13c82a35d46

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.torrent	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\torrent_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\torrent_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\torrent_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\torrent_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\torrent_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\torrent_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.torrent\ = "torrent_auto_file"	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2620	AcroRd32.exe
2620	AcroRd32.exe
2620	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1276	2984	cmd.exe	29
PID 2984 wrote to memory of 1276	2984	cmd.exe	29
PID 2984 wrote to memory of 1276	2984	cmd.exe	29
PID 1276 wrote to memory of 2620	1276	rundll32.exe	30
PID 1276 wrote to memory of 2620	1276	rundll32.exe	30
PID 1276 wrote to memory of 2620	1276	rundll32.exe	30
PID 1276 wrote to memory of 2620	1276	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\beelyk.torrent
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\beelyk.torrent
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\beelyk.torrent"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e585cd1e4d123632693d3c5fb25418d1

SHA1
ce2b483de16428f9f38e469871d8d48338e0b9c7

SHA256
a3ad78f306aed75b0d9e0952b04302a48e73c868b2f3685a16478d863b73a4b8

SHA512
27b2a6cdd93ac3cd20225e2e4280febfd2ed7a15a0166fbf47c47b731300d17741a7c8d8dcdddd95807d4825669d4f3fd8b0d852b969fa31c5de9fc056af5b54

Download Submit