e555c06879ed4eda6277e1fa8a4985590e70d8fa81421103048803e386daaf28

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TORMENTOR_h47-zQ1.exe
Size

13.8MB
MD5

af45bc08a07f1ba16abe59f29072ebcc
SHA1

66edea40ba7b38a45bd856e6889bba12384c458f
SHA256

e555c06879ed4eda6277e1fa8a4985590e70d8fa81421103048803e386daaf28
SHA512

a4c63d95b2ce3ed6590617e18f18d78a530deb7958fcb4e1ed1b9ab415c4c370e907d2eccc63becb7f2d7dcb7b603125809008d38f450f3462d9b8d61b7f1d97
SSDEEP

393216:bBBTeN30LpEiSCC9XSpIFwah3RuINhkUOgs:dtwkLps9Xhrhhuahk5D

Score

6^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\AVG\AV\Dir	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Avira\Browser\Installed	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\AVAST Software\Avast	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	TORMENTOR_h47-zQ1.tmp

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	qbittorrent.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1840	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2084	TORMENTOR_h47-zQ1.tmp
2040	qbittorrent.exe

Loads dropped DLL 3 IoCs

pid	Process
1520	TORMENTOR_h47-zQ1.exe
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TORMENTOR_h47-zQ1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbittorrent.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	TORMENTOR_h47-zQ1.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TORMENTOR_h47-zQ1.tmp

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\shell\open\command\	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\URL Protocol	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-E56LI.tmp\\qbittorrent.exe\",1"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\shell\ = "open"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\shell	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\shell\open	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\ = "URL:Magnet link"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\Content Type = "application/x-magnet"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\shell\	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\shell\open\command	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\DefaultIcon\	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-E56LI.tmp\\qbittorrent.exe\" \"%1\""	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.torrent\	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.torrent\ = "qBittorrent"	qbittorrent.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TORMENTOR_h47-zQ1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TORMENTOR_h47-zQ1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TORMENTOR_h47-zQ1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	TORMENTOR_h47-zQ1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TORMENTOR_h47-zQ1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TORMENTOR_h47-zQ1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TORMENTOR_h47-zQ1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	TORMENTOR_h47-zQ1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2040	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp
2084	TORMENTOR_h47-zQ1.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2040	qbittorrent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2040	qbittorrent.exe
Token: SeIncBasePriorityPrivilege	2040	qbittorrent.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2084	TORMENTOR_h47-zQ1.tmp
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe
2040	qbittorrent.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2084	1520	TORMENTOR_h47-zQ1.exe	30
PID 1520 wrote to memory of 2084	1520	TORMENTOR_h47-zQ1.exe	30
PID 1520 wrote to memory of 2084	1520	TORMENTOR_h47-zQ1.exe	30
PID 1520 wrote to memory of 2084	1520	TORMENTOR_h47-zQ1.exe	30
PID 1520 wrote to memory of 2084	1520	TORMENTOR_h47-zQ1.exe	30
PID 1520 wrote to memory of 2084	1520	TORMENTOR_h47-zQ1.exe	30
PID 1520 wrote to memory of 2084	1520	TORMENTOR_h47-zQ1.exe	30
PID 2084 wrote to memory of 1840	2084	TORMENTOR_h47-zQ1.tmp	32
PID 2084 wrote to memory of 1840	2084	TORMENTOR_h47-zQ1.tmp	32
PID 2084 wrote to memory of 1840	2084	TORMENTOR_h47-zQ1.tmp	32
PID 2084 wrote to memory of 1840	2084	TORMENTOR_h47-zQ1.tmp	32
PID 2084 wrote to memory of 2040	2084	TORMENTOR_h47-zQ1.tmp	34
PID 2084 wrote to memory of 2040	2084	TORMENTOR_h47-zQ1.tmp	34
PID 2084 wrote to memory of 2040	2084	TORMENTOR_h47-zQ1.tmp	34
PID 2084 wrote to memory of 2040	2084	TORMENTOR_h47-zQ1.tmp	34

C:\Users\Admin\AppData\Local\Temp\TORMENTOR_h47-zQ1.exe
"C:\Users\Admin\AppData\Local\Temp\TORMENTOR_h47-zQ1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\is-RC0KD.tmp\TORMENTOR_h47-zQ1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RC0KD.tmp\TORMENTOR_h47-zQ1.tmp" /SL5="$40026,13566766,780800,C:\Users\Admin\AppData\Local\Temp\TORMENTOR_h47-zQ1.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\qbittorrent.exe "qBittorrent" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\qbittorrent.exe
    "C:\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\qbittorrent.exe" magnet:?xt=urn:btih:5D80A267968A627ACAA7780E52F79E76C7819DC2
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2040

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c85cb1f5f073cb8ea8a8b7d7d429c10

SHA1
cf221bacc83907b52421b90fb84db8df91ba470f

SHA256
54d8b99dee6427b5511e597b9a5740261e60e66036a1525ef4ef3609cf3a2021

SHA512
96d5d84d637bf4a46fbc488892223def408505c7987d6a18da23ec77631862ac2294e4d02511b12cb781992bed9bfba1289b7267861a521e0899e90c5123eaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC0A3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC0C5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\AVG_AV.png

Filesize
51KB

MD5
aee8e80b35dcb3cf2a5733ba99231560

SHA1
7bcf9feb3094b7d79d080597b56a18da5144ca7b

SHA256
35bbd8f390865173d65ba2f38320a04755541a0783e9f825fdb9862f80d97aa9

SHA512
dcd84221571bf809107f7aeaf94bab2f494ea0431b9dadb97feed63074322d1cf0446dbd52429a70186d3ecd631fb409102afcf7e11713e9c1041caacdb8b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\WeatherZero.png

Filesize
29KB

MD5
9ac6287111cb2b272561781786c46cdd

SHA1
6b02f2307ec17d9325523af1d27a6cb386c8f543

SHA256
ab99cdb7d798cb7b7d8517584d546aa4ed54eca1b808de6d076710c8a400c8c4

SHA512
f998a4e0ce14b3898a72e0b8a3f7154fc87d2070badcfa98582e3b570ca83a562d5a0c95f999a4b396619db42ab6269a2bac47702597c5a2c37177441723d837

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent.ini

Filesize
1KB

MD5
3d97fe98a5e7416eb20922436f544f63

SHA1
bd59ee17e8047c0bc2bc558c035554b7f2ac74b6

SHA256
b5a3b21d557ebbc07943694ade684ac396517a28acf12b9660f327e0875a91be

SHA512
2c09617536af9bee46593d55fddd8320962b1edef06b7f063710f88c6876917ed177aa4c4178384ee05b0b9fb4ecf375367afedba11976a7d253237ae8a27f9e

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json

Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\qbittorrent.exe

Filesize
22.8MB

MD5
22a34900ada67ead7e634eb693bd3095

SHA1
2913c78bcaaa6f4ee22b0977be72333d2077191d

SHA256
3cec1e40e8116a35aac6df3da0356864e5d14bc7687c502c7936ee9b7c1b9c58

SHA512
88d90646f047f86adf3d9fc5c04d97649b0e01bac3c973b2477bb0e9a02e97f56665b7ede1800b68edd87115aed6559412c48a79942a8c2a656dfae519e2c36f

Download Submit
\Users\Admin\AppData\Local\Temp\is-E56LI.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
59d3c3a9180ba792ae2dad18b6903cde

SHA1
c8cd105d3a0e99a54d1d16f0d1f60000fa3dca8a

SHA256
dd01edbd4368ef227693723c5e427a48b264cb57bbd07d81210d6e633e0b1b2e

SHA512
d6b6358e5108654931fcb3b7920df65c4ae65d48f9ea012c3f821bb571f821e815d86feab85cd55a8ce767f2f7342a512e55d03ee4041ac0baf4ff13ad238699

Download Submit
\Users\Admin\AppData\Local\Temp\is-RC0KD.tmp\TORMENTOR_h47-zQ1.tmp

Filesize
2.9MB

MD5
49312c19fa9b298ca2ae71e14f07ccf3

SHA1
0150f9d27733ba2d0647da03453e1b1b6535861d

SHA256
74c20b61d428450e2c0b3974381684190d8bbd2aef3d573c86a3a954598319a5

SHA512
a1c4cbca2974277c52b2689a43a6d13f88884e1e8be3b42a1c23e615a226e8d7c0fdca2591ee4e8c39f439cb0ff0bce3898676c95d3addc8d7f0c5000b0ea092

Download Submit
memory/1520-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1520-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1520-143-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1520-166-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2040-176-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2040-159-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2040-160-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2084-153-0x00000000078B0000-0x00000000079F0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-138-0x00000000078B0000-0x00000000079F0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-149-0x00000000078B0000-0x00000000079F0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-164-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2084-8-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2084-145-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2084-144-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2084-142-0x00000000078B0000-0x00000000079F0000-memory.dmp

Filesize
1.2MB

Download