Overview

overview

10

Static

static

8

f0e9e44c5e...33.exe

windows7_x64

10

f0e9e44c5e...33.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    85s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    18-05-2021 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33.exe

  • Size

    2.7MB

  • MD5

    4db32a31b88adc5bc8148cb870341e22

  • SHA1

    3c2ed928dce81f21baa9461eed865ae8d5235517

  • SHA256

    f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33

  • SHA512

    5eb34d89d94b28789a60f1e57cded29c447d65e197c3c53cbf84362a9fd688441e45023a158844ef98eaf39d2c9fdf0e64f0f8992dcbb164a2284400d7082e83

Score
10/10
qulabdiscoveryevasionransomwarespywarestealerupxvmprotect

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\1\Information.txt

Family

qulab

Ransom Note
# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 19.05.2021, 00:57:27 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: QWOCTUPM - Processor: Persocon Processor 2.5+ - VideoCard: Standard VGA Graphics Adapter - Memory: 0.50 Gb - KeyBoard Layout ID: 00020409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Adobe Reader 9 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 260 - csrss.exe / PID: 332 - wininit.exe / PID: 372 - csrss.exe / PID: 384 - winlogon.exe / PID: 420 - services.exe / PID: 464 - lsass.exe / PID: 480 - lsm.exe / PID: 488 - svchost.exe / PID: 580 - svchost.exe / PID: 664 - svchost.exe / PID: 728 - svchost.exe / PID: 804 - svchost.exe / PID: 844 - svchost.exe / PID: 872 - svchost.exe / PID: 292 - spoolsv.exe / PID: 108 - svchost.exe / PID: 1092 - taskhost.exe / PID: 1104 - dwm.exe / PID: 1180 - explorer.exe / PID: 1212 - WMIADAP.exe / PID: 2024 - svchost.exe / PID: 2028 - sppsvc.exe / PID: 1172 - WmiPrvSE.exe / PID: 688 - / PID: 1780
URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

    stealerqulab
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33.exe
    "C:\Users\Admin\AppData\Local\Temp\f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\ENU_687FE97D0543F71E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\1\*"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1032
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc"
        3⤵
        • Views/modifies file attributes
        PID:916
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc"
        3⤵
        • Views/modifies file attributes
        PID:1704
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc"
        3⤵
        • Views/modifies file attributes
        PID:1120
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc"
        3⤵
        • Views/modifies file attributes
        PID:1576
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3CF6321E-CCCD-4BE9-AFAC-2D4FAADE8A93} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1692
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1120-62-0x0000000077170000-0x0000000077171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-61-0x0000000000A30000-0x0000000000FCD000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1120-60-0x0000000074D91000-0x0000000074D93000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1692-79-0x0000000000A30000-0x0000000000FCD000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1728-91-0x0000000000A30000-0x0000000000FCD000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1780-76-0x00000000766B0000-0x00000000766B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1780-65-0x0000000000A30000-0x0000000000FCD000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1780-88-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1780-87-0x0000000002B40000-0x0000000002B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1780-86-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1780-85-0x0000000001070000-0x0000000001071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1780-69-0x00000000048C0000-0x00000000049E4000-memory.dmp

    Filesize

    1.1MB

    Download