Analysis
-
max time kernel
188s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
07-06-2022 19:52
General
-
Target
1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe
-
Size
2.4MB
-
MD5
654315297a795b3cd81a37c4f71ceba5
-
SHA1
a77e4d0359943ec66376e82019129b0d3c2b7724
-
SHA256
1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0
-
SHA512
993da8afede0b8e22dd816000471758a63b8b2aafed53772ae29d539815e42d07a91d392907b5e384297f655acaa167f58ccdb49a499b0673314471ff99fb817
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 15 IoCs
-
Suspicious use of SendNotifyMessage 15 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"2⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"4⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 25325⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"2⤵
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"2⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4688 -ip 46881⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"2⤵
- Drops file in System32 directory
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50085fc6ff6ec7649b40d39fbb27621ae
SHA13bc13b2c0831d921be07f807667f9e782a81f3dd
SHA25664ac1618737da4e4c53c3fd94b8fe08515981b1bdd74fce47aa4628e11ceb135
SHA5129ebd2dcbd275575bbcbfaa94b3e6c48f0c2e12e6a9a56dad5b33521a11e28e0ec9704ba9fe7a4a4d492f8cea2929f25dbd3ba91e8a519b2de8fc1db45d967862
-
Filesize
1KB
MD59dc8cffd5a3520fb6f173ada36ebc98e
SHA104a5fc563bcebff77d36eb519c956558134e09ba
SHA256c88ebf5821ef91fe371283edd0a3786b6a453ffafc44ebe6021bb917e53fa4a5
SHA5128398d501d1d02a3b27e75ee008d2e5bdf450922a8186fa144f55b4aef2b5508322dfab4acc487917121ba78de6b286eecb5c1d79406855d3a07c2d9075db88a4
-
Filesize
1KB
MD5ac768ff2ba86be0a146ca2cf728b7b84
SHA15d3e59375e7ea3065a4f78503176fab5bda39426
SHA256e019255dc4588dce850c3e9efa548ed09a6a1ac4b61f8f54556f39aea58eacb1
SHA512f1adadc74ae37fd1180739765610f3851bd99d5f8e30bdbb35fddf79af8e5e12b7a473282dcac4ab280306340d7a07a0f4afc2213d228ac891f0ecb291de710f
-
Filesize
450B
MD54113282a41366ff29510b7d84a7a83a7
SHA158696dea67308970f9363a7d9edb5ce8077766a4
SHA25601e2613eb89c2d8d79d7177626c9f684ba9bbd515b8d238f6a13fd25634bd50a
SHA5127ead24710f21cf8048985331de69993060406885a407543a6713f204dc85fe773f0aa3c9afd8b7d46bff677aac0ca55244ee2d2e4c64d157ab3a48aa7ede28d1
-
Filesize
482B
MD558b9c2e080ac5c5ada010059279df4a4
SHA1024f8dcb4540a20bfd8263d1c2431bf95b3a3fca
SHA2567229d806f0523162a3c07fbf75fe7960722a3b9f9e12460b3e289f1a7a2e33d3
SHA512c5651cdd3450898bd19f3c475e01e8f5f923683082d4ce536d9d5482fe566925dece7c1a551aedf3ff3a515a59496708f91e5e2d4e2130e203dc924a785834a8
-
Filesize
458B
MD5de3584a5e2f79c581a87a5322aa2e38b
SHA1c4101744e8eed414fa78ac5703fd6c582417ddc9
SHA256ea0a373d00ad4bede01485477be053b55f36877ff3bb07a0472722c51f4c246a
SHA512ab4034d1cb759934853c1cb27315b734513db6698b7583bd6fb98207e913c9c995fafbbfa02b68e30238fab34993fb6e9942b05004ffd9dbdd6bef0f66b163c5
-
Filesize
3KB
MD5fb297eac5433371bb4e80ac0042db812
SHA1579e6b38ff37e3621a5ccb6861598fb90e3d3c58
SHA256981ea4586730243d098f03355b7a3c19ea02e69c175f61e616a44872bd474e26
SHA512c4d9910d32c46e5c884bb67891091508426106f005fd47067d7244ee4a3e2e8c3d1d435d8e6e9c47f6ad8f0c975778c6127f3851746a28a98039a12adb48fe58
-
Filesize
49KB
MD54fa0c96e37cb6bee30107cc76295fae4
SHA1023fdf3b30b7ea5708691ceb0600b8fd06d37b34
SHA25658ea6f76277604df452bffcbf0fde0ad442bc2a386d7b3948dd8f561c5144540
SHA51224018dd02f5f6639a221ff7033287663767323b7a084447fc91c17b158a89b6978776ef752f575f6f71e398aa1b95ce7772950a7aea5dba80f6520022573fb7c
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
500KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
840KB
-
Filesize
840KB
