Analysis Overview
SHA256
0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de
Threat Level: Known bad
The file 0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Sets file to hidden
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-20 17:20
Signatures
AutoIT Executable
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-20 17:20
Reported
2022-04-20 18:39
Platform
win7-20220414-en
Max time kernel
123s
Max time network
149s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Sets file to hidden
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe
"C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe"
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe
"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe"
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe
"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\ENU_687FE9762211651E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {49F0B25E-F28A-4E56-A5C6-A835411F3EB4} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 45.89.19.14:11928 | api.telegram.org | tcp |
| RU | 45.89.19.14:11928 | api.telegram.org | tcp |
Files
memory/1152-54-0x00000000763E1000-0x00000000763E3000-memory.dmp
\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe
| MD5 | faaff4148db8cda4068234f5d5110c60 |
| SHA1 | b744ae0ee7f3cfeb762a4c9ea4b72f1f092fe391 |
| SHA256 | 58304b1ed9a66d44938f1e04767d1219194693bc918750388f259b1d0d251dc1 |
| SHA512 | 1956bad6e775b08fab06358225b5cb027ec3bcf35fa304c7e9dbcfcefe55b887a0dc95db24d6655eb299d6abb6740d64f36912683549c951d73836e4e63a18f0 |
memory/908-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe
| MD5 | faaff4148db8cda4068234f5d5110c60 |
| SHA1 | b744ae0ee7f3cfeb762a4c9ea4b72f1f092fe391 |
| SHA256 | 58304b1ed9a66d44938f1e04767d1219194693bc918750388f259b1d0d251dc1 |
| SHA512 | 1956bad6e775b08fab06358225b5cb027ec3bcf35fa304c7e9dbcfcefe55b887a0dc95db24d6655eb299d6abb6740d64f36912683549c951d73836e4e63a18f0 |
\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe
| MD5 | 7365da47139d60ed7f1d62dea77c171a |
| SHA1 | 313fcb1fcbb739485cc19d615ef34bf831ce3e30 |
| SHA256 | ec14c3a309b77db9ce3ddeefdc9c76eca8ff06d6931cbc2a50728b1082d631c1 |
| SHA512 | 5047f7d8dd2b70483c827165f25711f0228f9332781117e7b4a7c481424544a42f870d642904c36e6a116e22820ee15ad9f4e1c1d4545a8c02fba0b5489d3543 |
memory/1172-67-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe
| MD5 | 7365da47139d60ed7f1d62dea77c171a |
| SHA1 | 313fcb1fcbb739485cc19d615ef34bf831ce3e30 |
| SHA256 | ec14c3a309b77db9ce3ddeefdc9c76eca8ff06d6931cbc2a50728b1082d631c1 |
| SHA512 | 5047f7d8dd2b70483c827165f25711f0228f9332781117e7b4a7c481424544a42f870d642904c36e6a116e22820ee15ad9f4e1c1d4545a8c02fba0b5489d3543 |
memory/1292-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
| MD5 | 7365da47139d60ed7f1d62dea77c171a |
| SHA1 | 313fcb1fcbb739485cc19d615ef34bf831ce3e30 |
| SHA256 | ec14c3a309b77db9ce3ddeefdc9c76eca8ff06d6931cbc2a50728b1082d631c1 |
| SHA512 | 5047f7d8dd2b70483c827165f25711f0228f9332781117e7b4a7c481424544a42f870d642904c36e6a116e22820ee15ad9f4e1c1d4545a8c02fba0b5489d3543 |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1912-78-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\Information.txt
| MD5 | cc9b3f0f5a1d2c4045b118447d31b2d5 |
| SHA1 | 1dfac38c130df965b1c5642db0c9481fb8a22a6f |
| SHA256 | 09144e91efe5489145988c90a97faaff176879a3a510ea2618e520437c4baff5 |
| SHA512 | 9c13030ec9d157b2205b00f72bd02fdd2074e26840bc111d7ca53e79b62937e3824a4305f070251e37f8c30eadbd9d7c0b226fda283c83c2a01e36ab2cb91660 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\Screen.jpg
| MD5 | fbd94028aca4b7e82a93b0dfebae7fa9 |
| SHA1 | f5c8202d0201eda3e1744f83cd4ddad5d9c183be |
| SHA256 | 0f3e2a046349a353cf0debb01588201bc92ce2222c5d4318fdeb630958965137 |
| SHA512 | 31483795ca8912d84cb6b2353db5a1e23029f98c1881001b7efc8693776d6a57efad6e19295e80ec035bf957241745c75ad0f880f5f5b0780ab43539e06c3c19 |
memory/1640-82-0x0000000000000000-mapping.dmp
memory/1276-83-0x0000000000000000-mapping.dmp
memory/872-86-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-20 17:20
Reported
2022-04-20 18:39
Platform
win10v2004-20220414-en
Max time kernel
98s
Max time network
150s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Sets file to hidden
UPX packed file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe
"C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe"
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe
"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe"
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe
"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.109.88.36:443 | | tcp |
| US | 52.242.97.97:443 | | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| RU | 45.89.19.14:11928 | api.telegram.org | tcp |
| US | 20.42.65.85:443 | | tcp |
| RU | 45.89.19.14:11928 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.253.208.112:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
Files
memory/4788-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe
| MD5 | faaff4148db8cda4068234f5d5110c60 |
| SHA1 | b744ae0ee7f3cfeb762a4c9ea4b72f1f092fe391 |
| SHA256 | 58304b1ed9a66d44938f1e04767d1219194693bc918750388f259b1d0d251dc1 |
| SHA512 | 1956bad6e775b08fab06358225b5cb027ec3bcf35fa304c7e9dbcfcefe55b887a0dc95db24d6655eb299d6abb6740d64f36912683549c951d73836e4e63a18f0 |
memory/2980-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe
| MD5 | 7365da47139d60ed7f1d62dea77c171a |
| SHA1 | 313fcb1fcbb739485cc19d615ef34bf831ce3e30 |
| SHA256 | ec14c3a309b77db9ce3ddeefdc9c76eca8ff06d6931cbc2a50728b1082d631c1 |
| SHA512 | 5047f7d8dd2b70483c827165f25711f0228f9332781117e7b4a7c481424544a42f870d642904c36e6a116e22820ee15ad9f4e1c1d4545a8c02fba0b5489d3543 |
memory/1660-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
| MD5 | 7365da47139d60ed7f1d62dea77c171a |
| SHA1 | 313fcb1fcbb739485cc19d615ef34bf831ce3e30 |
| SHA256 | ec14c3a309b77db9ce3ddeefdc9c76eca8ff06d6931cbc2a50728b1082d631c1 |
| SHA512 | 5047f7d8dd2b70483c827165f25711f0228f9332781117e7b4a7c481424544a42f870d642904c36e6a116e22820ee15ad9f4e1c1d4545a8c02fba0b5489d3543 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/4008-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\Information.txt
| MD5 | 4cc32b8b2cb18a7bd4065fe6d852b607 |
| SHA1 | d516e5edbebd428501bdfda94ed930c3c14ac362 |
| SHA256 | bd3324aa046f24fb381ced6e66549a23db24bff0d7afbbcaa95a390e4ae23273 |
| SHA512 | 218a07fac3406bc542314871a0b52157fcde843528cacbda21dc9b833071090cee3e266b211fff0c44386a4e1f4e6ff88599578b7095d1832b2cb61f6c74d722 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\Screen.jpg
| MD5 | 799110fbd98387f98797b83203ebf1e9 |
| SHA1 | 74613b862df2c4691b5d02da2adc66f26aad9e8b |
| SHA256 | 38d5e9b5a3dd8149e737b54b967a574a0157b6d57cebd616982a0ddc5fc50d25 |
| SHA512 | f72380d5a0a688eadb75ac4ce4ee2bfc9e360cc95ed49fff8ad6584b010e87ae27a9476ca0297553f16dd6857815648954b0ecddb5aae95614f2ddff3f9a34ca |
memory/3728-145-0x0000000000000000-mapping.dmp