Overview

overview

10

Static

static

1

1ecf815aba...e2.exe

windows7_x64

10

1ecf815aba...e2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe

  • Size

    1.6MB

  • MD5

    be947dbfee390f2fe39a82e4f3f8615e

  • SHA1

    c303c52cf8de2e903c20a922050055f1a78f63c9

  • SHA256

    1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2

  • SHA512

    f0ead47a4c11dd17c6d8f6e26e670bdc81c90bc3de5c07436c5f5cecce6db70a3437d18b7510ed89762999e4275553b3a0c7a7964bcc2a13bf2aa8ba75d9c53d

Score
10/10
qulabdiscoveryevasionransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt

Family

qulab

Ransom Note
# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 13.06.2022, 00:49:59 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: TBHNEBSE - Processor: Intel Core Processor (Broadwell) - VideoCard: Standard VGA Graphics Adapter - Memory: 2.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 260 - csrss.exe / PID: 332 - wininit.exe / PID: 368 - csrss.exe / PID: 380 - winlogon.exe / PID: 420 - services.exe / PID: 464 - lsass.exe / PID: 480 - lsm.exe / PID: 488 - svchost.exe / PID: 580 - svchost.exe / PID: 660 - svchost.exe / PID: 736 - svchost.exe / PID: 804 - svchost.exe / PID: 836 - svchost.exe / PID: 880 - svchost.exe / PID: 292 - spoolsv.exe / PID: 280 - svchost.exe / PID: 1040 - taskhost.exe / PID: 1200 - dwm.exe / PID: 1300 - explorer.exe / PID: 1368 - svchost.exe / PID: 1720 - sppsvc.exe / PID: 1788 - WMIADAP.exe / PID: 1872 - 1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe / PID: 960 - RTWorkQ.exe / PID: 848
URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

    stealerqulab
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 7 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe
    "C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
      "C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Roaming\SSJK.exe
        "C:\Users\Admin\AppData\Roaming\SSJK.exe"
        3⤵
        • Executes dropped EXE
        • NTFS ADS
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
          C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • NTFS ADS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
            C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_dual\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_dual\1\*"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:360
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_dual"
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1356
    • C:\Users\Admin\AppData\Local\Temp\CDGH.exe
      "C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
      2⤵
      • Executes dropped EXE
      PID:516
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {003765F7-1D30-4069-A4AE-34ACE0F7791F} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
      C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1456
    • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
      C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CDGH.exe
    Filesize

    35KB

    MD5

    439e839b6ea367af00f7b99c0e9636a4

    SHA1

    72546bc18281613ce3f0a9138136ae33fe4559e8

    SHA256

    cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637

    SHA512

    eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CDGH.exe
    Filesize

    35KB

    MD5

    439e839b6ea367af00f7b99c0e9636a4

    SHA1

    72546bc18281613ce3f0a9138136ae33fe4559e8

    SHA256

    cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637

    SHA512

    eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
    Filesize

    1.6MB

    MD5

    eceea2d65991ed05f6954752e9d036e9

    SHA1

    89be5d1bba918a61412b626b9c19fb07150b59d6

    SHA256

    75eb9f06b32f7a10dbd995e7a7422f9ba15ca292c4af18b43b64dcaa14cea407

    SHA512

    d3e5ac4b5bc39ae0bf1e5122b951f8bbaa58fbdc524a88a475e99dc54e1471a2f3629b4a9af7dd4ad25f092a514d1166c6ecb788fc97c3adde5a079ff1838a3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
    Filesize

    1.6MB

    MD5

    eceea2d65991ed05f6954752e9d036e9

    SHA1

    89be5d1bba918a61412b626b9c19fb07150b59d6

    SHA256

    75eb9f06b32f7a10dbd995e7a7422f9ba15ca292c4af18b43b64dcaa14cea407

    SHA512

    d3e5ac4b5bc39ae0bf1e5122b951f8bbaa58fbdc524a88a475e99dc54e1471a2f3629b4a9af7dd4ad25f092a514d1166c6ecb788fc97c3adde5a079ff1838a3e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SSJK.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SSJK.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt
    Filesize

    3KB

    MD5

    e5c06ba7ce7ac34aa2220296b4e49479

    SHA1

    f1a20e71f9cb2351bf2c18fc57586628c06408d1

    SHA256

    79593d9ba2eee114b4a30797a180ef6458af1b50d49e18c2234c51811188e13c

    SHA512

    74c4d7039039ac49037b7265f6e0b57e7101dde7fe6a5887ffc763aa8749a578c3e23cba57c33e8cb034a6c24d25b28cb7f797f27b2b95c69fa355e1d8572449

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_dual\1\Screen.jpg
    Filesize

    50KB

    MD5

    883d6ad9cfb48704b09d0316804bcfa1

    SHA1

    508fef7b42fd906e1053dc8fcb26b27eb0e47cd6

    SHA256

    a716226f6889770f0d6bfa7de5f7f04fe2fc640bf8c5b70ca16dac91891bacab

    SHA512

    f6dd526633b0dbc1fe03e588ba5faf28c10158760ddd44d0bb79fe5dd1d58160ddb5f356ca8a747ec690a191cd3f94189f60c1e75e9a169c760cf21971d9aa5a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit

  • \Users\Admin\AppData\Local\Temp\CDGH.exe
    Filesize

    35KB

    MD5

    439e839b6ea367af00f7b99c0e9636a4

    SHA1

    72546bc18281613ce3f0a9138136ae33fe4559e8

    SHA256

    cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637

    SHA512

    eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\XXMBK.exe
    Filesize

    1.6MB

    MD5

    eceea2d65991ed05f6954752e9d036e9

    SHA1

    89be5d1bba918a61412b626b9c19fb07150b59d6

    SHA256

    75eb9f06b32f7a10dbd995e7a7422f9ba15ca292c4af18b43b64dcaa14cea407

    SHA512

    d3e5ac4b5bc39ae0bf1e5122b951f8bbaa58fbdc524a88a475e99dc54e1471a2f3629b4a9af7dd4ad25f092a514d1166c6ecb788fc97c3adde5a079ff1838a3e

    Download Submit

  • \Users\Admin\AppData\Roaming\SSJK.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • \Users\Admin\AppData\Roaming\SSJK.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • \Users\Admin\AppData\Roaming\SSJK.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • \Users\Admin\AppData\Roaming\SSJK.exe
    Filesize

    1.8MB

    MD5

    f19b8319668ed8f19956434ca5800731

    SHA1

    f2b6a5bdd18dd933f677ee9e964564dd897b69ba

    SHA256

    45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

    SHA512

    67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

    Download Submit

  • \Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit

  • \Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit

  • \Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll
    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

    Download Submit

  • \Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll
    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

    Download Submit

  • memory/360-81-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/848-73-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/848-83-0x0000000003BB0000-0x0000000003C2D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/848-82-0x0000000003BB0000-0x0000000003C2D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/848-74-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/960-54-0x0000000076571000-0x0000000076573000-memory.dmp

    Filesize

    8KB

    Download