Malware Analysis Report

2024-09-23 04:46

Sample ID 220612-fk2eeafbhq
Target 2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6
SHA256 2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6
Tags
qulab discovery ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6

Threat Level: Known bad

The file 2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6 was found to be: Known bad.

Malicious Activity Summary

qulab discovery ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-06-12 04:56

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-12 04:56

Reported

2022-06-12 08:16

Platform

win7-20220414-en

Max time kernel

36s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe"

Signatures

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe

"C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe"

Network

N/A

Files

memory/1880-54-0x0000000075311000-0x0000000075313000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-12 04:56

Reported

2022-06-12 08:17

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe

"C:\Users\Admin\AppData\Local\Temp\2286c65c1d15837f5568a91ca8000d2be89001123a842533258d5df16ca366e6.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\ENU_801FE97294A87C4E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\1\*"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 104.26.8.44:443 ipapi.co tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 52.168.112.66:443 tcp
US 104.26.8.44:443 ipapi.co tcp
US 209.197.3.8:80 tcp
US 172.67.69.226:443 ipapi.co tcp
US 104.26.9.44:443 ipapi.co tcp
NL 2.17.222.14:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2068-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.sqlite3.module.dll

MD5 a6e1b13b0b624094e6fb3a7bedb70930
SHA1 84b58920afd8e88181c4286fa2438af81f097781
SHA256 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA512 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.sqlite3.module.dll

MD5 a6e1b13b0b624094e6fb3a7bedb70930
SHA1 84b58920afd8e88181c4286fa2438af81f097781
SHA256 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA512 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

memory/2068-133-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2068-134-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2068-135-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2068-136-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2228-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\SndVolSSO.module.exe

MD5 9c5b4e4fcae7eb410f09c9e46ffb4a6d
SHA1 9d233bbe69676b1064f1deafba8e70a9acc00773
SHA256 0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9
SHA512 59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

memory/2228-139-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\1\Information.txt

MD5 cd7a85bd393ed477e0fca3c15af0e2b4
SHA1 16b6c38797c6dffb58d33a7bf55e212cc7e5603c
SHA256 b9203240393263b03f01de46e2976e0d1df1350cf8907b6bc93e0e582a75f1eb
SHA512 c9159db2975333a8cd6c0d4431c9bb40b03c54c0539d37c1daf8025e395ea65e9488b7c0a077d8e7d9ae71bddf349da7a80a0a241140e2ca687f5febeea5fa1c

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-i..er-engine.resources\1\Screen.jpg

MD5 bccbf126462288a152b86e062cbefe1d
SHA1 9d5225596957c534bb3fa6825b1f04bc50d84820
SHA256 b7af541066ecc833b36ef75cb7d6a3796a075f674df3f8db0e0dab5fc945e2af
SHA512 76c22283e239af81db86cac5d9cc4e0b0f861104918ec53377522e38a56042c187fdb6cbc970a083109f4b93d1fe35b68a55ddcd96419dad2e13a61be18dc341

memory/2228-142-0x0000000000400000-0x000000000048E000-memory.dmp