96bac43faac2b1fa5e0bc495975b2e642af5da181e313a9c8f541912b83c0edb

Analysis

max time kernel
146s
max time network
126s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbittorrent_4.6.4_x64_setup_1.exe
Size

34.0MB
MD5

918224925563095d15dbab7c34b3bf17
SHA1

33902285adf411e5824547e849a4adcfc6531114
SHA256

96bac43faac2b1fa5e0bc495975b2e642af5da181e313a9c8f541912b83c0edb
SHA512

4d6bd949693ea60671ddb8dc19ec87d8e02bf4888aca290318488ca696e495e13bf49161ac8f75cfff9befb72589ab2bedcd1138fa9d81c5bf071191d6344b28
SSDEEP

786432:7KMXiEtPqJO5MB3/UOd64S49KmFRc85C2uWF3Dzn:7DXioy0DOd6o1HtuW5/

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2072	qbittorrent_4.6.4_x64_setup_1.exe
2072	qbittorrent_4.6.4_x64_setup_1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbittorrent_4.6.4_x64_setup_1.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2180	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1528	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1528	vlc.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1528	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1464	812	rundll32.exe	36
PID 812 wrote to memory of 1464	812	rundll32.exe	36
PID 812 wrote to memory of 1464	812	rundll32.exe	36
PID 1464 wrote to memory of 1528	1464	rundll32.exe	38
PID 1464 wrote to memory of 1528	1464	rundll32.exe	38
PID 1464 wrote to memory of 1528	1464	rundll32.exe	38

C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.6.4_x64_setup_1.exe
"C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.6.4_x64_setup_1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\DenyUnlock.bat" "
1⤵
PID:768

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\DenyUnlock.bat" "
1⤵
PID:2660

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\PopExit.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\PopExit.rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopExit.rar"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SwitchUninstall.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsjAEF7.tmp\LangDLL.dll

Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAEF7.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/1528-27-0x000000013F9D0000-0x000000013FAC8000-memory.dmp

Filesize
992KB

Download
memory/1528-28-0x000007FEF59B0000-0x000007FEF59E4000-memory.dmp

Filesize
208KB

Download
memory/1528-29-0x000007FEF56F0000-0x000007FEF59A6000-memory.dmp

Filesize
2.7MB

Download
memory/1528-30-0x000007FEF4160000-0x000007FEF5210000-memory.dmp

Filesize
16.7MB

Download