Analysis

  • max time kernel: 144s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 16/10/2024, 00:56

General

  • Target: bittorrent_installer.exe
  • Size: 1.8MB
  • MD5: 5ea97449a6e7ccc611061450bbb2b993
  • SHA1: bb2a46a09ef94591057bfacf7728553a72c45205
  • SHA256: 91c1909249d3722496be27e62d6d0f861c73c418e24337e2d0ec9cf46bd1f0b8
  • SHA512: cb005db99a05a0e784fe681f25bafb04502f8b26b171afc0fde28a101454e4dc302f67fedb22212095a72f0b362d0a290bc9617e4bf0d09b1a7bbe4f87075cca
  • SSDEEP: 24576:S7FUDowAyrTVE3U5F4u62G9lm3dApk5RxlBMKUiu3mYx+Ud0C1McxE:SBuZrEU8uYgdA6nlKKUXmYxr9mcm

Score
6/10

Malware Config

Signatures

  • Checks for any installed AV software in registry (1 TTPs, 9 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 12 IoCs)
  • Script User-Agent (2 IoCs)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • [1] C:\Users\Admin\AppData\Local\Temp\bittorrent_installer.exe (PID: 2960)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bittorrent_installer.exe"
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • [2] C:\Users\Admin\AppData\Local\Temp\is-L0VBF.tmp\bittorrent_installer.tmp (PID: 2092, child of 2960)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-L0VBF.tmp\bittorrent_installer.tmp" /SL5="$400F2,894868,871424,C:\Users\Admin\AppData\Local\Temp\bittorrent_installer.exe"
      • Checks for any installed AV software in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 874a993638713203242d5dfe978ac10c
    SHA1: cee8f20c9781692c32cc0da14b7a112c01687883
    SHA256: 5c88a1f6b744a35237c8b56417320589392a601b0414aa4cc10ad07726d74b53
    SHA512: d3df1a3b972d47c7974000ef56554a2387c25135062501f348b0cc37e2537aa712ceb3c0bf620980c36eb70a3a9a48993188a66163212b58c597d8bb36629c5c

  • C:\Users\Admin\AppData\Local\Temp\CabAC96.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarACC8.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\is-A28IH.tmp\107.png
    Filesize: 36KB
    MD5: c0e10a5142865236ee82b96c2a9eb75c
    SHA1: a6ddc9f963bf0f677b418d8d48f5e8430afc09d4
    SHA256: 16b6b70168ea5a2d6d684f379c1d5e88ab9993d9ea0d22f04736f24bc89200cc
    SHA512: 98393660fcf8261a9e084db9900a3dc8894c1b0f564935512a39a2aa14a1a4e2104e86634f4fe10eceac97b0193c77e23434077f4ce66e72a5793c8a8b4dabe8

  • C:\Users\Admin\AppData\Local\Temp\is-A28IH.tmp\108.png
    Filesize: 70KB
    MD5: b582d76d71da0734a777fc8376fd0150
    SHA1: 687de4b5b0844bd720619b39c65f9078ae72e7cf
    SHA256: 1ce2b90c05299026d66af72b8d1fbf4c2abdbcbbd03959b8f05986a48f9034c6
    SHA512: 0d9e2680bcf159446704c82c514320f76af962281dd5e5738c6e56b93c900a43bf2fc5cd5792977ae7bee5ca904774ecd0ff95dab7470901997af4fb6a666053

  • C:\Users\Admin\AppData\Local\Temp\is-A28IH.tmp\109.png
    Filesize: 193KB
    MD5: 7c87614f099c75a0bed6ab01555143dd
    SHA1: 07ab72dc4a1e53e2c62ecccc1221472854d78635
    SHA256: 02335420cb5c2fa33eec48f32706d2353f8b609daaf337458f04a8f98d999a7c
    SHA512: 29b7ce896332ed2a05235645adb963b77920a0a252561684ea9f1f925f69dbcee4685e1b30584c1034a15b7efc18b911902d1ecb41c523cf2552ff23e165bf43

  • \Users\Admin\AppData\Local\Temp\is-L0VBF.tmp\bittorrent_installer.tmp
    Filesize: 3.1MB
    MD5: 723d6f33e0f91eac442bcf67b20ab25d
    SHA1: 83bf5541fd6c08a37c5ed0ab1485e075dff8af26
    SHA256: 8b5d3a86d17b1d0a379c754e37c00b647cc21e4238a20a3424fbf26fc16e15a4
    SHA512: e7f51194559237abcc072e58cc5b19f72b483397a8bb52cf5796be7814880df51ce3963834869cf2838ba3ba1ec3d7ac4c8d655cd2da115c20bcf6d1084cfc89

Memory dumps

  • memory/2092-149-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-159-0x0000000007650000-0x0000000007790000-memory.dmp (Filesize: 1.2MB)
  • memory/2092-148-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-173-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-153-0x0000000007650000-0x0000000007790000-memory.dmp (Filesize: 1.2MB)
  • memory/2092-155-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-171-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-9-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-161-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-169-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2092-165-0x0000000007650000-0x0000000007790000-memory.dmp (Filesize: 1.2MB)
  • memory/2092-167-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
  • memory/2960-0-0x0000000000400000-0x00000000004E2000-memory.dmp (Filesize: 904KB)
  • memory/2960-147-0x0000000000400000-0x00000000004E2000-memory.dmp (Filesize: 904KB)
  • memory/2960-2-0x0000000000401000-0x00000000004B7000-memory.dmp (Filesize: 728KB)