Malware Analysis Report

2024-09-23 04:51

Sample ID 220502-wkj35aegcr
Target 02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff
SHA256 02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff
Tags
qulab discovery evasion ransomware spyware stealer upx vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff

Threat Level: Known bad

The file 02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx vmprotect

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

VMProtect packed file

Sets file to hidden

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-05-02 17:58

Signatures

AutoIT Executable

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-02 17:58

Reported

2022-05-02 19:28

Platform

win7-20220414-en

Max time kernel

124s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Sets file to hidden

evasion

UPX packed file

upx

VMProtect packed file

vmprotect

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable


Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe N/A (2 entries)

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe N/A

winmgmts:\localhost\ is the WMI moniker prefix (the string AutoIt's ObjGet() takes to reach WMI), not a file name. The sandbox prefixed the relative-looking moniker with the process's working directory and then matched the colon as a drive or stream separator, so both the "Drops file in System32 directory" and the "NTFS ADS" hits are artifacts of a WMI query (which does fit the storage-device and installed-software enumeration flagged above), not a write to System32 or to an alternate data stream.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 1084 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
PID 1944 wrote to memory of 2000 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
PID 1084 wrote to memory of 1724 (4 entries) N/A C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
PID 1724 wrote to memory of 1460 (4 entries) N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
PID 1724 wrote to memory of 1496 (4 entries) N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe C:\Windows\SysWOW64\attrib.exe
PID 1212 wrote to memory of 1900 (4 entries) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
PID 1212 wrote to memory of 1148 (4 entries) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe

Identical rows are collapsed; the count is how many times the sandbox logged the pair. These are the writes the sandbox records when a parent spawns a child (the signature also fires on ordinary process creation), so on their own they document the execution chain rather than code injection: the sample starts Build.exe and extrimhack_04.07.2019_.exe, Build.exe starts twinui.exe, which runs twinui.module.exe and attrib.exe, and taskeng.exe (the Task Scheduler engine on Windows 7) later starts twinui.exe twice, i.e. a scheduled task relaunches the stealer.
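
The table above lists one row per write, so the execution chain is easier to read once identical rows are collapsed into parent/child edges. The script below is an added example written for this page, not part of the sandbox report or of the tool that produced it: it parses rows in exactly the format shown (the sample input is a constructed copy of the behavioral1 table, with each pair repeated four times as in the report), collapses duplicates into edges with a count, prints the tree, and lists children started by taskeng.exe as scheduled-task candidates. The path constants and the scheduler name list are this example's own assumptions.

```python
"""Rebuild the execution chain from 'Suspicious use of WriteProcessMemory'
rows of a sandbox report.  The sandbox logs one row per write, so a parent
that merely spawns a child appears several times; identical rows are
collapsed into (parent, child, count) edges and printed as an indented tree."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed input reproducing the behavioral1 table: each parent/child pair
# is logged four times in the report, which the repetition below recreates.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = TMP + r"\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"
BUILD = ROAM + r"\P5qIcYY2168tU11ez\Build.exe"
EXTRIM = ROAM + r"\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe"
RES = ROAM + r"\x86_microsoft.windows.c..-controls.resources"
TWINUI = RES + r"\twinui.exe"
MODULE = RES + r"\twinui.module.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
PAIRS = [(1944, 1084, SAMPLE, BUILD), (1944, 2000, SAMPLE, EXTRIM),
         (1084, 1724, BUILD, TWINUI), (1724, 1460, TWINUI, MODULE),
         (1724, 1496, TWINUI, ATTRIB), (1212, 1900, TASKENG, TWINUI),
         (1212, 1148, TASKENG, TWINUI)]
REPORT_ROWS = "Description Indicator Process Target\n" + "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
    for p, c, pi, ci in PAIRS for _ in range(4))

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+(.+)$")
# A space immediately followed by a drive-letter path starts the child column;
# splitting on the last such space tolerates spaces inside the parent path.
PATH_START = re.compile(r" (?=[A-Za-z]:\\)")


@dataclass(frozen=True)
class Edge:
    ppid: int
    cpid: int
    parent: str
    child: str
    count: int


def parse_rows(text: str) -> List[Edge]:
    """Collapse identical rows into one Edge per pair, keeping first-seen order."""
    seen: Dict[Tuple[int, int, str, str], int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line, blank line or unrelated text
        hits = list(PATH_START.finditer(m.group(3)))
        if not hits:
            raise ValueError(f"no child path in row: {line!r}")
        cut = hits[-1].start()
        key = (int(m.group(1)), int(m.group(2)), m.group(3)[:cut], m.group(3)[cut + 1:])
        seen[key] = seen.get(key, 0) + 1
    return [Edge(*k, count=n) for k, n in seen.items()]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_tree(edges: List[Edge]):
    """Return (root pids, child edges by parent pid, image path by pid)."""
    children: Dict[int, List[Edge]] = defaultdict(list)
    names: Dict[int, str] = {}
    for e in edges:
        children[e.ppid].append(e)
        names.setdefault(e.ppid, e.parent)
        names.setdefault(e.cpid, e.child)
    spawned = {e.cpid for e in edges}
    roots: List[int] = []
    for e in edges:
        if e.ppid not in spawned and e.ppid not in roots:
            roots.append(e.ppid)
    return roots, children, names


def render_tree(edges: List[Edge]) -> str:
    roots, children, names = build_tree(edges)
    lines: List[str] = []

    def walk(pid: int, depth: int, count: int = 0) -> None:
        tag = f"  [{count} writes]" if count else ""
        lines.append(f"{'  ' * depth}{pid} {basename(names[pid])}{tag}")
        for e in children.get(pid, []):
            walk(e.cpid, depth + 1, e.count)

    for pid in roots:
        walk(pid, 0)
    return "\n".join(lines)


def scheduler_children(edges: List[Edge], schedulers=("taskeng.exe",)) -> List[Tuple[int, str]]:
    """Children of the Task Scheduler engine: candidates for scheduled-task persistence."""
    return [(e.cpid, basename(e.child)) for e in edges
            if basename(e.parent).lower() in schedulers]


if __name__ == "__main__":
    print(render_tree(parse_rows(REPORT_ROWS)))
```

Run stand-alone it prints two trees, one rooted at the submitted sample and one rooted at taskeng.exe; the second root is the persistence signal, because nothing in the report spawns taskeng.exe itself.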

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

PIDs and parents are taken from the WriteProcessMemory table above; each entry gives the image path and then the command line as logged.

PID 1944
C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe
"C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"

PID 1084, parent 1944
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe"

PID 2000, parent 1944
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe"

PID 1724, parent 1084
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
Build.exe copied under a name borrowed from a Windows component (twinui) into a folder whose name resembles a WinSxS component directory; both choices are meant to pass as OS files in a directory listing.

PID 1460, parent 1724
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\*"
7-Zip command-line syntax (a = add to archive, -y = assume yes on prompts, -mx9 = maximum compression, -ssw = also compress files that are open for writing): the staging folder 1\ (Screen.jpg and Information.txt in the Files section) is packed into ENU_687FE975325E824E9D41.7z.

PID 1496, parent 1724
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"
Sets the system and hidden attributes on the drop folder so that Explorer and a plain dir omit it (the "Sets file to hidden" and "Views/modifies file attributes" signatures).

PID 1212
C:\Windows\system32\taskeng.exe
taskeng.exe {A0495830-0553-41C8-ABA8-40D48F37170A} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
Task Scheduler engine for the Admin session; it is the parent of the two twinui.exe instances below, i.e. a scheduled task relaunches the stealer.

PID 1900, parent 1212
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe

PID 1148, parent 1212
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 4
US 8.8.8.8:53 ipapi.co udp 1
US 104.26.9.44:443 ipapi.co tcp 1
RU 109.120.174.15:80 (none) tcp 2

Duplicate rows are collapsed into the Count column. api.telegram.org is the Telegram Bot API host; ipapi.co is the external-IP lookup service matched by the signature above; 109.120.174.15:80 was contacted by address, with no DNS name recorded. The report does not attribute flows to processes.
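
The process list and network table together describe a small, recognisable chain. The rules below are an added example written for this page, not the sandbox's own signatures: they run over constructed process-creation and network records that reproduce the behavioral1 data above and flag a Windows component name running outside C:\Windows, attrib hiding a user-profile folder, 7-Zip syntax coming from a binary not named like 7-Zip, a Task Scheduler child living under the user profile, and the ipapi.co plus api.telegram.org pairing. The record layout, the rule names and the component, archiver and scheduler name lists are this example's assumptions; in production the records would come from Sysmon event IDs 1 and 3 or an EDR feed.

```python
"""Detection rules for the chain shown in this report, run over plain
process-creation and network records (the shape Sysmon or an EDR provides)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None
    parent_image: str = ""

@dataclass
class Net:
    dst: str
    domain: str

@dataclass
class Finding:
    rule: str
    pid: Optional[int]
    detail: str

# Constructed records reproducing the behavioral1 process list and network table.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming"
BUILD = ROAM + r"\P5qIcYY2168tU11ez\Build.exe"
EXTRIM = ROAM + r"\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe"
RES = ROAM + r"\x86_microsoft.windows.c..-controls.resources"
TWINUI, MODULE = RES + r"\twinui.exe", RES + r"\twinui.module.exe"
ATTRIB, TASKENG = r"C:\Windows\SysWOW64\attrib.exe", r"C:\Windows\system32\taskeng.exe"
PROCS = [
    Proc(1944, SAMPLE, f'"{SAMPLE}"'),
    Proc(1084, BUILD, f'"{BUILD}"', 1944, SAMPLE),
    Proc(2000, EXTRIM, f'"{EXTRIM}"', 1944, SAMPLE),
    Proc(1724, TWINUI, TWINUI, 1084, BUILD),
    Proc(1460, MODULE, f'{MODULE} a -y -mx9 -ssw "{RES}\\ENU_687FE975325E824E9D41.7z" "{RES}\\1\\*"',
         1724, TWINUI),
    Proc(1496, ATTRIB, f'attrib +s +h "{RES}"', 1724, TWINUI),
    Proc(1212, TASKENG, r"taskeng.exe {A0495830-0553-41C8-ABA8-40D48F37170A} "
                        r"S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]"),
    Proc(1900, TWINUI, TWINUI, 1212, TASKENG),
    Proc(1148, TWINUI, TWINUI, 1212, TASKENG),
]
NETS = [Net("8.8.8.8:53", "api.telegram.org"), Net("149.154.167.220:443", "api.telegram.org"),
        Net("8.8.8.8:53", "ipapi.co"), Net("104.26.9.44:443", "ipapi.co"), Net("109.120.174.15:80", "")]

WINDOWS_DIR, USER_PROFILES = r"c:\windows", r"c:\users"
# Assumed allow-lists a defender would maintain: component names that are only
# legitimate under C:\Windows, the real 7-Zip binaries, and scheduler engines.
COMPONENT_NAMES = {"twinui.exe", "svchost.exe", "taskeng.exe", "explorer.exe"}
ARCHIVER_NAMES = {"7z.exe", "7za.exe", "7zr.exe"}
SCHEDULER_NAMES = {"taskeng.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def under(path: str, root: str) -> bool:
    return path.lower().startswith(root)

def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on spaces, honouring double-quoted arguments."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def rule_masquerade(p: Proc) -> Optional[Finding]:
    if basename(p.image) in COMPONENT_NAMES and not under(p.image, WINDOWS_DIR):
        return Finding("component_name_outside_windows", p.pid, p.image)
    return None

def rule_attrib_hide(p: Proc) -> Optional[Finding]:
    t = tokens(p.cmdline)
    if basename(p.image) == "attrib.exe" and "+h" in t:
        hidden = [x for x in t if under(x, USER_PROFILES)]
        if hidden:
            return Finding("attrib_hides_user_profile_path", p.pid, hidden[0])
    return None

def rule_renamed_archiver(p: Proc) -> Optional[Finding]:
    t = tokens(p.cmdline)  # 7-Zip: <exe> a [-switches] <archive> <files...>
    if (len(t) > 2 and t[1] == "a" and any(x.startswith("-mx") for x in t)
            and basename(p.image) not in ARCHIVER_NAMES):
        archive = next((x for x in t[2:] if not x.startswith("-")), "")
        return Finding("7zip_syntax_from_renamed_binary", p.pid, archive)
    return None

def rule_scheduled_relaunch(p: Proc) -> Optional[Finding]:
    if (p.parent_image and basename(p.parent_image) in SCHEDULER_NAMES
            and not under(p.image, WINDOWS_DIR)):
        return Finding("scheduled_task_runs_user_profile_binary", p.pid, p.image)
    return None

def rule_stealer_beacon(nets: List[Net]) -> Optional[Finding]:
    domains = {n.domain for n in nets}  # pairing, not either host alone, is the signal
    if "api.telegram.org" in domains and "ipapi.co" in domains:
        return Finding("ip_lookup_then_telegram_bot_api", None, "ipapi.co + api.telegram.org")
    return None

PROC_RULES = (rule_masquerade, rule_attrib_hide, rule_renamed_archiver, rule_scheduled_relaunch)

def run_rules(procs: List[Proc], nets: List[Net]) -> List[Finding]:
    findings: List[Finding] = []
    for p in procs:
        for rule in PROC_RULES:
            f = rule(p)
            if f:
                findings.append(f)
    beacon = rule_stealer_beacon(nets)
    return findings + ([beacon] if beacon else [])

if __name__ == "__main__":
    for f in run_rules(PROCS, NETS):
        print(f"{f.rule:42} pid={f.pid} {f.detail}")
```

The masquerade rule deliberately ignores taskeng.exe and attrib.exe because they run from C:\Windows; the 7-Zip rule keys on the archiver's argument grammar rather than on the file name, which is exactly what the rename of 7-Zip to twinui.module.exe is meant to defeat.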

Files

The sandbox logs every write separately, and some paths appear both with and without the drive letter; entries for the same path with identical hashes are collapsed below, with the number of original entries in brackets.

Memory dumps

memory/1944-54-0x00000000753C1000-0x00000000753C3000-memory.dmp
memory/1084-59-0x0000000000000000-mapping.dmp
memory/2000-66-0x0000000000000000-mapping.dmp
memory/1724-68-0x0000000000000000-mapping.dmp
memory/1460-76-0x0000000000000000-mapping.dmp
memory/1496-80-0x0000000000000000-mapping.dmp
memory/1900-81-0x0000000000000000-mapping.dmp
memory/1148-84-0x0000000000000000-mapping.dmp

Dropped files

C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe (6 entries)

MD5 7fc2f942a731666fbcbfe41cca252d44
SHA1 4a9ec57556d61dfb66b1032a0e25c84997633893
SHA256 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2
SHA512 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421

C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe (4 entries)

MD5 7fb3cf569a680d1d97cf7109eb6d65a3
SHA1 cfd9c29811d4fb54de33dbb9bfcb72a958ccc6bd
SHA256 f972027704f00a7c89e80829c7dcb3a131f4d6ccc14d0bb88b68badce98095b7
SHA512 0fce8f8906a74c4a26b1decf0f1ad4f5d317a0bd58d745a34d8156b54ea4f4f9bf7950c056d414f1ba9ff34bf883c15408eeab5ed85da96e977abe81d9d07b7f

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe (3 entries)
Hashes identical to Build.exe: the stealer copies itself into the resources folder under the twinui name, so one SHA256 covers both paths in an IOC list.

MD5 7fc2f942a731666fbcbfe41cca252d44
SHA1 4a9ec57556d61dfb66b1032a0e25c84997633893
SHA256 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2
SHA512 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421

\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.sqlite3.module.dll (2 entries)
A SQLite library by name, consistent with the "Reads user/profile data of web browsers" hit (Chromium-based browsers keep logins and cookies in SQLite databases).

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe (3 entries)
The binary invoked with 7-Zip syntax in the process list.

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Screen.jpg (1 entry)

MD5 f2efdd3a8929d2ace753c3dd16fd2dcb
SHA1 d83d1d12285e6cf0b0d439ce9aec7b1014f1ba17
SHA256 7bc6488132bcb8d8240d9e30e10ffe1d96e74f729ef3570e726d476bbe270df4
SHA512 0a6f5f58f262843fa954b1187877018bb660f6661daebf13795f443ada8498ba34e51b6b0f57921f7cfb9ca28588ce36d25022be11d2a075a64f8a58efbcbae9

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Information.txt (1 entry)

MD5 1fc575068f5f0d32e4a7d2d5b53677f2
SHA1 989c422b627afdb6435103bd085383542942ef63
SHA256 f92fe5cce12641a5a59f8cef8ec2b9e245708f7dedef7c6a66264193de9f47b5
SHA512 271e3e168a1c83614aca30cb2771a6fe8aae177f5a3586646347ff53077255e6d704c8cfe74189773d75a428185256a443f23b9aebe948884f3d9bfa2264bcc8

Screen.jpg and Information.txt are the contents of the staging folder that twinui.module.exe packs into the .7z (by name, a screenshot and a host summary). They are generated on the victim, so their hashes differ between the Windows 7 and Windows 10 runs and are not useful as file IOCs; the four executables and the DLL above are.

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-02 17:58

Reported

2022-05-02 19:28

Platform

win10v2004-20220414-en

Max time kernel

125s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Sets file to hidden

evasion

UPX packed file

upx

VMProtect packed file

vmprotect

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe N/A

Geo\Nation holds the user's GeoID (country code). Stealers commonly read it to decide whether to run on hosts in particular countries; the report records only the read, not what the sample did with the value.

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable


Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe N/A (2 entries)

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe N/A

winmgmts:\localhost\ is the WMI moniker prefix, not a file name: both hits are the sandbox treating a WMI connection string (prefixed with the process's working directory) as a path, not a write to System32 or to an alternate data stream.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 2244 (3 entries) N/A C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
PID 2244 wrote to memory of 1320 (3 entries) N/A C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
PID 3560 wrote to memory of 3784 (3 entries) N/A C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
PID 1320 wrote to memory of 4696 (3 entries) N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
PID 1320 wrote to memory of 1312 (3 entries) N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe C:\Windows\SysWOW64\attrib.exe

Identical rows are collapsed; the count is how many times the sandbox logged the pair. As in the Windows 7 run these are the writes recorded when a parent spawns a child, not evidence of injection. No scheduler-launched relaunch is recorded here: the two trailing twinui.exe processes in the process list below have no parent in this table.

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

PIDs and parents are taken from the WriteProcessMemory table above; the last two twinui.exe instances have no parent recorded in this run. Each entry gives the image path and then the command line as logged.

PID 3560
C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe
"C:\Users\Admin\AppData\Local\Temp\02c61c0cd23dcc382fd40aff99bbd896c04aaca7fae91f2fbe4a66ea7abf60ff.exe"

PID 2244, parent 3560
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe"

PID 1320, parent 2244
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe

PID 3784, parent 3560
C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe
"C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe"

PID 4696, parent 1320
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\*"
Same 7-Zip invocation (a = add, -y = assume yes, -mx9 = maximum compression, -ssw = compress files open for writing) as in the Windows 7 run; only the archive name differs, so the name is generated per run and is not a usable IOC.

PID 1312, parent 1320
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

twinui.exe, parent not recorded
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe

twinui.exe, parent not recorded
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe

Network

Country Destination Domain Proto Count
NL 104.97.14.81:80 (none) tcp 1
NL 20.190.160.67:443 (none) tcp 3
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 1
US 8.8.8.8:53 ipapi.co udp 1
US 104.26.9.44:443 ipapi.co tcp 1
RU 109.120.174.15:80 (none) tcp 1
NL 20.190.160.4:443 (none) tcp 3
NL 52.178.17.2:443 (none) tcp 1
NL 20.190.160.8:443 (none) tcp 3
NL 104.110.191.133:80 (none) tcp 2
NL 20.190.160.71:443 (none) tcp 3
FR 2.18.109.224:443 (none) tcp 1
US 104.18.24.243:80 (none) tcp 1
NL 104.123.41.162:80 (none) tcp 1
NL 20.190.160.2:443 (none) tcp 3
NL 20.190.160.73:443 (none) tcp 3

Consecutive duplicate rows are collapsed into the Count column. Only api.telegram.org, ipapi.co and 109.120.174.15:80 also appear in the Windows 7 run; the remaining destinations have no domain recorded and sit in cloud and CDN address space (Microsoft, Akamai, Cloudflare) typical of Windows 10 background traffic, and the report does not tie flows to processes, so they should not be added to an IOC list on the strength of this report alone.

Files

Entries for the same path with identical hashes are collapsed, with the number of original entries in brackets.

Memory dumps

memory/2244-130-0x0000000000000000-mapping.dmp
memory/1320-133-0x0000000000000000-mapping.dmp
memory/3784-135-0x0000000000000000-mapping.dmp
memory/4696-140-0x0000000000000000-mapping.dmp
memory/1312-145-0x0000000000000000-mapping.dmp

Dropped files

C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\Build.exe (2 entries)

MD5 7fc2f942a731666fbcbfe41cca252d44
SHA1 4a9ec57556d61dfb66b1032a0e25c84997633893
SHA256 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2
SHA512 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.exe (3 entries)
Hashes identical to Build.exe, as in the Windows 7 run.

MD5 7fc2f942a731666fbcbfe41cca252d44
SHA1 4a9ec57556d61dfb66b1032a0e25c84997633893
SHA256 2ea0be1b0a11cc00f4e1a91c3f0d2357de51169d6273638bee546be54e22e6b2
SHA512 8d365f721ab46cf9c80efae142e033a7fadab653e23b97201cc00f53dfd269d87b9bc17a16454b9d9be07682970460e94e8e799a598b25c8fd46e15807a66421

C:\Users\Admin\AppData\Roaming\P5qIcYY2168tU11ez\extrimhack_04.07.2019_.exe (2 entries)

MD5 7fb3cf569a680d1d97cf7109eb6d65a3
SHA1 cfd9c29811d4fb54de33dbb9bfcb72a958ccc6bd
SHA256 f972027704f00a7c89e80829c7dcb3a131f4d6ccc14d0bb88b68badce98095b7
SHA512 0fce8f8906a74c4a26b1decf0f1ad4f5d317a0bd58d745a34d8156b54ea4f4f9bf7950c056d414f1ba9ff34bf883c15408eeab5ed85da96e977abe81d9d07b7f

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.sqlite3.module.dll (2 entries)

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\twinui.module.exe (2 entries)

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Information.txt (1 entry)

MD5 cad2992b59870bc7eb409c66f1634f97
SHA1 2a22a210422b1e71b0b49175fba451509c6ea77a
SHA256 7444e87b9505aac08f90ec3af4f984f845abb7d0bbf9169d27d732076ef42c33
SHA512 e8c6e0d3d33c3a473f5001fcf91d721797da3e26137e53f6870d3225fa0f8c34d9fc531eca535bf46991fc13b790cbc3beb6643a763615e0b0e27d4ba29397d6

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Screen.jpg (1 entry)

MD5 87eb23df56d3351065e18a2486c4c8a7
SHA1 8aabda0b974bcdc22b568ca771bb2e4d5d01c318
SHA256 ccbb5d163751befb76961833f0d1d5cf107d96e8039f822a93ad785a6d106fe0
SHA512 2fd944d99fd1733deec8a5d4ed9d069677df06cb1d3d90163a6773d89f5fd4ed56999458b1bb23918705cc7dfb70c9470de1d158f757f2ab62fae2012ce39064

The four executables and the DLL carry the same hashes as in the Windows 7 run; Information.txt and Screen.jpg are generated on the victim and differ, so only the former are stable file IOCs.