Malware Analysis Report

2024-09-23 04:50

Sample ID 220530-ckezmaaca4
Target 0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678
SHA256 0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678
Tags
qulab discovery evasion ransomware spyware stealer upx vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678

Threat Level: Known bad

The file 0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx vmprotect

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Sets file to hidden

VMProtect packed file

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

NTFS ADS

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: RenamesItself

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-05-30 02:07

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-30 02:07

Reported

2022-05-30 02:59

Platform

win10v2004-20220414-en

Max time kernel

100s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe N/A

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1532 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1532 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 5052 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 5052 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 5052 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 5052 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe

"C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

Network

Country Destination Domain Proto
US 20.44.10.123:443 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 172.67.69.226:443 ipapi.co tcp
US 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
US 172.67.69.226:443 ipapi.co tcp
NL 104.110.191.133:80 tcp
RU 193.233.30.150:65233 tcp
NL 8.248.7.254:80 tcp

Files

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Information.txt

MD5 baeba814d4fd460ffd8c1bbb6f777b75
SHA1 b1b5ecc71bf9bf55ee72be81a6aee1c9c9e86731
SHA256 8ebbeda776c1c72df54aa2f9195341df2e6fc241bcfe6e89b09e945da0ab51a9
SHA512 a49955107656e9dc9dd1168c1d440601bb9834c77d920cdbc3db62347c8ddacddba6a03f78566fb307163d0483578150cf80ad7d8d027776eecba1b14256a542

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Screen.jpg

MD5 0319291cd20fd6bd0c2ab9fa154bc852
SHA1 10228b06c27defb8779469e664ce27abd68ba4fe
SHA256 02a28f1fc9ae78267b92c0c8c69c8b1aee536e82cd93557d6707abbb0d9a2351
SHA512 0d8a2fd1e3e253ea29f02d049964ef915605104eb288a21a5cf31ad906242adb5852b37cc1a75ba706270d2012bac16a4ffc90038e82fa62d10f080ca78421c8

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-30 02:07

Reported

2022-05-30 02:59

Platform

win7-20220414-en

Max time kernel

134s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe N/A

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 596 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 596 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 596 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 596 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1988 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 1988 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 1988 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 1988 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 1988 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 1988 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 1988 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 1988 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 1184 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1184 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1184 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1184 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1184 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1184 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1184 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1184 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe

"C:\Users\Admin\AppData\Local\Temp\0bc34b2e2ff36841f5dac71b80d97d002e554bdc1c1f5b8e6776e907d8030678.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\ENU_687FE9762211651E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Windows\system32\taskeng.exe

taskeng.exe {23374AF0-90DF-4665-9C80-3F08D731F994} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 ipapi.co udp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.26.8.44:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 193.233.30.150:65233 tcp
RU 193.233.30.150:65233 tcp

Files

\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/1988-70-0x0000000061E00000-0x0000000061ED2000-memory.dmp

\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/1928-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Screen.jpg

MD5 c822f9c17f93d2b58c88103e2262ff86
SHA1 fc414e95f2c6d7346c6b4e25a46164fb1ffdd1c6
SHA256 cbd3f5ebdd2e2dadb3ede988deaf42831e7c755bd14d7d705f643e9d576a625f
SHA512 dca564ca10e44d0693d42a2dbbbdaa51eeb426bcc2b07ba49e35d215dccb2e49dffe862b27b2c8c6b995de077d857562c2bc27ab0dc5eef3229beb085f8834e5

memory/1928-77-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Information.txt

MD5 d2f7e21196d4b0e32e53056f478b3a22
SHA1 17a1a698b3284ad9afd4804de6f9e700d838a212
SHA256 d8be1a59fe998344321b10d532e9af4f6c43449d34ecdba3847dd9d53100bc5d
SHA512 5e3269b2a6d2000267ab494b05a841a507eff5f51c4e922cbd13929c410af6977b08f84cd51ea2901a96b16e4e987f5325d2862302a9d87b3202717250275ab8
