Analysis
-
max time kernel
126s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-06-2022 06:16
General
-
Target
3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe
-
Size
2.4MB
-
MD5
ca279fdcd6bdc39b7b847135d5de8970
-
SHA1
f3e8f811b9ba5d0d54d72c5562c5a09b64fdeb97
-
SHA256
3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351
-
SHA512
5c0a70b91250261f272d39d7ca4073e9b40d22dc31626dc0e3de567deb86eedeaf2ea91af65830c278c7a26e09b2d721ecbafeb42a41c1695b92cf6af28c7fc8
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"2⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"4⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_687FE978D73A864E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {441ED35D-117B-454F-839F-42123461DFB9} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"3⤵
- Drops file in System32 directory
-
-
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"3⤵
- Drops file in System32 directory
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5be653cc67df80bdeee409aecddc1876f
SHA1b38071652663b4c065608e618d07c661c055bfe8
SHA2561d55e5d948db45e6524f672c85ea59174f1246f136d8c67ec7ae6b005abf401c
SHA5127d9af2270fce1756e0a4a7b78091ec68ae5b1e7ba949dab6196a7cb8d9e2f59caa81ded7980377ed23d753c02824e5afca95097dc19c20816ed1af678daee1b8
-
Filesize
45KB
MD5ce599b0766239e284bb7c9f2ffb2e805
SHA1dfbcf08713734cc5fca7e517821da338b9070e2d
SHA2567d7f531b2048e62fb029cb9b2de8e826258412608101f1fab6f5b6e59274c089
SHA5127bc4aec2621db42c1cc2776b6190736d4823494c74c609eb7908e6f01482259a04587b7099c25a0726a69bdd17019c3d94d0016e0f7dc5fac2bb06089ced26e0
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
1.8MB
-
Filesize
1.8MB
