Analysis
-
max time kernel
124s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-06-2022 05:31
General
-
Target
ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe
-
Size
2.5MB
-
MD5
fc5526afdeff71b02ef8a3678ee3ee06
-
SHA1
20c9bc6fa983e52145cc0833781217e0c00de992
-
SHA256
ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867
-
SHA512
92765f3248e4be0782fb795c206612354ef3fbe1c32807e1b9be207480e54c483bbe8de9ae67978e5f2e9286182a77965ccdf4fefd33a73784be657458143d3c
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"2⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"4⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A74E6793-C8B3-4304-B3C9-369B768BAD92} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"3⤵
- Drops file in System32 directory
-
-
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"3⤵
- Drops file in System32 directory
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f9ee4fd20a98e030fbfa95ef1d8925cb
SHA1cdc8105f5d85bb6c47feee3377d271e5c8214fb8
SHA256c99a33c4b71f99633ec76cd5e78db83451fa079e4ee3315c8cd93abfbc69246f
SHA512b47c0dfdd37df806c0979885796b2eb27942c098fa4f953a2c26af717e20e2e7bd9264ded5b2f116c83e23116df7a8a6936916bcc10a98a8f050e900fa6d848d
-
Filesize
49KB
MD50cc2316953ce2fa330fee5b902691281
SHA1422ae6e575a17b5d8f842fb4b2d30500d3987624
SHA2560e95298b49ce76a4ae7fa2f7671004e1295e138b7557c65c3de3cc1385807acd
SHA512f5e5646a324eaf803f287c032ac64bfd31d11dbc35b8e75c552ba2a4a23923f2ef381abdcc90fba66ef99fda0310ba7be1e0775f3f64e72fc97fe16b86802618
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
500KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
1.8MB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
8KB
