Analysis Overview
SHA256
02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff
Threat Level: Known bad
The file 02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
VMProtect packed file
Sets file to hidden
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
AutoIT Executable
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-02 17:58
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-02 17:58
Reported
2022-05-02 19:28
Platform
win7-20220414-en
Max time kernel
124s
Max time network
133s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe
"C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe"
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {A0495830-0553-41C8-ABA8-40D48F37170A} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 109.120.174.15:80 | N/A | tcp |
| RU | 109.120.174.15:80 | N/A | tcp |
Files
memory/1944-54-0x00000000753C1000-0x00000000753C3000-memory.dmp
\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |
memory/1084-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |
\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
| MD5 | 7fb3cf569a680d1d97cf7109eb6d65a3 |
| SHA1 | cfd9c29811d4fb54de33dbb9bfcb72a958ccc6bd |
| SHA256 | f972027704f00a7c89e80829c7dcb3a131f4d6ccc14d0bb88b68badce98095b7 |
| SHA512 | 0fce8f8906a74c4a26b1decf0f1ad4f5d317a0bd58d745a34d8156b54ea4f4f9bf7950c056d414f1ba9ff34bf883c15408eeab5ed85da96e977abe81d9d07b7f |
memory/2000-66-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
| MD5 | 7fb3cf569a680d1d97cf7109eb6d65a3 |
| SHA1 | cfd9c29811d4fb54de33dbb9bfcb72a958ccc6bd |
| SHA256 | f972027704f00a7c89e80829c7dcb3a131f4d6ccc14d0bb88b68badce98095b7 |
| SHA512 | 0fce8f8906a74c4a26b1decf0f1ad4f5d317a0bd58d745a34d8156b54ea4f4f9bf7950c056d414f1ba9ff34bf883c15408eeab5ed85da96e977abe81d9d07b7f |
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
| MD5 | 7fb3cf569a680d1d97cf7109eb6d65a3 |
| SHA1 | cfd9c29811d4fb54de33dbb9bfcb72a958ccc6bd |
| SHA256 | f972027704f00a7c89e80829c7dcb3a131f4d6ccc14d0bb88b68badce98095b7 |
| SHA512 | 0fce8f8906a74c4a26b1decf0f1ad4f5d317a0bd58d745a34d8156b54ea4f4f9bf7950c056d414f1ba9ff34bf883c15408eeab5ed85da96e977abe81d9d07b7f |
memory/1724-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |
\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1460-76-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Screen.jpg
| MD5 | f2efdd3a8929d2ace753c3dd16fd2dcb |
| SHA1 | d83d1d12285e6cf0b0d439ce9aec7b1014f1ba17 |
| SHA256 | 7bc6488132bcb8d8240d9e30e10ffe1d96e74f729ef3570e726d476bbe270df4 |
| SHA512 | 0a6f5f58f262843fa954b1187877018bb660f6661daebf13795f443ada8498ba34e51b6b0f57921f7cfb9ca28588ce36d25022be11d2a075a64f8a58efbcbae9 |
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Information.txt
| MD5 | 1fc575068f5f0d32e4a7d2d5b53677f2 |
| SHA1 | 989c422b627afdb6435103bd085383542942ef63 |
| SHA256 | f92fe5cce12641a5a59f8cef8ec2b9e245708f7dedef7c6a66264193de9f47b5 |
| SHA512 | 271e3e168a1c83614aca30cb2771a6fe8aae177f5a3586646347ff53077255e6d704c8cfe74189773d75a428185256a443f23b9aebe948884f3d9bfa2264bcc8 |
memory/1496-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |
memory/1900-81-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |
memory/1148-84-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-02 17:58
Reported
2022-05-02 19:28
Platform
win10v2004-20220414-en
Max time kernel
125s
Max time network
139s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe
"C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
Network
| Country | Destination | Domain | Proto |
| NL | 104.97.14.81:80 | N/A | tcp |
| NL | 20.190.160.67:443 | N/A | tcp |
| NL | 20.190.160.67:443 | N/A | tcp |
| NL | 20.190.160.67:443 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 109.120.174.15:80 | N/A | tcp |
| NL | 20.190.160.4:443 | N/A | tcp |
| NL | 20.190.160.4:443 | N/A | tcp |
| NL | 20.190.160.4:443 | N/A | tcp |
| NL | 52.178.17.2:443 | N/A | tcp |
| NL | 20.190.160.8:443 | N/A | tcp |
| NL | 20.190.160.8:443 | N/A | tcp |
| NL | 20.190.160.8:443 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| NL | 20.190.160.71:443 | N/A | tcp |
| NL | 20.190.160.71:443 | N/A | tcp |
| NL | 20.190.160.71:443 | N/A | tcp |
| FR | 2.18.109.224:443 | N/A | tcp |
| US | 104.18.24.243:80 | N/A | tcp |
| NL | 104.123.41.162:80 | N/A | tcp |
| NL | 20.190.160.2:443 | N/A | tcp |
| NL | 20.190.160.2:443 | N/A | tcp |
| NL | 20.190.160.2:443 | N/A | tcp |
| NL | 20.190.160.73:443 | N/A | tcp |
| NL | 20.190.160.73:443 | N/A | tcp |
| NL | 20.190.160.73:443 | N/A | tcp |
Files
memory/2244-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |
memory/1320-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |
memory/3784-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
| MD5 | 7fb3cf569a680d1d97cf7109eb6d65a3 |
| SHA1 | cfd9c29811d4fb54de33dbb9bfcb72a958ccc6bd |
| SHA256 | f972027704f00a7c89e80829c7dcb3a131f4d6ccc14d0bb88b68badce98095b7 |
| SHA512 | 0fce8f8906a74c4a26b1decf0f1ad4f5d317a0bd58d745a34d8156b54ea4f4f9bf7950c056d414f1ba9ff34bf883c15408eeab5ed85da96e977abe81d9d07b7f |
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/4696-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Information.txt
| MD5 | cad2992b59870bc7eb409c66f1634f97 |
| SHA1 | 2a22a210422b1e71b0b49175fba451509c6ea77a |
| SHA256 | 7444e87b9505aac08f90ec3af4f984f845abb7d0bbf9169d27d732076ef42c33 |
| SHA512 | e8c6e0d3d33c3a473f5001fcf91d721797da3e26137e53f6870d3225fa0f8c34d9fc531eca535bf46991fc13b790cbc3beb6643a763615e0b0e27d4ba29397d6 |
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Screen.jpg
| MD5 | 87eb23df56d3351065e18a2486c4c8a7 |
| SHA1 | 8aabda0b974bcdc22b568ca771bb2e4d5d01c318 |
| SHA256 | ccbb5d163751befb76961833f0d1d5cf107d96e8039f822a93ad785a6d106fe0 |
| SHA512 | 2fd944d99fd1733deec8a5d4ed9d069677df06cb1d3d90163a6773d89f5fd4ed56999458b1bb23918705cc7dfb70c9470de1d158f757f2ab62fae2012ce39064 |
memory/1312-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
| MD5 | 7fc2f942a731666fbcbfe41cca252d44 |
| SHA1 | 4a9ec57556d61dfb66b1032a0e25c84997633893 |
| SHA256 | 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2 |
| SHA512 | 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421 |