Malware Analysis Report

2024-09-23 04:52

Sample ID 220201-esl41sgeam
Target bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375
SHA256 bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375
Tags qulab discovery evasion ransomware spyware stealer upx persistence
Score 10/10


Analysis Overview

Score 10/10

SHA256 bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375

Threat Level: Known bad

The file bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx persistence

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Sets service image path in registry

Sets file to hidden

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

autoit_exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Views/modifies file attributes

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2022-02-01 04:12

Signatures

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-02-01 04:12
Reported 2022-02-01 04:14
Platform win7-en-20211208
Max time kernel 124s
Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe N/A

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1696 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1696 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1696 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1212 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
PID 1212 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
PID 1212 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
PID 1212 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
PID 1212 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Windows\SysWOW64\attrib.exe
PID 1212 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Windows\SysWOW64\attrib.exe
PID 1212 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Windows\SysWOW64\attrib.exe
PID 1212 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Windows\SysWOW64\attrib.exe
PID 1828 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1828 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1828 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1828 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1828 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1828 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1828 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 1828 wrote to memory of 1640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe

"C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E565156564F414A4B57494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll"

C:\Windows\system32\taskeng.exe

taskeng.exe {61FEE486-0C0A-4344-90E8-36F540E580F6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

Network

Country  Destination            Domain    Proto
US       8.8.8.8:53             ipapi.co  udp
US       104.26.9.44:443        ipapi.co  tcp
RU       185.142.97.228:65233             tcp
RU       185.142.97.228:65233             tcp

Files

memory/1696-54-0x0000000076001000-0x0000000076003000-memory.dmp

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.sqlite3.module.dll

MD5 71000fc34d27d2016846743d1dcce548
SHA1 f75456389b8c0dd0398bb3d58f0b4745d862e1b5
SHA256 bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03
SHA512 d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Information.txt

MD5 232462866c5390687e8a1782600d9aeb
SHA1 d70ea492e8902bc743977e7e0a7adac5c3538b56
SHA256 6bb158dc9b63f4df774008e58ef42c1c2f3a27a18bb1c0bc7cdbcc93a7e15114
SHA512 3cfcf4296ddd2867b1b9e0032bd9b31fdb5861e9e6a84b6fbd1ffd2f7bd4ebf54bf7d41235d7fb9c53f1fb8fff39ca551e1e80f84c4547d858623b9058c583cd

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Screen.jpg

MD5 bf873cec1cb93c6a31153a44f2bd7386
SHA1 dccaa097d5cde6749f7f2ca662e2507e23eb87ff
SHA256 0e171cd72e69623177561d067a75ee3494e541a89e86ee58b578aa8d3ed549a3
SHA512 a4eca46253c31bb920e198bc927280c4823d0222c045719dbf9bc3d0dda19d923cb1f06f0f118020cdf79a3262b07c234ee5989587251b9286a260c7e2015ad6

memory/1212-62-0x0000000002B90000-0x0000000002C30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-02-01 04:12
Reported 2022-02-01 04:15
Platform win10v2004-en-20220112
Max time kernel 137s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe N/A

Sets file to hidden

evasion

Sets service image path in registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3828 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 3828 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 3828 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
PID 3864 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
PID 3864 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
PID 3864 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
PID 3864 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Windows\SysWOW64\attrib.exe
PID 3864 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Windows\SysWOW64\attrib.exe
PID 3864 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe

"C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe a6d6014b81ffc3fc3f59677414348c5f nHwbbKrc90q5AA2t+qJTRQ.0.1.0.0.0

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe

Network

Country  Destination            Domain                           Proto
US       93.184.220.29:80                                        tcp
US       8.8.8.8:53             crl3.digicert.com                udp
US       72.21.91.29:80         crl3.digicert.com                tcp
US       8.8.8.8:53             settings-win.data.microsoft.com  udp
US       52.167.17.97:443       settings-win.data.microsoft.com  tcp
US       8.8.8.8:53             ipapi.co                         udp
US       104.26.9.44:443        ipapi.co                         tcp
US       93.184.220.29:80                                        tcp
US       8.8.8.8:53             crl4.digicert.com                udp
US       93.184.220.29:80       crl4.digicert.com                tcp
US       52.167.17.97:443       settings-win.data.microsoft.com  tcp
US       93.184.220.29:80       crl4.digicert.com                tcp
US       72.21.91.29:80         crl3.digicert.com                tcp
US       104.26.9.44:443        ipapi.co                         tcp
US       52.167.17.97:443       settings-win.data.microsoft.com  tcp
US       52.167.17.97:443       settings-win.data.microsoft.com  tcp
US       52.167.17.97:443       settings-win.data.microsoft.com  tcp
RU       185.142.97.228:65233                                    tcp

Files

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.sqlite3.module.dll

MD5 71000fc34d27d2016846743d1dcce548
SHA1 f75456389b8c0dd0398bb3d58f0b4745d862e1b5
SHA256 bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03
SHA512 d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Information.txt

MD5 9d09216a0d0705b33bfebafdd3e01012
SHA1 cde21318bb356624c56717caf6a0766129799fcd
SHA256 d07f6b0724a93df425bc746e9ca6e38192d9cef79535265510a6bd6036934db7
SHA512 fa3999ffcf2fc2461634c1a4f89f90b462d9717cb66793c4dfbb44acf4a9db216d21ceacd6b132029097fa2cc34dcb0ae8b12e6e14eac6bf8f8b4c10f957359e

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Screen.jpg

MD5 36bcccb7b53848e325dbb30efaca4c28
SHA1 ec28430f7a30913be1910d91b045f0f6bea76c93
SHA256 44bd70109cecbf0dc17f4ea7887b4dd76102b24484c9bb3ffb50e56782f5da41
SHA512 1628e34373205a13c74448f9e7c6504ac1007313d6168b687c436d792fcd7ef785ae8983eea4a24886b35bf7e0275d85690950b6c0c7c9519b239a68ba7b0e2f

memory/3864-136-0x00000000076B0000-0x00000000076B1000-memory.dmp

memory/3864-135-0x0000000007690000-0x0000000007691000-memory.dmp

memory/3864-137-0x00000000076A0000-0x00000000076A1000-memory.dmp

memory/3864-138-0x00000000076C0000-0x00000000076C1000-memory.dmp