Analysis
max time kernel: 91s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-11-2024 03:46
Behavioral tasks
behavioral1: sample utorrent_installer.exe, resource win11-20241007-en
behavioral2: sample $PLUGINSDIR/INetC.dll, resource win11-20241007-en
behavioral3: sample $PLUGINSDIR/System.dll, resource win11-20241023-en
behavioral4: sample $PLUGINSDIR/bt_datachannel.dll, resource win11-20241007-en
behavioral5: sample $PLUGINSDIR/nsDialogs.dll, resource win11-20241007-en
behavioral6: sample $PLUGINSDIR/nsisFirewall.dll, resource win11-20241007-en
General
Target: $PLUGINSDIR/bt_datachannel.dll
Size: 4.1MB
MD5: dfca05beb0d6a31913c04b1314ca8b4a
SHA1: 5fbbccf13325828016446f63d21250c723578841
SHA256: d4c4e05fade7e76f4a2d0c9c58a6b9b82b761d9951ffddd838c381549368e153
SHA512: 858d4fb9d073c51c0ab7a0b896c30e35376678cc12aec189085638376d3cc74c1821495692eac378e4509ef5dcab0e8b950ad5bfab66d2c62ab31bc0a75118cf
SSDEEP: 98304:tGVfiVHfYzUGCz2WLPhbiTIXuVJ6gSi5jrmn3iFUbv:cMVHfUVCz2APAUX0EgSi5jrEbv
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          | pid  | process      | procid_target
  PID 3376 wrote to memory of 4360     | 3376 | rundll32.exe | 79
  PID 3376 wrote to memory of 4360     | 3376 | rundll32.exe | 79
  PID 3376 wrote to memory of 4360     | 3376 | rundll32.exe | 79
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bt_datachannel.dll,#1
   PID: 3376
   signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 3376)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bt_datachannel.dll,#1
      PID: 4360
      signatures: System Location Discovery: System Language Discovery