Analysis Overview
SHA256
4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb
Threat Level: Known bad
The file 4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
VMProtect packed file
Sets service image path in registry
Sets file to hidden
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Drops startup file
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Drops file in System32 directory
autoit_exe
Drops file in Windows directory
Enumerates physical storage devices
NTFS ADS
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 05:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 05:00
Reported
2022-02-05 05:03
Platform
win7-en-20211208
Max time kernel
139s
Max time network
121s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Win\Qulab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| N/A | N/A | C:\Win\Predator.exe | N/A |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk | C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| File opened for modification | C:\Win\winmgmts:\localhost\ | C:\Win\Qulab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe
"C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Win\Hide.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Win\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Win"
C:\Win\Qulab.exe
"C:\Win\Qulab.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Win\Predator.exe
"C:\Win\Predator.exe"
C:\Win\Explorer.exe
"C:\Win\Explorer.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\41646D696E565156564F414A4B57494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {E4750376-03F5-469B-B72C-BAF18E760FBE} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | fastcoin.biz | udp |
| US | 99.83.154.118:80 | fastcoin.biz | tcp |
| US | 99.83.154.118:80 | fastcoin.biz | tcp |
| RU | 185.142.97.228:65233 | tcp | |
| RU | 185.142.97.228:65233 | tcp | |
| US | 8.8.8.8:53 | instantcoin.cc | udp |
| N/A | 10.127.1.122:80 | tcp |
Files
memory/1336-54-0x0000000076151000-0x0000000076153000-memory.dmp
C:\Win\Hide.bat
| MD5 | c58e37464168d102dc65923a0899a2f8 |
| SHA1 | 1412757eb2ec89a99c54d9fcffa048c8a106a1e2 |
| SHA256 | 65d773d88db3fe15865eb37e5e4fd6f49c9abdd391710844f8db35154702341e |
| SHA512 | b420aabadf27bc52c590493abb2917c8f632daf0c16a6d67fe438b1b7423ec929638eb18036ec38b4ade555b6f1faecfb8f223ba3e07f2fd6661178bb4f2f7d0 |
C:\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
C:\Win\Predator.exe
| MD5 | 1de8c4150a2684f6951af9f1c4aaf87c |
| SHA1 | ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8 |
| SHA256 | 15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44 |
| SHA512 | 5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e |
C:\Win\Explorer.lnk
| MD5 | b26c1a992e03ff5a77a56e04e63bb9d0 |
| SHA1 | 202fe3c544f2d9a279580bfdbb89b18de6adec1a |
| SHA256 | ddab94d125b7897d817b612d7d9bca0d9a6f7ffbd093aea3aeeeb2c019e73ff8 |
| SHA512 | f264723272e2a3f1bf1fd26eb7074318645718cbb0013d198dbfee06c02e5890f269788f70969d56c9ccd24d514f2d64842c1a01875e0feb716754d5fa2f3a58 |
C:\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
C:\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
\Win\Predator.exe
| MD5 | 1de8c4150a2684f6951af9f1c4aaf87c |
| SHA1 | ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8 |
| SHA256 | 15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44 |
| SHA512 | 5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e |
\Win\Predator.exe
| MD5 | 1de8c4150a2684f6951af9f1c4aaf87c |
| SHA1 | ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8 |
| SHA256 | 15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44 |
| SHA512 | 5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e |
\Win\Predator.exe
| MD5 | 1de8c4150a2684f6951af9f1c4aaf87c |
| SHA1 | ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8 |
| SHA256 | 15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44 |
| SHA512 | 5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e |
C:\Win\Predator.exe
| MD5 | 1de8c4150a2684f6951af9f1c4aaf87c |
| SHA1 | ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8 |
| SHA256 | 15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44 |
| SHA512 | 5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
C:\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\Screen.jpg
| MD5 | 82c2b3f828619b0c8313e3c17cd73d56 |
| SHA1 | eab22ad9544d1e9423abca84de46180d38df9ad4 |
| SHA256 | 0eaa56053a93e7fde29e76acc1fb52ce42f7ca3cbf845bbb1eebb5611c76acb8 |
| SHA512 | 3e3924f49e400df6db7f47a2fc60b5e90f660e33740fc0c21bccbbb0183d794220fc1437833815dcf7f34ed50cb265f9399e05ee7b2fb22c26463b47f2c14d14 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\Information.txt
| MD5 | 0ab42e94ae800ee19a4b87dae9b2c8bc |
| SHA1 | cc10df0e5fedc05511c74365accf99e0967759ce |
| SHA256 | 83aa7810ddac11d518daad93120f957e4dfdc0b9d5d99ca09cfc166a6a21cfce |
| SHA512 | 4a1c2ac32be9a2c8baec303540f3f034a9ee0fd6898abcef84100ad26fa73e7094f33719f32d3d9fad9f38ea54863720d4861582d74f73154f79c3664f55f614 |
memory/1736-90-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1736-89-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1736-91-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1736-92-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1736-93-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1736-94-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1736-96-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1736-97-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1736-99-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/1736-100-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/1736-102-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/1736-103-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/1736-105-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/1736-106-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/1736-107-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/1736-108-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/1736-109-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/1736-110-0x0000000000400000-0x0000000000C37000-memory.dmp
memory/1540-112-0x0000000002D60000-0x0000000002D61000-memory.dmp
memory/1540-113-0x0000000002DC0000-0x0000000002DC1000-memory.dmp
memory/1540-114-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
memory/1540-115-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 05:00
Reported
2022-02-05 05:03
Platform
win10v2004-en-20220112
Max time kernel
158s
Max time network
160s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Win\Qulab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| N/A | N/A | C:\Win\Predator.exe | N/A |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
Sets file to hidden
Sets service image path in registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk | C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4068" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.671785" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132886872868189314" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Win\winmgmts:\localhost\ | C:\Win\Qulab.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
| N/A | N/A | C:\Win\Explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe
"C:\Users\Admin\AppData\Local\Temp\4b3846fe93b8895a294f047d583aa9479b613276c3fe9322a5a5666e78b27adb.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Win\Hide.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Win\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Win"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Win\Qulab.exe
"C:\Win\Qulab.exe"
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe cd8035357de956df0df805827b42e014 jUyafFce4E+YioqOnVdfwg.0.1.0.0.0
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Win\Predator.exe
"C:\Win\Predator.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Win\Explorer.exe
"C:\Win\Explorer.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 104.80.224.57:443 | tcp | |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| NL | 67.26.105.254:80 | tcp | |
| NL | 67.26.105.254:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.179.219.14:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | fastcoin.biz | udp |
| US | 99.83.154.118:80 | fastcoin.biz | tcp |
| US | 99.83.154.118:80 | fastcoin.biz | tcp |
| US | 8.8.8.8:53 | instantcoin.cc | udp |
| N/A | 10.127.0.109:80 | tcp | |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 185.142.97.228:65233 | tcp |
Files
C:\Win\Hide.bat
| MD5 | c58e37464168d102dc65923a0899a2f8 |
| SHA1 | 1412757eb2ec89a99c54d9fcffa048c8a106a1e2 |
| SHA256 | 65d773d88db3fe15865eb37e5e4fd6f49c9abdd391710844f8db35154702341e |
| SHA512 | b420aabadf27bc52c590493abb2917c8f632daf0c16a6d67fe438b1b7423ec929638eb18036ec38b4ade555b6f1faecfb8f223ba3e07f2fd6661178bb4f2f7d0 |
C:\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
C:\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
C:\Win\Predator.exe
| MD5 | 1de8c4150a2684f6951af9f1c4aaf87c |
| SHA1 | ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8 |
| SHA256 | 15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44 |
| SHA512 | 5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e |
C:\Win\Explorer.lnk
| MD5 | b26c1a992e03ff5a77a56e04e63bb9d0 |
| SHA1 | 202fe3c544f2d9a279580bfdbb89b18de6adec1a |
| SHA256 | ddab94d125b7897d817b612d7d9bca0d9a6f7ffbd093aea3aeeeb2c019e73ff8 |
| SHA512 | f264723272e2a3f1bf1fd26eb7074318645718cbb0013d198dbfee06c02e5890f269788f70969d56c9ccd24d514f2d64842c1a01875e0feb716754d5fa2f3a58 |
C:\Win\Qulab.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
C:\Win\Predator.exe
| MD5 | 1de8c4150a2684f6951af9f1c4aaf87c |
| SHA1 | ba7b08fad968f162f3e8ed12a6348c28ab8fd0a8 |
| SHA256 | 15dbb8c8b82dd2f054db05c4a00597d32d20ecae26ca3c69ed8ce03930137c44 |
| SHA512 | 5afb6d78e034e853c6f958137a034e3b752575c512f9a1d4fa60952f2112c6270be5d618a57cd0d104810afdad71809a9871435343b97fd8b59d1c3096c2e83e |
C:\Win\Explorer.exe
| MD5 | 2cd61762eb4c6196c456c33cf98de1f6 |
| SHA1 | a821ab28c1efda473d4668bc21f3feb011f31f67 |
| SHA256 | 942837dd4e4a172053a1d74a6d6fc3779d21843f6075aa830dc082e7ecd6e9eb |
| SHA512 | 44df93b53b1fcb73823fbf8be9f577dcd69e8f45d0aec4f2679729065221c78c46cfc05b8d907bc0bca50cef4c3452a3b767355a3ef40335103ef86ef2d58c9d |
memory/2580-139-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/2580-141-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.exe
| MD5 | e4fa4401f2e90309a8871076361e841f |
| SHA1 | 72138a90020a90b2385e568cd838edf014e6fca5 |
| SHA256 | dcfb6f24db305b188e3e011904520c25daa53f7ea03623e097408f5a96a6a065 |
| SHA512 | dd670f6901b8a0c0e53da55a2a96bdab683e1f0032cee4b7982e039dfccec6613335a408410af833cc209df7ad494b0158cd1403110fca11fea6ccd78eb9e7ee |
memory/2580-142-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
memory/2580-143-0x0000000002880000-0x0000000002881000-memory.dmp
memory/2580-144-0x0000000002890000-0x0000000002891000-memory.dmp
memory/2580-145-0x00000000028A0000-0x00000000028A1000-memory.dmp
memory/2580-146-0x00000000028B0000-0x00000000028B1000-memory.dmp
memory/2580-147-0x0000000000400000-0x0000000000C37000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\MSMPEG2ENC.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\Information.txt
| MD5 | 7d1bd4d861d201cbaa3323da343aaa8b |
| SHA1 | 898a00e62b3149db87b359f71237c75cb5444045 |
| SHA256 | ce67fc1228e92fc1e92c518c7958a414796e3c4c5b956b64a13fe51e889a6e12 |
| SHA512 | 432b9d27f9558b589b3b242ba98d243934f75cf7fa4fa9a182c6ad31c304700d8e9e760e1eb6d90082715895cfd6ae702807f3ec8e70f3d0ec919e78b5bb6a26 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-mccs-syncres.resources\1\Screen.jpg
| MD5 | fa542b8acd1a9363329b5addd71c7d01 |
| SHA1 | dc6f69dd34b61a7fb1f623f78c5671975ee802fa |
| SHA256 | 9f86853f50ab95ddb0dcf0d234bbf285e67f416edabed915ac9464fc11a2eace |
| SHA512 | ce3fcf07e93581a6ccadaaf895adac3666aec7cdf76458903c9e3f890d7ec92a12c46ee1f6b83ca0804a5bfd08c13040b51c400526c95dfe096ec9d67215a55d |
memory/3740-155-0x0000000006F50000-0x0000000006F51000-memory.dmp
memory/3740-154-0x0000000006F30000-0x0000000006F31000-memory.dmp
memory/3740-156-0x0000000006F40000-0x0000000006F41000-memory.dmp
memory/3740-157-0x0000000006F60000-0x0000000006F61000-memory.dmp