Malware Analysis Report

2024-09-23 04:56

Sample ID 220612-ffnmrabbf8
Target 228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075
SHA256 228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075
Tags
qulab discovery evasion ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075

Threat Level: Known bad

The file 228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Sets file to hidden

UPX packed file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-06-12 04:49

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-12 04:49

Reported

2022-06-12 09:01

Platform

win7-20220414-en

Max time kernel

125s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A
Note: "winmgmts:\localhost\" is the COM moniker used to open WMI (the ObjGet("winmgmts:...") pattern of AutoIt scripts), not a file. The sandbox's file-open hook sees the relative string resolved against each process's working directory, which is also why "Drops file in System32 directory" fires above for the same indicator. Read both hits as WMI queries (the storage-device and installed-software enumeration listed in this run), not as a write to System32 or to an alternate data stream.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 2032 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 2032 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 2032 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 940 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
PID 940 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
PID 940 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
PID 940 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
PID 940 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Windows\SysWOW64\attrib.exe
PID 940 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Windows\SysWOW64\attrib.exe
PID 940 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Windows\SysWOW64\attrib.exe
PID 940 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Windows\SysWOW64\attrib.exe
PID 1328 wrote to memory of 1720 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 1328 wrote to memory of 1720 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 1328 wrote to memory of 1720 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 1328 wrote to memory of 1720 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 1328 wrote to memory of 1408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 1328 wrote to memory of 1408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 1328 wrote to memory of 1408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 1328 wrote to memory of 1408 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe

"C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\ENU_687FE978D73A864E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources"

C:\Windows\system32\taskeng.exe

taskeng.exe {753C4C1B-0798-4896-B855-9130E111F08C} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
RU 185.142.97.228:65233 tcp
RU 185.142.97.228:65233 tcp
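The tables above show the chain a detection should tie together: KBDSN1.module.exe is a 7-Zip copy run with the add verb (-y -mx9 -ssw, the last switch meaning "include files open for writing") against the 1\ staging folder, attrib +s +h then hides the folder the archive was written into, and the run talks to api.telegram.org, ipapi.co and a bare IP on TCP 65233. The Python below is an added example, not sandbox or Qulab code: it replays constructed process and network events, copied from the behavioral1 Processes, WriteProcessMemory and Network tables, through rule logic written for this page. The ATT&CK mappings, the rule names, the Proc/analyze helpers and the high-port threshold are assumptions of the example.

```python
"""Correlate the Qulab collection/staging/exfil chain from this report.

Added example, not sandbox or Qulab code. Sample events are constructed from
the report's behavioral1 tables; rule names, ATT&CK mappings and the high-port
threshold are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


STAGE = r"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe"

# Constructed from the report: PIDs and command lines as listed, parent links
# taken from the "PID X wrote to memory of Y" rows.
SAMPLE_PROCS = [
    Proc(2032, None, DROPPER, f'"{DROPPER}"'),
    Proc(940, 2032, STAGE + r"\KBDSN1.exe", STAGE + r"\KBDSN1.exe"),
    Proc(972, 940, STAGE + r"\KBDSN1.module.exe",
         STAGE + r'\KBDSN1.module.exe a -y -mx9 -ssw "' + STAGE
         + r'\ENU_687FE978D73A864E9D41.7z" "' + STAGE + r'\1\*"'),
    Proc(1192, 940, r"C:\Windows\SysWOW64\attrib.exe", f'attrib +s +h "{STAGE}"'),
]

# Constructed from the report's Network table: (domain, ip, port, proto).
SAMPLE_NET = [
    ("api.telegram.org", "149.154.167.220", 443, "tcp"),
    ("ipapi.co", "104.26.9.44", 443, "tcp"),
    ("", "185.142.97.228", 65233, "tcp"),
]

# 7-Zip add verb: <exe> a [switches...] "<archive>" "<source>", whatever the exe is named.
SEVENZIP_ADD = re.compile(
    r'^"?(?P<exe>[^"\s]+\.exe)"?\s+a\s+(?P<switches>(?:-\S+\s+)*)"(?P<archive>[^"]+)"\s+"(?P<source>[^"]+)"',
    re.IGNORECASE)
# attrib [+/-s +/-h +/-r +/-a ...] "<path>"
ATTRIB = re.compile(r'^attrib\s+(?P<flags>(?:[+-][shra]\s+)+)"?(?P<path>[^"]+)"?\s*$',
                    re.IGNORECASE)


def parse_sevenzip_add(cmdline: str) -> Optional[dict]:
    """Return exe/switches/archive/source for a 7-Zip 'a' command line, else None."""
    m = SEVENZIP_ADD.match(cmdline)
    if not m:
        return None
    return {"exe": m["exe"], "switches": m["switches"].split(),
            "archive": m["archive"], "source": m["source"]}


def parse_attrib(cmdline: str) -> Optional[dict]:
    """Return the +/- flags and the target path of an attrib command line, else None."""
    m = ATTRIB.match(cmdline)
    if not m:
        return None
    return {"flags": m["flags"].split(), "path": m["path"]}


def in_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def analyze(procs, net) -> dict:
    """Tie the tells together: a 7-Zip 'a' run from the user profile with -ssw,
    attrib +h on the folder that archive landed in, and the hosts that carry it out."""
    by_pid = {p.pid: p for p in procs}
    r = {"archive": None, "hidden": [], "hosts": [], "bare_ip": [], "tags": set()}
    for p in procs:
        z = parse_sevenzip_add(p.cmdline)
        if z and in_user_profile(z["exe"]) and "-ssw" in z["switches"]:
            r["archive"] = z
            r["tags"].add("T1560.001 archive via 7-Zip copy in user profile")
        a = parse_attrib(p.cmdline)
        if a and "+h" in a["flags"] and in_user_profile(a["path"]):
            parent = by_pid.get(p.ppid)
            r["hidden"].append((a["path"], parent.image if parent else None))
            r["tags"].add("T1564.001 attrib +h on user-profile path")
    # The archive's directory and the hidden directory are the same folder: one chain.
    if r["archive"] and any(parent_dir(r["archive"]["archive"]) == h.lower()
                            for h, _ in r["hidden"]):
        r["tags"].add("staging folder hidden by the chain that archived it")
    for domain, ip, port, proto in net:
        if domain.endswith("telegram.org") and port == 443:
            r["hosts"].append(domain)
            r["tags"].add("T1567 exfiltration over web service (Telegram Bot API)")
        elif domain == "ipapi.co":
            r["hosts"].append(domain)
            r["tags"].add("T1016 external IP lookup via web service")
        elif not domain and proto == "tcp" and port >= 49152:  # assumed threshold
            r["bare_ip"].append(f"{ip}:{port}")
            r["tags"].add("bare-IP TCP connection on high port, no DNS seen")
    return r


if __name__ == "__main__":
    for tag in sorted(analyze(SAMPLE_PROCS, SAMPLE_NET)["tags"]):
        print(tag)
```

The parent link for attrib.exe comes from the WriteProcessMemory rows (PID 940 wrote to 1192), which is how a sandbox records a CreateProcess from an AutoIt-built parent; in an EDR the same correlation keys on the parent PID field instead.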

Files

memory/2032-54-0x0000000075221000-0x0000000075223000-memory.dmp

memory/940-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.sqlite3.module.dll

MD5 71000fc34d27d2016846743d1dcce548
SHA1 f75456389b8c0dd0398bb3d58f0b4745d862e1b5
SHA256 bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03
SHA512 d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

memory/940-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp

\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

memory/972-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Information.txt

MD5 184b0dfd70b5e601d7d29c2869498a18
SHA1 3a22f4eee33c0b5415f61d2190e5c81ecf172896
SHA256 2a4f1e7939d6a2d458456885a4942472c54d031a639a86df2eefc329b478489c
SHA512 1420a38d211b9d813a3022d45be14c42886d2747f78b9038c1bf70a6deb6a851ad3c449f031f6882bcde2822aaf02ec8c8d0194fe45bcb34e5ec2870be7431f1

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Screen.jpg

MD5 ad45db7ebf83291fb1f01831fd86ecc2
SHA1 9d2916f907669774a2ce851ada6c16f5903e8122
SHA256 1243f45b8b8332542a14331768e5318306d49ed7ee0b61b5b33fd72005ebe59d
SHA512 f140a5469de90fd60ade43623182f63e5bb1ef53f54490d7a33a8cf5d24c23b9abaca6661b60cea95aa907bcb4326100779ca0fa809b0e2d15309c46d9877273

memory/972-65-0x0000000000DD0000-0x0000000000E5F000-memory.dmp

memory/940-66-0x0000000002F30000-0x0000000002FBF000-memory.dmp

memory/1192-67-0x0000000000000000-mapping.dmp

memory/1720-68-0x0000000000000000-mapping.dmp

memory/1408-70-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-12 04:49

Reported

2022-06-12 09:02

Platform

win10v2004-20220414-en

Max time kernel

131s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A
Note: AuthRoot\Certificates is the cache that CryptoAPI's automatic root update fills when a process validates a TLS chain whose root is not yet on the box. The crl.godaddy.com traffic in this run, and the absence of this signature in the Win7 run above, fit that reading. Check the thumbprint against the Microsoft Trusted Root Program list before treating this as a rogue CA install.

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 3368 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 3368 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
PID 4396 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
PID 4396 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
PID 4396 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
PID 4396 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Windows\SysWOW64\attrib.exe
PID 4396 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Windows\SysWOW64\attrib.exe
PID 4396 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe

"C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\ENU_801FE97294A87C4E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\*"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe

Network

Country Destination Domain Proto
NL 87.248.202.1:80 tcp
US 52.109.8.21:443 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 67.26.205.254:80 tcp
US 67.26.205.254:80 tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.8.44:443 ipapi.co tcp
US 20.42.65.88:443 tcp
US 104.26.8.44:443 ipapi.co tcp
NL 88.221.144.192:80 tcp
US 67.26.205.254:80 tcp
US 67.26.205.254:80 tcp
US 67.26.205.254:80 tcp
US 8.8.8.8:53 crl.godaddy.com udp
US 192.124.249.31:80 crl.godaddy.com tcp
US 52.242.97.97:443 tcp
RU 185.142.97.228:65233 tcp
US 192.124.249.41:80 crl.godaddy.com tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp

Files

memory/4396-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.sqlite3.module.dll

MD5 71000fc34d27d2016846743d1dcce548
SHA1 f75456389b8c0dd0398bb3d58f0b4745d862e1b5
SHA256 bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03
SHA512 d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

memory/4396-133-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4396-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4396-135-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4396-136-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4064-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe

MD5 965119091c292c96af5011f40dae87a5
SHA1 85708f7bab07528f1b6e9dfbf64648189a513043
SHA256 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b
SHA512 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Information.txt

MD5 3aa341af136cd04e25f90ab6361dae79
SHA1 dff370748d9b85f1e9bcc37c63333fb865ae3ae1
SHA256 7446ab1c6c5ba0d19c3c5097fa0e0c5d79bf76d4ecb0c4780faf39f4c7ad0bb6
SHA512 902442649a5f805cf618759ffe6292f2105c15e5261c35afbc5b4b236d9c32a1bab97d6391949505ab85e47e0a5c909bbf1f122d2d891feeb6e091747f54feb0

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Screen.jpg

MD5 c99974b8f0eb799a334282cecb8656fb
SHA1 93a207014e2177b275696adb8698139a3766ead1
SHA256 d4d7896a9dd04f529da32d02995055f1620724b739d25a4912755acc30aa8e29
SHA512 50eb67f7295fa6fcf23b01c6ca87451e82b785f4e73ee57f028e103ac1581575167d98557cb2df0534812afb546e3e63ab61342b910d895aa07d0891c89ced15

memory/4064-141-0x0000000000C30000-0x0000000000CBF000-memory.dmp

memory/4788-142-0x0000000000000000-mapping.dmp