Analysis Overview
SHA256
c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3
Threat Level: Known bad
The file c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Sets file to hidden
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: RenamesItself
Views/modifies file attributes
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 05:55
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 05:55
Reported
2022-06-25 06:27
Platform
win7-20220414-en
Max time kernel
127s
Max time network
146s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1596 set thread context of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe |
| PID 1260 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 1004 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 1368 set thread context of 676 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
"C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"
C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
"C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {693C149F-AFA5-47F5-B336-7FC08E789F6B} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 52.19.185.150:80 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1596-54-0x0000000076181000-0x0000000076183000-memory.dmp
memory/1556-55-0x0000000000710000-0x00000000008E5000-memory.dmp
memory/1556-57-0x0000000000710000-0x00000000008E5000-memory.dmp
memory/1556-64-0x000000000073800A-mapping.dmp
memory/1556-66-0x0000000000710000-0x00000000008E5000-memory.dmp
memory/1260-67-0x0000000000000000-mapping.dmp
memory/1660-71-0x0000000000730000-0x0000000000905000-memory.dmp
memory/1660-78-0x000000000075800A-mapping.dmp
memory/1660-80-0x0000000000730000-0x0000000000905000-memory.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1660-83-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1920-86-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
| MD5 | 3db71bacd6dcfccc7e390b9d8d3f3af8 |
| SHA1 | 10f12deb7a4f2bf3f0106c18e9592c74cdde21f6 |
| SHA256 | cf73d85afe7487fa84c636f7a6be38c0521ce7156f6c32868238a06dbf4c252a |
| SHA512 | 04c49ee1b117c54ff2f77edb88a4525d7f91445abf9c407e8e048054ccf5d1b3c76803b41ff88743709c70f58fb863a81bb2907a8327f4b366bd01b4ee7d74bf |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg
| MD5 | 6a65021d5394f88d6edc53e21c022db6 |
| SHA1 | 3e4ec0a97d669bead1220f31ae486638de55ce51 |
| SHA256 | 989f413d553993734a8a74a0b31a946f1a0d7b2ff042d0c2447d242f778b10cf |
| SHA512 | 818071114bbb55eda18c68926e5940deb24297983dee5847abb431e6dc62125e086c83f65067dae643245d30ccf2a9a39d56085285ca6e45bdaf01ca4b6a0c5d |
memory/1920-90-0x0000000000400000-0x000000000047D000-memory.dmp
memory/876-91-0x0000000000000000-mapping.dmp
memory/1660-93-0x00000000044B0000-0x000000000452D000-memory.dmp
memory/1660-92-0x00000000044B0000-0x000000000452D000-memory.dmp
memory/1660-94-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1660-95-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1660-96-0x00000000044B0000-0x000000000452D000-memory.dmp
memory/1004-97-0x0000000000000000-mapping.dmp
memory/1420-101-0x0000000000270000-0x0000000000445000-memory.dmp
memory/1420-108-0x000000000029800A-mapping.dmp
memory/1420-110-0x0000000000270000-0x0000000000445000-memory.dmp
memory/1368-111-0x0000000000000000-mapping.dmp
memory/676-115-0x0000000000670000-0x0000000000845000-memory.dmp
memory/676-122-0x000000000069800A-mapping.dmp
memory/676-124-0x0000000000670000-0x0000000000845000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 05:55
Reported
2022-06-25 06:27
Platform
win10v2004-20220414-en
Max time kernel
135s
Max time network
147s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2340 set thread context of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe |
| PID 1428 set thread context of 4712 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 448 set thread context of 3756 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 4872 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
"C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"
C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
"C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 104.110.191.140:80 | tcp | |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| BE | 8.238.110.126:80 | tcp |
Files
memory/4616-130-0x0000000000000000-mapping.dmp
memory/4616-131-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/4616-138-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/1428-139-0x0000000000000000-mapping.dmp
memory/4712-140-0x0000000000000000-mapping.dmp
memory/4712-148-0x0000000000400000-0x00000000005D5000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/4712-151-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/4712-152-0x0000000061E00000-0x0000000061ED2000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/3156-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
| MD5 | 1a0f4856bcb50ba46a0c5367cb0c6489 |
| SHA1 | 1df28e7fa394d35ef228e398f84cb0376a5b70f1 |
| SHA256 | beaadd758a648bb9645528c0553e2afc7dea4bdbb06c4f20eda1dd77cd4112fe |
| SHA512 | 223f22196809e50b1148e2623ffd592712338b1d2a1b8f7cf39f773676f1b6204510e3d08ec46fe4bf12ef1787f175155220a35f13891fae62594b83c713372a |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg
| MD5 | 999faf5539a5ad7ac9cffaca3df59770 |
| SHA1 | 801d39da33f57a93762bcc86c1bf38bf1d24f730 |
| SHA256 | a240fb1c08cf76fe1d43f267709bae0f83ff364a47d49979e48d687b111476d3 |
| SHA512 | dd0fa91127c020abfc6a50ee45d586a896ba2c7feb203e60520ecea68f8def844ab97b43e29ecfeaef931722a90ef9993ae9eb709967dc5f2a9eb80298d175bd |
memory/3156-158-0x0000000000400000-0x000000000047D000-memory.dmp
memory/3156-159-0x0000000000400000-0x000000000047D000-memory.dmp
memory/1908-160-0x0000000000000000-mapping.dmp
memory/4712-161-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/3756-162-0x0000000000000000-mapping.dmp
memory/3756-170-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/2764-171-0x0000000000000000-mapping.dmp
memory/2764-179-0x0000000000400000-0x00000000005D5000-memory.dmp