bf4ee47d0df1870104f4fada8a68c2fb29e94fea9284c7bb6a6b385a718d8a18

General

Target

utorrent_installer.exe
Size

1.7MB
MD5

241ce365f228ee5f74d81b3fea14e09a
SHA1

700b05506dd3eebb4b87ff545f6d2bb6af6a3ae3
SHA256

bf4ee47d0df1870104f4fada8a68c2fb29e94fea9284c7bb6a6b385a718d8a18
SHA512

bf3756fb2b037a10592498f08e6eb3bad8f50da4ff9e96703e646a69ea1481e6801023abb3b1aae923fb2c68bb21ae5bb50f8e675b57ff90504c8e7ee8f81593
SSDEEP

49152:9BuZrEUT97LZxMPrlDZFBmS06nIJOZobMP:LkLp/ZSr97Bmb6naO6bs

Score

6^/10

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\SOFTWARE\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\SOFTWARE\AVG\AV\Dir	utorrent_installer.tmp

Executes dropped EXE 1 IoCs

pid	Process
1800	utorrent_installer.tmp

Loads dropped DLL 2 IoCs

pid	Process
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	utorrent_installer.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	utorrent_installer.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp
1800	utorrent_installer.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1800	utorrent_installer.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 1800	5116	utorrent_installer.exe	78
PID 5116 wrote to memory of 1800	5116	utorrent_installer.exe	78
PID 5116 wrote to memory of 1800	5116	utorrent_installer.exe	78

C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe
"C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\is-63SP2.tmp\utorrent_installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-63SP2.tmp\utorrent_installer.tmp" /SL5="$500DE,875149,815616,C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-63SP2.tmp\utorrent_installer.tmp

Filesize
3.0MB

MD5
27174a5611d8827d1736d9ac8382d19f

SHA1
f000848acdd1c152d32a44c928deace522983886

SHA256
36a40fb99c1b026e59c6ba286a02548c64ec7a7e280b19d3169af9aa3c59b994

SHA512
4b6180facd75a9f10e2122ed1ca513979752f953cb92f8436877aff341b40575125db43293259a291406d95f408fbebbd89081fc07f2a5779ec02e5ead23406d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M1QRP.tmp\Logo.png

Filesize
7KB

MD5
5424804c80db74e1304535141a5392c6

SHA1
6d749f3b59672b0c243690811ec3240ff2eced8e

SHA256
9b7e2ea77e518b50e5dd78e0faec509e791949a7c7f360a967c9ee204a8f1412

SHA512
6c7364b9693ce9cbbdbca60ecef3911dfe3d2d836252d7650d34506d2aa41fc5892028ba93f2619caf7edb06576fddae7e5f91f5844b5c3a47f54ca39f84cc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M1QRP.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M1QRP.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M1QRP.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
memory/1800-43-0x0000000004B10000-0x0000000004B1F000-memory.dmp

Filesize
60KB

Download
memory/1800-15-0x0000000004B10000-0x0000000004B1F000-memory.dmp

Filesize
60KB

Download
memory/1800-6-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1800-37-0x0000000004B10000-0x0000000004B1F000-memory.dmp

Filesize
60KB

Download
memory/1800-36-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1800-42-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1800-51-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/5116-31-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/5116-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5116-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/5116-53-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing