Analysis Overview
SHA256
1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6
Threat Level: Known bad
The file 1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Sets file to hidden
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 22:50
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 22:50
Reported
2022-06-13 04:35
Platform
win7-20220414-en
Max time kernel
161s
Max time network
171s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CDGH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_dual\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe
"C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe"
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
"C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
C:\Users\Admin\AppData\Roaming\SSJK.exe
"C:\Users\Admin\AppData\Roaming\SSJK.exe"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
"C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_dual\ENU_687FE9737473A97E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_dual\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_dual"
C:\Windows\system32\taskeng.exe
taskeng.exe {137C2581-6212-465B-B8C7-3E9A215EF624} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| RU | 46.161.51.230:39635 | N/A | tcp |
| RU | 46.161.51.230:39635 | N/A | tcp |
Files
memory/1300-54-0x0000000075951000-0x0000000075953000-memory.dmp
\Users\Admin\AppData\Local\Temp\XXMBK.exe
| MD5 | a24d6f686b4e46d2a828036ed821f15a |
| SHA1 | 7df1294dd167c8c50b21d5ac5b731ccb140f39e1 |
| SHA256 | a3253375704929d9843d71b2a974661ab9014ebb4a510be7576654be456de5ad |
| SHA512 | 338697d0e29ec48bcc3e8cea7828628472773e2b72a820a81d306f774d81a7e060d70b5a97f4b29c9086c0fc1f0d4a2cc675318e54c4a0f6bdd152754c853936 |
memory/848-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
| MD5 | a24d6f686b4e46d2a828036ed821f15a |
| SHA1 | 7df1294dd167c8c50b21d5ac5b731ccb140f39e1 |
| SHA256 | a3253375704929d9843d71b2a974661ab9014ebb4a510be7576654be456de5ad |
| SHA512 | 338697d0e29ec48bcc3e8cea7828628472773e2b72a820a81d306f774d81a7e060d70b5a97f4b29c9086c0fc1f0d4a2cc675318e54c4a0f6bdd152754c853936 |
\Users\Admin\AppData\Roaming\SSJK.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/2044-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\SSJK.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/1244-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1244-73-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1244-74-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Local\Temp\CDGH.exe
| MD5 | 439e839b6ea367af00f7b99c0e9636a4 |
| SHA1 | 72546bc18281613ce3f0a9138136ae33fe4559e8 |
| SHA256 | cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637 |
| SHA512 | eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b |
memory/1536-76-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
| MD5 | 439e839b6ea367af00f7b99c0e9636a4 |
| SHA1 | 72546bc18281613ce3f0a9138136ae33fe4559e8 |
| SHA256 | cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637 |
| SHA512 | eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b |
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1412-82-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt
| MD5 | 2f1a9b70a7772aa9c1acb3331dad6699 |
| SHA1 | 007d5c230f45e7f07f8040367df4ce4571d59ec0 |
| SHA256 | ef1f5e43d932b5cc16fbec927395873e17af309e093563843a45fa88a4dc5c4f |
| SHA512 | 082ac4166196111810d5ae281be2133cb1310942cd3fdd752f32a8c99f09a5961f110efb7dcc9d626d9a52dfcac0930239e69bc19c7581133ccf59e362553fe9 |
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Screen.jpg
| MD5 | 264844711a7bc75784dd23b7871be143 |
| SHA1 | 9d9c6cbeacd2497f56a3dd16736008b42a7eaf5e |
| SHA256 | b338acdf7da4971f1aad38805c29bf7bfd4c18bfbfa25bf9f2d8fb9f2d1ddc2e |
| SHA512 | fce38062dba1547f7566ed0e7d24aa292c5901bb8a23c823f09e703f9144e858b5d5b183a0a4589a41f1d766091f07075f101367250c35fd5362f119e1c9afbd |
memory/1412-86-0x0000000000400000-0x000000000047D000-memory.dmp
memory/1244-87-0x0000000002770000-0x00000000027ED000-memory.dmp
memory/1820-88-0x0000000000000000-mapping.dmp
memory/1768-89-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/660-92-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 22:50
Reported
2022-06-13 04:34
Platform
win10v2004-20220414-en
Max time kernel
125s
Max time network
143s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CDGH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_dual\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe
"C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe"
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
"C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
C:\Users\Admin\AppData\Roaming\SSJK.exe
"C:\Users\Admin\AppData\Roaming\SSJK.exe"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_dual\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_dual\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_dual"
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
"C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 13.89.179.8:443 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 46.161.51.230:39635 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| US | 52.168.117.170:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| FR | 2.18.109.224:443 | N/A | tcp |
| US | 104.18.25.243:80 | N/A | tcp |
Files
memory/4668-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
| MD5 | a24d6f686b4e46d2a828036ed821f15a |
| SHA1 | 7df1294dd167c8c50b21d5ac5b731ccb140f39e1 |
| SHA256 | a3253375704929d9843d71b2a974661ab9014ebb4a510be7576654be456de5ad |
| SHA512 | 338697d0e29ec48bcc3e8cea7828628472773e2b72a820a81d306f774d81a7e060d70b5a97f4b29c9086c0fc1f0d4a2cc675318e54c4a0f6bdd152754c853936 |
memory/1256-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\SSJK.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/1684-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1684-140-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1684-141-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2628-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/2628-144-0x0000000000400000-0x000000000047D000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt
| MD5 | b6b123fb86a4560a4cdaa1a5fbb6c7ef |
| SHA1 | b290b57709d2f069d810fe545fe223659e3cc075 |
| SHA256 | b9fbf41df701ad41d2d6a83128a2cea09adee50fa827343209e6777335cef873 |
| SHA512 | 5c4c3ed2dfb361b12733edd73925fd16ab34c702efe8a8060240326574534c65c9939e790d2f259f3956c07d59f057108f310792b63ded4b2ad04309953a1906 |
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Screen.jpg
| MD5 | 28a486717c7c13fd5e9452be89838098 |
| SHA1 | 85ee0b66be266575be1e063fc8d0edc6d76e9d50 |
| SHA256 | ccb3cc9e2d2c4f2aab2a594820fec61cbc7a2324f7e4e74d10398630b09123d3 |
| SHA512 | e9515c6ad61141c8d8da4c83a7dd895013328a0d734b1045f1a50f715530a4dddf682fb1dff1f7ad692e17c8c265c7be679e4f80e5d5df6e3eb8ee353b9a7cb6 |
memory/2628-148-0x0000000000400000-0x000000000047D000-memory.dmp
memory/4252-149-0x0000000000000000-mapping.dmp
memory/1684-150-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1684-151-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1868-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
| MD5 | 439e839b6ea367af00f7b99c0e9636a4 |
| SHA1 | 72546bc18281613ce3f0a9138136ae33fe4559e8 |
| SHA256 | cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637 |
| SHA512 | eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b |
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |