Analysis
-
max time kernel
135s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 05:55
General
-
Target
c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
-
Size
2.7MB
-
MD5
c37a90a51d440a83a7096423c8e04809
-
SHA1
7094470281801383ed8991407359e339e58cf6f3
-
SHA256
c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3
-
SHA512
70a1b9181a3de343d541ecfc73b76f5e7229653a2c15e82d985e558786ce3a5bb9804dfcc34a96b11d3f49dadc015c005f9adc62fda0aec957e87dc1e75d21b2
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"2⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"4⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"2⤵
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"2⤵
- Drops file in System32 directory
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD51a0f4856bcb50ba46a0c5367cb0c6489
SHA11df28e7fa394d35ef228e398f84cb0376a5b70f1
SHA256beaadd758a648bb9645528c0553e2afc7dea4bdbb06c4f20eda1dd77cd4112fe
SHA512223f22196809e50b1148e2623ffd592712338b1d2a1b8f7cf39f773676f1b6204510e3d08ec46fe4bf12ef1787f175155220a35f13891fae62594b83c713372a
-
Filesize
46KB
MD5999faf5539a5ad7ac9cffaca3df59770
SHA1801d39da33f57a93762bcc86c1bf38bf1d24f730
SHA256a240fb1c08cf76fe1d43f267709bae0f83ff364a47d49979e48d687b111476d3
SHA512dd0fa91127c020abfc6a50ee45d586a896ba2c7feb203e60520ecea68f8def844ab97b43e29ecfeaef931722a90ef9993ae9eb709967dc5f2a9eb80298d175bd
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
Filesize
1.8MB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
1.8MB
-
Filesize
840KB
