Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 15-11-2024 03:46
Behavioral tasks

Task | Sample | Resource
behavioral1 | utorrent_installer.exe | win11-20241007-en
behavioral2 | $PLUGINSDIR/INetC.dll | win11-20241007-en
behavioral3 | $PLUGINSDIR/System.dll | win11-20241023-en
behavioral4 | $PLUGINSDIR/bt_datachannel.dll | win11-20241007-en
behavioral5 | $PLUGINSDIR/nsDialogs.dll | win11-20241007-en
behavioral6 | $PLUGINSDIR/nsisFirewall.dll | win11-20241007-en
General
- Target: $PLUGINSDIR/utorrent.exe
- Size: 2.0MB
- MD5: b7f8a3909ad963d5b5260dacfa897e6e
- SHA1: 030ed1e99cb6d681dadca6068caf194bf67580e9
- SHA256: 8837428a93c7ee46b9772d6c857e109e9baa0f5b28450f87fff7c0e8b87cf017
- SHA512: 42569e974ef38ddea3300c6d82fd5e371c3cff8bdb04311c6bf3d94727fc37c5ef223ad07198ca2e499528a1671593ea6ef2bf3000611dbda49ca0a0c59c6bb4
- SSDEEP: 49152:0hdIt0pmLXWbNp5Hy5yTNeA1mrgvEUxfdCVfd6Yi:0hd3pGWRHBtjrxfdYfd6R
Signatures
-
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Wine | utorrent.exe
Key opened | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Wine | utorrent.exe
-
resource | yara_rule
behavioral7/memory/1580-0-0x0000000000400000-0x00000000009C3000-memory.dmp | upx
behavioral7/memory/1580-25-0x0000000000400000-0x00000000009C3000-memory.dmp | upx
behavioral7/memory/1580-26-0x0000000000400000-0x00000000009C3000-memory.dmp | upx
behavioral7/memory/1580-27-0x0000000000400000-0x00000000009C3000-memory.dmp | upx
behavioral7/memory/1580-28-0x0000000000400000-0x00000000009C3000-memory.dmp | upx
behavioral7/files/0x001900000002abdb-42.dat | upx
behavioral7/memory/1580-44-0x0000000000400000-0x00000000009C3000-memory.dmp | upx
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Executes dropped EXE (1 IoCs)

pid | Process
1240 | uTorrent.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | utorrent.exe
-
Modifies registry class (50 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-appinst | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\Content Type\ = "application/x-bittorrent" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btinstall | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btinstall\Content Type = "application/x-bittorrent-appinst" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\uTorrent.exe\shell | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btapp | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\DefaultIcon | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\" /SHELLASSOC" | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey" | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\uTorrent.exe\shell\ = "open" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\shell | utorrent.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-skin | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btinstall\ = "uTorrent" | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-appinst\Extension = ".btinstall" | utorrent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btsearch\OpenWithProgids | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btsearch | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\shell\open | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btskin | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\uTorrent.exe\shell\open | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\Content Type | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btskin\Content Type = "application/x-bittorrent-skin" | utorrent.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btkey\Content Type = "application/x-bittorrent-key" | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\uTorrent.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\" /SHELLASSOC" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\FalconBetaAccount | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btapp\ = "uTorrent" | utorrent.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\shell\open\command | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btskin\ = "uTorrent" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\uTorrent.exe\shell\open\command | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\maindoc.ico" | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btapp\Content Type = "application/x-bittorrent-app" | utorrent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst\Extension = ".btinstall" | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btsearch\OpenWithProgids\uTorrent | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\uTorrent.exe | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp" | utorrent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\uTorrent\shell\ = "open" | utorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btkey | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\.btkey\ = "uTorrent" | utorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\FalconBetaAccount\remote_access_client_id = "1112994294" | utorrent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp" | utorrent.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
1580 | utorrent.exe
1580 | utorrent.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)

description | pid | Process
Token: SeManageVolumePrivilege | 1580 | utorrent.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)

description | pid | Process | procid_target
PID 1580 wrote to memory of 1240 | 1580 | utorrent.exe | 81
PID 1580 wrote to memory of 1240 | 1580 | utorrent.exe | 81
PID 1580 wrote to memory of 1240 | 1580 | utorrent.exe | 81
Processes
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\utorrent.exe (PID 1580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\utorrent.exe"
  - Identifies Wine through registry keys
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe (PID 1240, child of PID 1580)
    Command line: uTorrent.exe /NOINSTALL /BRINGTOFRONT
    - Executes dropped EXE
Downloads
-
Filesize: 7KB
MD5: 49b10fd80e6c83f0493121190c2ae7c1
SHA1: 1db23123a5cba70235c672ecd3bf7c9459f362df
SHA256: 50b49e707baf0e2a3e698d9f93b7d8cb56d2272cd7637ed0f43ed6535e850ded
SHA512: 943f90b6eff55fb79871f6c40e1f04a89c2da3499a1aaaeeeaa2f6d4fa755d1bfd67fcf0fe8a40c23c0d224b2013804d8493a0dc96f7ff9bce4a4932ac9e35e9
-
Filesize: 8KB
MD5: 2532be093fef3e466023e7821b5c94b4
SHA1: 97568b8135a92c0fa50d42dceb458225a873bc03
SHA256: e3e0f1bef8d5e3a77d0f221186b658d470e2bee782f67109c90671568eb5aa3d
SHA512: 0402fffdee809467019a2ad8533dddfd241f02d332509b5efb936aee79fbc155c322e7263eaa268d76897b7906f0489d884861ef49b3ecda4a90a2cb984701c1
-
Filesize: 170B
MD5: 566aef8c48d777a66d350e47969d18f7
SHA1: e78a32a061df81964d5d69b5fe088e5b57b65dec
SHA256: fd7b41a345db2d429d2479c290f478ae24d63fbdcbd79cc5c86b622e2108d259
SHA512: 413039035b5e570dbbe157a761ed4d3054c0f8e2fe1dda2d463cb4bf0ed588a27492e8ff04f5a8d327f39038c1c841c17d17844715e797037880f52e505c6d2d
-
Filesize: 2.0MB
MD5: b7f8a3909ad963d5b5260dacfa897e6e
SHA1: 030ed1e99cb6d681dadca6068caf194bf67580e9
SHA256: 8837428a93c7ee46b9772d6c857e109e9baa0f5b28450f87fff7c0e8b87cf017
SHA512: 42569e974ef38ddea3300c6d82fd5e371c3cff8bdb04311c6bf3d94727fc37c5ef223ad07198ca2e499528a1671593ea6ef2bf3000611dbda49ca0a0c59c6bb4