Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15-11-2024 03:46

General

  • Target

    $PLUGINSDIR/utorrent.exe

  • Size

    2.0MB

  • MD5

    b7f8a3909ad963d5b5260dacfa897e6e

  • SHA1

    030ed1e99cb6d681dadca6068caf194bf67580e9

  • SHA256

    8837428a93c7ee46b9772d6c857e109e9baa0f5b28450f87fff7c0e8b87cf017

  • SHA512

    42569e974ef38ddea3300c6d82fd5e371c3cff8bdb04311c6bf3d94727fc37c5ef223ad07198ca2e499528a1671593ea6ef2bf3000611dbda49ca0a0c59c6bb4

  • SSDEEP

    49152:0hdIt0pmLXWbNp5Hy5yTNeA1mrgvEUxfdCVfd6Yi:0hd3pGWRHBtjrxfdYfd6R

Score
7/10

Malware Config

Signatures

  • Identifies Wine through registry keys (2 TTPs, 2 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • UPX packed file (7 IoCs)

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software installed on the system.

  • Executes dropped EXE (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (50 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\utorrent.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\utorrent.exe"
    1⤵
    • Identifies Wine through registry keys
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
      uTorrent.exe /NOINSTALL /BRINGTOFRONT
      2⤵
      • Executes dropped EXE
      PID:1240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

    Filesize

    7KB

    MD5

    49b10fd80e6c83f0493121190c2ae7c1

    SHA1

    1db23123a5cba70235c672ecd3bf7c9459f362df

    SHA256

    50b49e707baf0e2a3e698d9f93b7d8cb56d2272cd7637ed0f43ed6535e850ded

    SHA512

    943f90b6eff55fb79871f6c40e1f04a89c2da3499a1aaaeeeaa2f6d4fa755d1bfd67fcf0fe8a40c23c0d224b2013804d8493a0dc96f7ff9bce4a4932ac9e35e9

  • C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

    Filesize

    8KB

    MD5

    2532be093fef3e466023e7821b5c94b4

    SHA1

    97568b8135a92c0fa50d42dceb458225a873bc03

    SHA256

    e3e0f1bef8d5e3a77d0f221186b658d470e2bee782f67109c90671568eb5aa3d

    SHA512

    0402fffdee809467019a2ad8533dddfd241f02d332509b5efb936aee79fbc155c322e7263eaa268d76897b7906f0489d884861ef49b3ecda4a90a2cb984701c1

  • C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

    Filesize

    170B

    MD5

    566aef8c48d777a66d350e47969d18f7

    SHA1

    e78a32a061df81964d5d69b5fe088e5b57b65dec

    SHA256

    fd7b41a345db2d429d2479c290f478ae24d63fbdcbd79cc5c86b622e2108d259

    SHA512

    413039035b5e570dbbe157a761ed4d3054c0f8e2fe1dda2d463cb4bf0ed588a27492e8ff04f5a8d327f39038c1c841c17d17844715e797037880f52e505c6d2d

  • C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe

    Filesize

    2.0MB

    MD5

    b7f8a3909ad963d5b5260dacfa897e6e

    SHA1

    030ed1e99cb6d681dadca6068caf194bf67580e9

    SHA256

    8837428a93c7ee46b9772d6c857e109e9baa0f5b28450f87fff7c0e8b87cf017

    SHA512

    42569e974ef38ddea3300c6d82fd5e371c3cff8bdb04311c6bf3d94727fc37c5ef223ad07198ca2e499528a1671593ea6ef2bf3000611dbda49ca0a0c59c6bb4

  • memory/1240-45-0x0000000000400000-0x00000000009C3000-memory.dmp

    Filesize

    5.8MB

  • memory/1580-0-0x0000000000400000-0x00000000009C3000-memory.dmp

    Filesize

    5.8MB

  • memory/1580-25-0x0000000000400000-0x00000000009C3000-memory.dmp

    Filesize

    5.8MB

  • memory/1580-26-0x0000000000400000-0x00000000009C3000-memory.dmp

    Filesize

    5.8MB

  • memory/1580-27-0x0000000000400000-0x00000000009C3000-memory.dmp

    Filesize

    5.8MB

  • memory/1580-28-0x0000000000400000-0x00000000009C3000-memory.dmp

    Filesize

    5.8MB

  • memory/1580-44-0x0000000000400000-0x00000000009C3000-memory.dmp

    Filesize

    5.8MB