Analysis
-
max time kernel
144s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 04:18
General
-
Target
Device/HarddiskVolume5/USERS/Administrator/AppData/Local/Temp/HYDF2AB.tmp.1644086939_permissionsCopy/updates/3.5.5_46010.exe
-
Size
2.0MB
-
MD5
3dffcaaffa5b777a02aa531f5bad41e7
-
SHA1
70afb27f75f612710181e0069a1d59690e1528db
-
SHA256
e30d28b6fe4eea1e4d7390897897f6beecb5c805bba810c5b1119e48272947f6
-
SHA512
5bb726fbc57b6b831084d6f58c949a878df2ea39fff9c2bd0df209bebad90c98a4cfb2290b89440313641f51c9fdfa171fe05f58599f839629bac17cb2faa299
-
SSDEEP
24576:Gebxzp1tSXaXpzKCIUSKZl7fBlX9mlln2OCehr/kYoFlUo5SEFW31alR1AEdxWmU:xbf10asOltltckTe96m3ETxW21nuxC
Malware Config
Signatures
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\USERS\Administrator\AppData\Local\Temp\HYDF2AB.tmp.1644086939_permissionsCopy\updates\3.5.5_46010.exe"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\USERS\Administrator\AppData\Local\Temp\HYDF2AB.tmp.1644086939_permissionsCopy\updates\3.5.5_46010.exe"1⤵
- Identifies Wine through registry keys
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\USERS\Administrator\AppData\Local\Temp\HYDF2AB.tmp.1644086939_permissionsCopy\updates\3.5.5_46010.exe" /LOG "C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\index.hta.log" /PID "940" /CID "SZnCQqIQopUY_B-y" /VERSION "111915962" /BUCKET "0" /SSB "2" /COUNTRY "US" /OS "10.0" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe,\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\"" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-3558294865-3673844354-2255444939-1000" /CLIENT "utorrent"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 4883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 604 -ip 6041⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\images\main_utorrent.icoFilesize
104KB
MD544d122c9473107fc36412de81418c84a
SHA1a0072c789a9cd50ba561683c69af8602927cf4a8
SHA2567c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680
SHA512b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067
-
C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\index.htaFilesize
522B
MD576903930c0ade2285f1ab1bf54be660d
SHA10fdd5990ca58cf6c49985ffd2075baa09cd728ce
SHA25661acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e
SHA512c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71
-
C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\install.1719807530.zipFilesize
761KB
MD5a65ca84bf2c878f87206ff596142b062
SHA18998ef455e40d8d1d0d903369ac832a7afd7fc1e
SHA25668e37eed2e04830fce9f735d8a2ecebb19a651394f5d590581370ac5d7754d90
SHA512bb87190b55a2192b0c3dfaecc26b5e144ffc021fe45e70baf48788ea687511cf53b5851d79b95b85841257293271e2eaab3cdc0ff0bea401127d9172e5d75ae2
-
C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\scripts\common.jsFilesize
354KB
MD5294704ab62d0810ce15a39d08c8b1bf4
SHA19eb74fbb3eb81e6312c94ec4e3e84792e1a0aa68
SHA256f6332951011366de16da034680ca2eaf06d28171aa094ed42af649823b045bdd
SHA512a622b8109a5b09961dd18761abeb701b3a2956967a8373e1ea3e4648a5a0d7427f37b7d0f0e3635aad452f43d0754d30ddeeac5def88a554ad655f174d60faff
-
C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\scripts\initialize.jsFilesize
1005B
MD52a65c76b51a2c15eebeefa662d511af9
SHA13c5f93d39fdd573e43c7a451836d425bc1b07a5d
SHA25631fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06
SHA51285b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed
-
C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\scripts\install.jsFilesize
6KB
MD5ade3e833add95bf0f5f1619bf816d893
SHA148df3ae9a43c6d8783dab68ec423a9ff8ab25c04
SHA256bbbf5859eb80eda10d42aee0557256d161768f1db7648f65a12444fc40fb8f1d
SHA5128ed6005f9801ad5e7108ca698f65f7e31ecd842ca3fc9c1086f9cd247896b2ed59c8d5aaf62ad33e96e67837757814510ce058b5ce1cbdec461453799f9abf26
-
C:\Users\Admin\AppData\Local\Temp\HYD43D0.tmp.1719807530\HTA\styles\common.cssFilesize
99KB
MD58a94d780401556cceabf35058bbd4b5a
SHA119ee91b1629f4ccf0fca1f664405a1eee9dacc5a
SHA256086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa
SHA512b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182
-
C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.oldFilesize
7KB
MD57bd7214239ab60de9b9f6c144db607af
SHA166a7d4cff90a0e8e8209516aad5ba06541cf724f
SHA25688fab8a7bb1a32b5652071aa62f29016d63879feb73665cddb6118dc8f8f5eaa
SHA512f5097bb1c5bf49e78bef73d460ba458c042020a1d60fddf216c8e9887076de96673961d495eabf5bdebfe355565e6a07dcf796c095a0d43af4445895a8974403
-
C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.newFilesize
170B
MD58e0af01b3e49f4d5913cae9395e8865b
SHA1d456f383735ef8389e4800a337a5950d4207b1ae
SHA2565ce1812fc3a6255d0b2242bd42bb3903f175b86fb345344c297a4e49ce509d2e
SHA512ab23da87de7690eea211d42d8f13f6eee784fe88f6b363e9d06082df95e8c09761ea4550229a8957515a734ec778ac587a42f116d1c07f1ee0a477eb0db3d77f
-
memory/940-91-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-89-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-90-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-0-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-92-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-93-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-94-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-95-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-96-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-97-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-98-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-99-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-100-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-101-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB
-
memory/940-102-0x0000000000400000-0x000000000097A000-memory.dmpFilesize
5.5MB