Analysis Overview
SHA256
a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8
Threat Level: Known bad
The file a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Sets file to hidden
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious behavior: RenamesItself
Views/modifies file attributes
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-01 23:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-01 23:44
Reported
2022-05-01 23:47
Platform
win7-20220414-en
Max time kernel
106s
Max time network
46s
Command Line
Signatures
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1580 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
"C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe"
C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
"C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-01 23:44
Reported
2022-05-01 23:47
Platform
win10v2004-20220414-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe | N/A |
Sets file to hidden
UPX packed file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2288 set thread context of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe |
| PID 2216 set thread context of 4404 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
"C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe"
C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
"C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ENU_688FE972402C836E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\*"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
Network
| Country | Destination | Domain | Proto |
| IE | 20.50.80.209:443 | | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
Files
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\CompareBackup.txt
| MD5 | 8bdc403789c438d253a619f4ec81d7dd |
| SHA1 | c512788f3561612d2b34315f93766154dedcda4b |
| SHA256 | c651ca47756f82cca0b1fdeaf452d753a710eb090ab565782c65aa101051476d |
| SHA512 | de4b5019001489692c6fe70ca3c16310c8c726873aa569bac966dbea541feeb129db393da5c25c590c90b2ad29a97dfec08d5dff9bb8f1c8355767e49aa54993 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\RemoveInstall.xlsx
| MD5 | 0a4303651e5c5aeca49cb008f5521ce4 |
| SHA1 | 527fe0ef0537c811de8d8ba083084d2d353fdfcf |
| SHA256 | 990af4bc05a06d00ff27c302dcdd2aaeede6877fe6834915bd7110b0b73739e2 |
| SHA512 | 449db15aea490e463ba07bfcaa0c02492d7b583826c3d973bdfada6158052f295e9c49ed8f86456e974a0da70ac33288b81d3e94a5db59efe18a3f5a67a65808 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\SaveShow.txt
| MD5 | 2c4ce54530dd33491de30966f61b84e5 |
| SHA1 | 42e5ee535074b10f32a1d3ad9d545398c9daa244 |
| SHA256 | c185c71b02c65d8da7a4fb152929ae0901dbbc2ecd20bbaed562c0d584b66153 |
| SHA512 | 1855e469169b0802f10e32a4d366719536c5133326f906f9cc2624a78229cede9c5e3b43e74ebf818a3ed4e7cb58307b4c3959db8c01527bc45930106f5527e3 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Information.txt
| MD5 | 49ccf820e498960cde41bf9e4d85cd5e |
| SHA1 | 12599f26e57a26d5807e564bfd3598b232cedd64 |
| SHA256 | 87ca65510cab4eb3e874587b96532b866c5b78ebffa09ebfb268a10b061c3bb3 |
| SHA512 | 612ae76943143c75262b21cfbcd7671b043c155e431504b72c2ef8e23273f5ef4ea2bcfc65bbc594bcb151f49955a4dd441a533a3c2385177192b932af4be35a |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Screen.jpg
| MD5 | ec5222e0aeb03ed81a2674aa19b9200b |
| SHA1 | d85673c0dd441d69d0dee9d5e490504e4467ab42 |
| SHA256 | 4dba8122686d8d3ba883b50ae991917abd5a285f4976dc19c26ad3a57e96c5fc |
| SHA512 | 3df4ced82400a66a6d8dfe49a99d545de37e4f672770499750e1b081ee314a7c7b4f99092f3f4f662a8c9e8c018abcf958c4fe5bc4427bb5397ae93bcae348f7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Storprop.exe.log
| MD5 | 7ebe314bf617dc3e48b995a6c352740c |
| SHA1 | 538f643b7b30f9231a3035c448607f767527a870 |
| SHA256 | 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8 |
| SHA512 | 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e |