qulab | 4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-02-2022 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe
Size

7.1MB
MD5

09526cb4b6f6e38ec5b312bc4f055672
SHA1

d509e3913d93e712be39e1df09245f1a9e3f5825
SHA256

4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb
SHA512

0371b7bac83bc59fce4286292a65d905799833ec7e5195695aa140d4ae44682b6e0136944a331150ed17b1b7d92ea0ac36f0ff2962800485439813007c369d87

Score

10^/10

qulab discovery evasion persistence ransomware spyware stealer upx vmprotect

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 05.02.2022, 06:02:29 OS: Windows 10 X64 / Build: 19041 UserName: Admin ComputerName: RIBCQUHQ Processor: Intel Core Processor (Broadwell) VideoCard: Microsoft Basic Display Adapter Memory: 2.00 Gb KeyBoard Layout ID: 00000409 Resolution: 1280x720x32, 64 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Crypto-Bot 5.0.0.8 - Google Chrome - Microsoft Edge - Microsoft Edge Update - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Java Auto Updater - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Acrobat Reader DC - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - Registry / PID: 92 - smss.exe / PID: 356 - csrss.exe / PID: 444 - wininit.exe / PID: 520 - csrss.exe / PID: 528 - winlogon.exe / PID: 616 - services.exe / PID: 656 - lsass.exe / PID: 668 - svchost.exe / PID: 784 - fontdrvhost.exe / PID: 792 - fontdrvhost.exe / PID: 796 - svchost.exe / PID: 912 - dwm.exe / PID: 996 - svchost.exe / PID: 408 - svchost.exe / PID: 684 - svchost.exe / PID: 732 - svchost.exe / PID: 1032 - svchost.exe / PID: 1172 - svchost.exe / PID: 1356 - svchost.exe / PID: 1460 - svchost.exe / PID: 1528 - spoolsv.exe / PID: 1656 - svchost.exe / PID: 1680 - svchost.exe / PID: 1764 - svchost.exe / PID: 1780 - svchost.exe / PID: 2008 - OfficeClickToRun.exe / PID: 1280 - svchost.exe / PID: 2164 - sihost.exe / PID: 2220 - svchost.exe / PID: 2236 - taskhostw.exe / PID: 2284 - explorer.exe / PID: 2440 - svchost.exe / PID: 2536 - dllhost.exe / PID: 2744 - dllhost.exe / PID: 2848 - StartMenuExperienceHost.exe / PID: 2936 - RuntimeBroker.exe / PID: 2996 - SearchApp.exe / PID: 3068 - RuntimeBroker.exe / PID: 2776 - RuntimeBroker.exe / PID: 3300 - MoUsoCoreWorker.exe / PID: 3852 - sppsvc.exe / PID: 3636 - svchost.exe / PID: 3024 - SppExtComObj.Exe / PID: 392 - svchost.exe / PID: 4060 - svchost.exe / PID: 1836 - RuntimeBroker.exe / PID: 3396 - svchost.exe / PID: 3140 - 4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe / PID: 3468 - WmiPrvSE.exe / PID: 2120 - WmiPrvSE.exe / PID: 1252 - svchost.exe / PID: 3672 - Explorer.exe / PID: 2580 - MSMPEG2ENC.exe / PID: 3740

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll	acprotect
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll	acprotect

Executes dropped EXE 6 IoCs

Processes:

Qulab.exeMSMPEG2ENC.exePredator.exeExplorer.exeMSMPEG2ENC.exeMSMPEG2ENC.module.exe

pid process

2196 Qulab.exe
1652 MSMPEG2ENC.exe
2136 Predator.exe
2580 Explorer.exe
3740 MSMPEG2ENC.exe
2544 MSMPEG2ENC.module.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2196	Qulab.exe
1652	MSMPEG2ENC.exe
2136	Predator.exe
2580	Explorer.exe
3740	MSMPEG2ENC.exe
2544	MSMPEG2ENC.module.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Win\Explorer.exe	vmprotect
C:\Win\Explorer.exe	vmprotect
behavioral2/memory/2580-147-0x0000000000400000-0x0000000000C37000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe

Drops startup file 1 IoCs

Processes:

4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe

Loads dropped DLL 2 IoCs

Processes:

MSMPEG2ENC.exe

pid process

3740 MSMPEG2ENC.exe
3740 MSMPEG2ENC.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

55 ipapi.co
56 ipapi.co
Drops file in System32 directory 1 IoCs

Processes:

MSMPEG2ENC.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ MSMPEG2ENC.exe

pid	process
3740	MSMPEG2ENC.exe
3740	MSMPEG2ENC.exe

flow	ioc
55	ipapi.co
56	ipapi.co

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	MSMPEG2ENC.exe

autoit_exe 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Win\Qulab.exe	autoit_exe
C:\Win\Qulab.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe	autoit_exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exeWaaSMedicAgent.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4068"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.671785"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132886872868189314"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe

Modifies registry class 1 IoCs

Processes:

4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe

NTFS ADS 2 IoCs

Processes:

Qulab.exeMSMPEG2ENC.exe

description	ioc	process
File opened for modification	C:\Win\winmgmts:\localhost\	Qulab.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\winmgmts:\localhost\	MSMPEG2ENC.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Explorer.exeMSMPEG2ENC.exe

pid process

2580 Explorer.exe
2580 Explorer.exe
2580 Explorer.exe
2580 Explorer.exe
3740 MSMPEG2ENC.exe
3740 MSMPEG2ENC.exe

pid	process
2580	Explorer.exe
2580	Explorer.exe
2580	Explorer.exe
2580	Explorer.exe
3740	MSMPEG2ENC.exe
3740	MSMPEG2ENC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MSMPEG2ENC.module.exe

description	pid	process
Token: SeRestorePrivilege	2544	MSMPEG2ENC.module.exe
Token: 35	2544	MSMPEG2ENC.module.exe
Token: SeSecurityPrivilege	2544	MSMPEG2ENC.module.exe
Token: SeSecurityPrivilege	2544	MSMPEG2ENC.module.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.execmd.exeQulab.exeMSMPEG2ENC.exe

description	pid	process	target process
PID 3468 wrote to memory of 3932	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	cmd.exe
PID 3468 wrote to memory of 3932	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	cmd.exe
PID 3468 wrote to memory of 3932	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	cmd.exe
PID 3932 wrote to memory of 3400	3932	cmd.exe	attrib.exe
PID 3932 wrote to memory of 3400	3932	cmd.exe	attrib.exe
PID 3932 wrote to memory of 3400	3932	cmd.exe	attrib.exe
PID 3932 wrote to memory of 2468	3932	cmd.exe	attrib.exe
PID 3932 wrote to memory of 2468	3932	cmd.exe	attrib.exe
PID 3932 wrote to memory of 2468	3932	cmd.exe	attrib.exe
PID 3468 wrote to memory of 2196	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Qulab.exe
PID 3468 wrote to memory of 2196	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Qulab.exe
PID 3468 wrote to memory of 2196	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Qulab.exe
PID 2196 wrote to memory of 1652	2196	Qulab.exe	MSMPEG2ENC.exe
PID 2196 wrote to memory of 1652	2196	Qulab.exe	MSMPEG2ENC.exe
PID 2196 wrote to memory of 1652	2196	Qulab.exe	MSMPEG2ENC.exe
PID 3468 wrote to memory of 2136	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Predator.exe
PID 3468 wrote to memory of 2136	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Predator.exe
PID 3468 wrote to memory of 2136	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Predator.exe
PID 3468 wrote to memory of 2580	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Explorer.exe
PID 3468 wrote to memory of 2580	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Explorer.exe
PID 3468 wrote to memory of 2580	3468	4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe	Explorer.exe
PID 3740 wrote to memory of 2544	3740	MSMPEG2ENC.exe	MSMPEG2ENC.module.exe
PID 3740 wrote to memory of 2544	3740	MSMPEG2ENC.exe	MSMPEG2ENC.module.exe
PID 3740 wrote to memory of 2544	3740	MSMPEG2ENC.exe	MSMPEG2ENC.module.exe
PID 3740 wrote to memory of 3112	3740	MSMPEG2ENC.exe	attrib.exe
PID 3740 wrote to memory of 3112	3740	MSMPEG2ENC.exe	attrib.exe
PID 3740 wrote to memory of 3112	3740	MSMPEG2ENC.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

3400 attrib.exe
2468 attrib.exe
3112 attrib.exe

pid	process
3400	attrib.exe
2468	attrib.exe
3112	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe
"C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Win\Hide.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Win\*.*"
    3⤵
    - Views/modifies file attributes
    PID:3400
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Win"
    3⤵
    - Views/modifies file attributes
    PID:2468
- C:\Win\Qulab.exe
  "C:\Win\Qulab.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    PID:1652
- C:\Win\Predator.exe
  "C:\Win\Predator.exe"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Win\Explorer.exe
  "C:\Win\Explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2580

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1620

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe cd8035357de956df0df805827b42e014 jUyafFce4E+YioqOnVdfwg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:2332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3672

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\*"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources"
  2⤵
  - Views/modifies file attributes
  PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\Information.txt

MD5
7d1bd4d861d201cbaa3323da343aaa8b

SHA1
898a00e62b3149db87b359f71237c75cb5444045

SHA256
ce67fc1228e92fc1e92c518c7958a414796e3c4c5b956b64a13fe51e889a6e12

SHA512
432b9d27f9558b589b3b242ba98d243934f75cf7fa4fa9a182c6ad31c304700d8e9e760e1eb6d90082715895cfd6ae702807f3ec8e70f3d0ec919e78b5bb6a26

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\Screen.jpg

MD5
fa542b8acd1a9363329b5addd71c7d01

SHA1
dc6f69dd34b61a7fb1f623f78c5671975ee802fa

SHA256
9f86853f50ab95ddb0dcf0d234bbf285e67f416edabed915ac9464fc11a2eace

SHA512
ce3fcf07e93581a6ccadaaf895adac3666aec7cdf76458903c9e3f890d7ec92a12c46ee1f6b83ca0804a5bfd08c13040b51c400526c95dfe096ec9d67215a55d

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe

MD5
e4fa4401f2e90309a8871076361e841f

SHA1
72138a90020a90b2385e568cd838edf014e6fca5

SHA256
dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065

SHA512
dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe

MD5
e4fa4401f2e90309a8871076361e841f

SHA1
72138a90020a90b2385e568cd838edf014e6fca5

SHA256
dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065

SHA512
dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe

MD5
965119091c292c96af5011f40dae87a5

SHA1
85708f7bab07528f1b6e9dfbf64648189a513043

SHA256
1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b

SHA512
244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll

MD5
71000fc34d27d2016846743d1dcce548

SHA1
f75456389b8c0dd0398bb3d58f0b4745d862e1b5

SHA256
bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03

SHA512
d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll

MD5
71000fc34d27d2016846743d1dcce548

SHA1
f75456389b8c0dd0398bb3d58f0b4745d862e1b5

SHA256
bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03

SHA512
d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

Download Submit
C:\Win\Explorer.exe

MD5
2cd61762eb4c6196c456c33cf98de1f6

SHA1
a821ab28c1efda473d4668bc21f3feb011f31f67

SHA256
942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb

SHA512
44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d

Download Submit
C:\Win\Explorer.exe

MD5
2cd61762eb4c6196c456c33cf98de1f6

SHA1
a821ab28c1efda473d4668bc21f3feb011f31f67

SHA256
942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb

SHA512
44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d

Download Submit
C:\Win\Explorer.lnk

MD5
b26c1a992e03ff5a77a56e04e63bb9d0

SHA1
202fe3c544f2d9a279580bfdbb89b18de6adec1a

SHA256
ddab94d125b7897d817b612d7d9bca0d9a6f7ffbd093aea3aeeeb2c019e73ff8

SHA512
f264723272e2a3f1bf1fd26eb7074318645718cbb0013d198dbfee06c02e5890f269788f70969d56c9ccd24d514f2d64842c1a01875e0feb716754d5fa2f3a58

Download Submit
C:\Win\Hide.bat

MD5
c58e37464168d102dc65923a0899a2f8

SHA1
1412757eb2ec89a99c54d9fcffa048c8a106a1e2

SHA256
65d773d88db3fe15865eb37e5e4fd6f49c9abdd391710844f8db35154702341e

SHA512
b420aabadf27bc52c590493abb2917c8f632daf0c16a6d67fe438b1b7423ec929638eb18036ec38b4ade555b6f1faecfb8f223ba3e07f2fd6661178bb4f2f7d0

Download Submit
C:\Win\Predator.exe

MD5
1de8c4150a2684f6951af9f1c4aaf87c

SHA1
ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8

SHA256
15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44

SHA512
5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e

Download Submit
C:\Win\Predator.exe

MD5
1de8c4150a2684f6951af9f1c4aaf87c

SHA1
ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8

SHA256
15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44

SHA512
5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e

Download Submit
C:\Win\Qulab.exe

MD5
e4fa4401f2e90309a8871076361e841f

SHA1
72138a90020a90b2385e568cd838edf014e6fca5

SHA256
dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065

SHA512
dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee

Download Submit
C:\Win\Qulab.exe

MD5
e4fa4401f2e90309a8871076361e841f

SHA1
72138a90020a90b2385e568cd838edf014e6fca5

SHA256
dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065

SHA512
dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee

Download Submit
memory/2580-141-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2580-146-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2580-147-0x0000000000400000-0x0000000000C37000-memory.dmp

Filesize
8.2MB

Download
memory/2580-143-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2580-142-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2580-144-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2580-145-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2580-139-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3740-155-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/3740-154-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/3740-156-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/3740-157-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download