Analysis Overview
SHA256
1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2
Threat Level: Known bad
The file 1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Sets file to hidden
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
NSIS installer
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 19:54
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 19:54
Reported
2022-06-13 00:52
Platform
win10v2004-20220414-en
Max time kernel
137s
Max time network
140s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CDGH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_dual\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe
"C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe"
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
"C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
C:\Users\Admin\AppData\Roaming\SSJK.exe
"C:\Users\Admin\AppData\Roaming\SSJK.exe"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
"C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_dual\ENU_801FE97294A87C4E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_dual\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_dual"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 8.238.24.126:80 | | tcp |
| NL | 8.238.24.126:80 | | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| IE | 52.109.76.31:443 | | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| RU | 46.161.51.230:39635 | | tcp |
| US | 8.8.8.8:53 | 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/2520-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
| MD5 | eceea2d65991ed05f6954752e9d036e9 |
| SHA1 | 89be5d1bba918a61412b626b9c19fb07150b59d6 |
| SHA256 | 75eb9f06b32f7a10dbd995e7a7422f9ba15ca292c4af18b43b64dcaa14cea407 |
| SHA512 | d3e5ac4b5bc39ae0bf1e5122b951f8bbaa58fbdc524a88a475e99dc54e1471a2f3629b4a9af7dd4ad25f092a514d1166c6ecb788fc97c3adde5a079ff1838a3e |
memory/2872-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\SSJK.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/2532-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/2532-140-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2532-141-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2532-142-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2532-143-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/3068-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
| MD5 | 439e839b6ea367af00f7b99c0e9636a4 |
| SHA1 | 72546bc18281613ce3f0a9138136ae33fe4559e8 |
| SHA256 | cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637 |
| SHA512 | eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b |
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/4016-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt
| MD5 | 202e1043e3225d3afbddbf274565a3e6 |
| SHA1 | c681dc6dc6427488be805917b7efbdedc395d8fa |
| SHA256 | cb4b9cbbe836e0fa0be08815d65bc7407d1f12b2034a4b67947a1c8824267d37 |
| SHA512 | e042a1afc8e881bceb7b742c89d64075f951435d0964e8dd157ad3bfa38de27de4374406937da252ead835b3e0d8d267b42bf8fc49701df13426bcf0edcfcc6c |
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Screen.jpg
| MD5 | 5fa838882ccea0706e8c2d0bf54551e5 |
| SHA1 | b61e91b86c6e4ac170261bb2703d56a976370731 |
| SHA256 | 3bee0d5781dcf58cb42080b251e318f496ffa465c94ca7980377bfaeea5aeff3 |
| SHA512 | 0b1cf52c228646c87782d437e5b4995686ed63d42cde0b2a5fd21e925af1bb5a22cd7e3bbff4137a78f73f890c94c710485c2e9568dac1e7337f1e2aaf432c8f |
memory/4016-153-0x0000000000400000-0x000000000047D000-memory.dmp
memory/2520-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 19:54
Reported
2022-06-13 00:52
Platform
win7-20220414-en
Max time kernel
123s
Max time network
132s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CDGH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXMBK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_dual\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\SSJK.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe
"C:\Users\Admin\AppData\Local\Temp\1ecf815aba32883152cea3a22a8fb2633d948c434d9a746ed0025a4037bb5ee2.exe"
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
"C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
C:\Users\Admin\AppData\Roaming\SSJK.exe
"C:\Users\Admin\AppData\Roaming\SSJK.exe"
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_dual\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_dual\1\*"
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
"C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_dual"
C:\Windows\system32\taskeng.exe
taskeng.exe {003765F7-1D30-4069-A4AE-34ACE0F7791F} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 46.161.51.230:39635 | | tcp |
| RU | 46.161.51.230:39635 | | tcp |
Files
memory/960-54-0x0000000076571000-0x0000000076573000-memory.dmp
\Users\Admin\AppData\Local\Temp\XXMBK.exe
| MD5 | eceea2d65991ed05f6954752e9d036e9 |
| SHA1 | 89be5d1bba918a61412b626b9c19fb07150b59d6 |
| SHA256 | 75eb9f06b32f7a10dbd995e7a7422f9ba15ca292c4af18b43b64dcaa14cea407 |
| SHA512 | d3e5ac4b5bc39ae0bf1e5122b951f8bbaa58fbdc524a88a475e99dc54e1471a2f3629b4a9af7dd4ad25f092a514d1166c6ecb788fc97c3adde5a079ff1838a3e |
memory/948-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
| MD5 | eceea2d65991ed05f6954752e9d036e9 |
| SHA1 | 89be5d1bba918a61412b626b9c19fb07150b59d6 |
| SHA256 | 75eb9f06b32f7a10dbd995e7a7422f9ba15ca292c4af18b43b64dcaa14cea407 |
| SHA512 | d3e5ac4b5bc39ae0bf1e5122b951f8bbaa58fbdc524a88a475e99dc54e1471a2f3629b4a9af7dd4ad25f092a514d1166c6ecb788fc97c3adde5a079ff1838a3e |
\Users\Admin\AppData\Roaming\SSJK.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/852-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\SSJK.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/848-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/848-73-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/848-74-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/360-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt
| MD5 | e5c06ba7ce7ac34aa2220296b4e49479 |
| SHA1 | f1a20e71f9cb2351bf2c18fc57586628c06408d1 |
| SHA256 | 79593d9ba2eee114b4a30797a180ef6458af1b50d49e18c2234c51811188e13c |
| SHA512 | 74c4d7039039ac49037b7265f6e0b57e7101dde7fe6a5887ffc763aa8749a578c3e23cba57c33e8cb034a6c24d25b28cb7f797f27b2b95c69fa355e1d8572449 |
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Screen.jpg
| MD5 | 883d6ad9cfb48704b09d0316804bcfa1 |
| SHA1 | 508fef7b42fd906e1053dc8fcb26b27eb0e47cd6 |
| SHA256 | a716226f6889770f0d6bfa7de5f7f04fe2fc640bf8c5b70ca16dac91891bacab |
| SHA512 | f6dd526633b0dbc1fe03e588ba5faf28c10158760ddd44d0bb79fe5dd1d58160ddb5f356ca8a747ec690a191cd3f94189f60c1e75e9a169c760cf21971d9aa5a |
memory/360-81-0x0000000000400000-0x000000000047D000-memory.dmp
memory/848-82-0x0000000003BB0000-0x0000000003C2D000-memory.dmp
memory/848-83-0x0000000003BB0000-0x0000000003C2D000-memory.dmp
\Users\Admin\AppData\Local\Temp\CDGH.exe
| MD5 | 439e839b6ea367af00f7b99c0e9636a4 |
| SHA1 | 72546bc18281613ce3f0a9138136ae33fe4559e8 |
| SHA256 | cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637 |
| SHA512 | eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b |
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
| MD5 | 439e839b6ea367af00f7b99c0e9636a4 |
| SHA1 | 72546bc18281613ce3f0a9138136ae33fe4559e8 |
| SHA256 | cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637 |
| SHA512 | eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b |
memory/516-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CDGH.exe
| MD5 | 439e839b6ea367af00f7b99c0e9636a4 |
| SHA1 | 72546bc18281613ce3f0a9138136ae33fe4559e8 |
| SHA256 | cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637 |
| SHA512 | eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b |
memory/1356-89-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |
memory/1456-90-0x0000000000000000-mapping.dmp
memory/1068-93-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
| MD5 | f19b8319668ed8f19956434ca5800731 |
| SHA1 | f2b6a5bdd18dd933f677ee9e964564dd897b69ba |
| SHA256 | 45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21 |
| SHA512 | 67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361 |