Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 12:07

General

  • Target

    b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe

  • Size

    2.3MB

  • MD5

    4bb0a120d0b51dae6d3b784ba4c29245

  • SHA1

    e9c76fc16b212fc3c0f23bac20acd13e9a7df656

  • SHA256

    b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6

  • SHA512

    d86b9d53dc0e83390ff6c6f37ebef7431061cc1013b3cdb22e718c5aa46e1a1b9df6ad54eeae0f90a6ed9f16ef0e9101d9fd5a2ffe0552939dd608db3e0bc214

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\Information.txt

Family

qulab

Ransom Note
# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 20.02.2022, 13:08:01 OS: Windows 10 X64 / Build: 19041 UserName: Admin ComputerName: RIBCQUHQ Processor: Intel Core Processor (Broadwell) VideoCard: Microsoft Basic Display Adapter Memory: 2.00 Gb KeyBoard Layout ID: 00000409 Resolution: 1280x720x32, 64 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Google Chrome - Microsoft Edge - Microsoft Edge Update - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Java Auto Updater - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Acrobat Reader DC - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - Registry / PID: 92 - smss.exe / PID: 352 - csrss.exe / PID: 440 - wininit.exe / PID: 532 - csrss.exe / PID: 548 - winlogon.exe / PID: 628 - services.exe / PID: 648 - lsass.exe / PID: 676 - svchost.exe / PID: 796 - fontdrvhost.exe / PID: 804 - fontdrvhost.exe / PID: 808 - svchost.exe / PID: 916 - dwm.exe / PID: 1004 - svchost.exe / PID: 528 - svchost.exe / PID: 696 - svchost.exe / PID: 744 - svchost.exe / PID: 880 - svchost.exe / PID: 1184 - svchost.exe / PID: 1428 - svchost.exe / PID: 1540 - svchost.exe / PID: 1620 - svchost.exe / PID: 1700 - spoolsv.exe / PID: 1724 - svchost.exe / PID: 1764 - svchost.exe / PID: 1844 - svchost.exe / PID: 2028 - OfficeClickToRun.exe / PID: 1368 - svchost.exe / PID: 2212 - sihost.exe / PID: 2324 - svchost.exe / PID: 2344 - taskhostw.exe / PID: 2384 - explorer.exe / PID: 2548 - svchost.exe / PID: 2640 - dllhost.exe / PID: 2836 - StartMenuExperienceHost.exe / PID: 2944 - RuntimeBroker.exe / PID: 3004 - SearchApp.exe / PID: 64 - dllhost.exe / PID: 1436 - RuntimeBroker.exe / PID: 3212 - RuntimeBroker.exe / PID: 3520 - svchost.exe / PID: 4008 - sppsvc.exe / PID: 3620 - SppExtComObj.Exe / PID: 2368 - RuntimeBroker.exe / PID: 3668 - svchost.exe / PID: 1880 - svchost.exe / PID: 3808 - WMIADAP.exe / PID: 3060 - WmiPrvSE.exe / PID: 3104 - upfc.exe / PID: 2952 - MusNotification.exe / PID: 1404 - backgroundTaskHost.exe / PID: 368 - svchost.exe / PID: 2956 - backgroundTaskHost.exe / PID: 2000 - MoUsoCoreWorker.exe / PID: 4032 - backgroundTaskHost.exe / PID: 1452 - NlsLexicons001d.exe / PID: 3088 - MusNotificationUx.exe / PID: 3372 - BackgroundTransferHost.exe / PID: 3852
URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 50 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe
    "C:\Users\Admin\AppData\Local\Temp\b45e734ae4ddc52234ca1bde5781834ed3f04e1ce2a2c0e09c8720360e1102a6.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
      2⤵
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\1\*"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1888
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources"
        3⤵
        • Views/modifies file attributes
        PID:2044
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:1448
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3788
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2968
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
    1⤵
    • Drops file in System32 directory
    PID:884
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-font-fms.resources\NlsLexicons001d.exe
    1⤵
    • Drops file in System32 directory
    PID:224

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3088-136-0x00000000073D0000-0x00000000073D1000-memory.dmp

    Filesize

    4KB

  • memory/3088-135-0x00000000073B0000-0x00000000073B1000-memory.dmp

    Filesize

    4KB

  • memory/3088-137-0x00000000073C0000-0x00000000073C1000-memory.dmp

    Filesize

    4KB

  • memory/3088-138-0x00000000073E0000-0x00000000073E1000-memory.dmp

    Filesize

    4KB