Analysis Overview
SHA256
2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6
Threat Level: Known bad
The file 2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 04:56
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 04:56
Reported
2022-06-12 08:16
Platform
win7-20220414-en
Max time kernel
36s
Max time network
43s
Command Line
Signatures
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe
"C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe"
Network
Files
memory/1880-54-0x0000000075311000-0x0000000075313000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 04:56
Reported
2022-06-12 08:17
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
166s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe
"C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\ENU_801FE97294A87C4E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\1\*"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 52.168.112.66:443 | | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| NL | 2.17.222.14:80 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2068-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.sqlite3.module.dll
| MD5 | a6e1b13b0b624094e6fb3a7bedb70930 |
| SHA1 | 84b58920afd8e88181c4286fa2438af81f097781 |
| SHA256 | 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd |
| SHA512 | 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591 |
memory/2068-133-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2068-134-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2068-135-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2068-136-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2228-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe
| MD5 | 9c5b4e4fcae7eb410f09c9e46ffb4a6d |
| SHA1 | 9d233bbe69676b1064f1deafba8e70a9acc00773 |
| SHA256 | 0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9 |
| SHA512 | 59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5 |
memory/2228-139-0x0000000000400000-0x000000000048E000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\1\Information.txt
| MD5 | cd7a85bd393ed477e0fca3c15af0e2b4 |
| SHA1 | 16b6c38797c6dffb58d33a7bf55e212cc7e5603c |
| SHA256 | b9203240393263b03f01de46e2976e0d1df1350cf8907b6bc93e0e582a75f1eb |
| SHA512 | c9159db2975333a8cd6c0d4431c9bb40b03c54c0539d37c1daf8025e395ea65e9488b7c0a077d8e7d9ae71bddf349da7a80a0a241140e2ca687f5febeea5fa1c |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\1\Screen.jpg
| MD5 | bccbf126462288a152b86e062cbefe1d |
| SHA1 | 9d5225596957c534bb3fa6825b1f04bc50d84820 |
| SHA256 | b7af541066ecc833b36ef75cb7d6a3796a075f674df3f8db0e0dab5fc945e2af |
| SHA512 | 76c22283e239af81db86cac5d9cc4e0b0f861104918ec53377522e38a56042c187fdb6cbc970a083109f4b93d1fe35b68a55ddcd96419dad2e13a61be18dc341 |
memory/2228-142-0x0000000000400000-0x000000000048E000-memory.dmp