Analysis Overview
SHA256
2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30
Threat Level: Known bad
The file 2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Suspicious behavior: RenamesItself
NTFS ADS
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 23:34
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 23:34
Reported
2022-06-21 23:37
Platform
win10v2004-20220414-en
Max time kernel
162s
Max time network
144s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe
"C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe"
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\1\*"
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 89.191.233.38:65233 | N/A | tcp |
Files
memory/2552-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.sqlite3.module.dll
| MD5 | a6e1b13b0b624094e6fb3a7bedb70930 |
| SHA1 | 84b58920afd8e88181c4286fa2438af81f097781 |
| SHA256 | 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd |
| SHA512 | 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591 |
memory/2552-133-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2552-134-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2552-135-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2552-136-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/1192-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe
| MD5 | 9c5b4e4fcae7eb410f09c9e46ffb4a6d |
| SHA1 | 9d233bbe69676b1064f1deafba8e70a9acc00773 |
| SHA256 | 0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9 |
| SHA512 | 59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5 |
memory/1192-139-0x0000000000400000-0x000000000048E000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\1\Information.txt
| MD5 | 6db01f44febdb758d91b1a69cac23114 |
| SHA1 | 2b0aa18eb4cc0445d5e6bb51e4fc2de71def770f |
| SHA256 | 191cd40110af40421e796cff2d6e1876f811a5e0b49849b40b98aa7d66279136 |
| SHA512 | 604eb605142937b5d7638bbd949380eee20d0aac7d26b468552da0b023b51dc5d59cf14cc9dbb8d9bc7404d058961ca4c19ee6ce3744426a397931d5a51c3d43 |
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\1\Screen.jpg
| MD5 | 5aa624ded5ec21c9c1a558ef4c732673 |
| SHA1 | 178a3122878404c5d1a5ad4dd48586ef540d80fe |
| SHA256 | aa0dfea7582d30fb0d6bf1fc1f7c7a72d39d3cdccafbbaebbbf4ec8ea19835ae |
| SHA512 | c919c894b260151068f8cebb7ff5a85103ef5e896049292f9ba62c1e10bb9ccafbf37192768c3e8447c234a8b8e8dd630513850ade15e1f502bce0a64d219ce6 |
memory/1192-142-0x0000000000400000-0x000000000048E000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\ENU_801FE97C5F89A74E9D41.7z
| MD5 | fc3e605571dde7c793fe8b3299bd31b3 |
| SHA1 | e8c420f6de92af7107b5db213e2d7dc7ef74cea6 |
| SHA256 | d9856b7b0bfd78c718f4171606010aa38e71cb7d531fc2b19c52e35141326109 |
| SHA512 | 249926d96188f399bf35867d43dc2b0b73ef06a9647b221ef37dc4b6296f7be22f9c7b0dd674dff50c53f6679157077162d205b92d38ac8b0ac595990c4e9e57 |
C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\ENU_801FE97C5F89A74E9D41
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 23:34
Reported
2022-06-21 23:37
Platform
win7-20220414-en
Max time kernel
34s
Max time network
46s
Command Line
Signatures
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe
"C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe"
Network
Files
memory/1216-54-0x00000000759F1000-0x00000000759F3000-memory.dmp