Analysis
max time kernel: 123s
max time network: 181s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-06-2022 18:40
Static task: static1
Behavioral task: behavioral1
Sample: 15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe
Resource: win7-20220414-en
General
Target: 15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe
Size: 1.8MB
MD5: da0c668fffa87217cfe27c8d89d299ba
SHA1: 23c32d49602a5a6a469fb06a395a29e85a0c2c57
SHA256: 15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d
SHA512: fa9af20cfad0eeff8e3f0ab8a3e015c2d61384c078df062119744684b52ad1138f60d61fa37578faf0a79c9be0997939aa69af169a18a9bf03eea85a8c5b38f4
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\1\Information.txt
Family: qulab
URL: http://teleg.run/QulabZ
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource                                      yara_rule
behavioral1/files/0x000a000000012346-57.dat   acprotect
behavioral1/files/0x000a000000012346-58.dat   acprotect
Executes dropped EXE 1 IoCs
pid   Process
860   avicap.module.exe
Sets file to hidden 1 TTPs 9 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid    Process
1516   attrib.exe
1136   attrib.exe
1756   attrib.exe
1740   attrib.exe
928    attrib.exe
828    attrib.exe
1616   attrib.exe
1720   attrib.exe
992    attrib.exe
UPX packed file 6 IoCs
resource                                                                     yara_rule
behavioral1/files/0x000a000000012346-57.dat                                  upx
behavioral1/files/0x000a000000012346-58.dat                                  upx
behavioral1/files/0x00090000000132d7-62.dat                                  upx
behavioral1/files/0x00090000000132d7-61.dat                                  upx
behavioral1/files/0x00090000000132d7-64.dat                                  upx
behavioral1/memory/860-67-0x0000000000400000-0x000000000047D000-memory.dmp   upx
Loads dropped DLL 4 IoCs
pid    Process
1484   avicap.exe
1484   avicap.exe
1484   avicap.exe
1484   avicap.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
4      ipapi.co
6      ipapi.co
Drops file in System32 directory 2 IoCs
description                    ioc                                        Process
File opened for modification   C:\Windows\SysWOW64\winmgmts:\localhost\   avicap.exe
File opened for modification   C:\Windows\SysWOW64\winmgmts:\localhost\   avicap.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store 2 IoCs
description        ioc                                                                                                                                   Process
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted]   avicap.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474                 avicap.exe
NTFS ADS 2 IoCs
description                    ioc                                                                                             Process
File opened for modification   C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\                                          15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\winmgmts:\localhost\   avicap.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid    Process
1484   avicap.exe
Suspicious behavior: RenamesItself 1 IoCs
pid    Process
1828   15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description                  pid   Process
Token: SeRestorePrivilege    860   avicap.module.exe
Token: 35                    860   avicap.module.exe
Token: SeSecurityPrivilege   860   avicap.module.exe
Token: SeSecurityPrivilege   860   avicap.module.exe
Suspicious use of WriteProcessMemory 52 IoCs
description                        pid    Process                                                                 procid_target
PID 1828 wrote to memory of 1484   1828   15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe   28
PID 1828 wrote to memory of 1484   1828   15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe   28
PID 1828 wrote to memory of 1484   1828   15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe   28
PID 1828 wrote to memory of 1484   1828   15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe   28
PID 1484 wrote to memory of 860    1484   avicap.exe                                                              32
PID 1484 wrote to memory of 860    1484   avicap.exe                                                              32
PID 1484 wrote to memory of 860    1484   avicap.exe                                                              32
PID 1484 wrote to memory of 860    1484   avicap.exe                                                              32
PID 1988 wrote to memory of 2020   1988   taskeng.exe                                                             35
PID 1988 wrote to memory of 2020   1988   taskeng.exe                                                             35
PID 1988 wrote to memory of 2020   1988   taskeng.exe                                                             35
PID 1988 wrote to memory of 2020   1988   taskeng.exe                                                             35
PID 1484 wrote to memory of 1756   1484   avicap.exe                                                              36
PID 1484 wrote to memory of 1756   1484   avicap.exe                                                              36
PID 1484 wrote to memory of 1756   1484   avicap.exe                                                              36
PID 1484 wrote to memory of 1756   1484   avicap.exe                                                              36
PID 1484 wrote to memory of 1740   1484   avicap.exe                                                              37
PID 1484 wrote to memory of 1740   1484   avicap.exe                                                              37
PID 1484 wrote to memory of 1740   1484   avicap.exe                                                              37
PID 1484 wrote to memory of 1740   1484   avicap.exe                                                              37
PID 1484 wrote to memory of 928    1484   avicap.exe                                                              40
PID 1484 wrote to memory of 928    1484   avicap.exe                                                              40
PID 1484 wrote to memory of 928    1484   avicap.exe                                                              40
PID 1484 wrote to memory of 928    1484   avicap.exe                                                              40
PID 1484 wrote to memory of 1616   1484   avicap.exe                                                              42
PID 1484 wrote to memory of 1616   1484   avicap.exe                                                              42
PID 1484 wrote to memory of 1616   1484   avicap.exe                                                              42
PID 1484 wrote to memory of 1616   1484   avicap.exe                                                              42
PID 1484 wrote to memory of 1516   1484   avicap.exe                                                              44
PID 1484 wrote to memory of 1516   1484   avicap.exe                                                              44
PID 1484 wrote to memory of 1516   1484   avicap.exe                                                              44
PID 1484 wrote to memory of 1516   1484   avicap.exe                                                              44
PID 1484 wrote to memory of 1720   1484   avicap.exe                                                              46
PID 1484 wrote to memory of 1720   1484   avicap.exe                                                              46
PID 1484 wrote to memory of 1720   1484   avicap.exe                                                              46
PID 1484 wrote to memory of 1720   1484   avicap.exe                                                              46
PID 1484 wrote to memory of 1136   1484   avicap.exe                                                              48
PID 1484 wrote to memory of 1136   1484   avicap.exe                                                              48
PID 1484 wrote to memory of 1136   1484   avicap.exe                                                              48
PID 1484 wrote to memory of 1136   1484   avicap.exe                                                              48
PID 1484 wrote to memory of 992    1484   avicap.exe                                                              50
PID 1484 wrote to memory of 992    1484   avicap.exe                                                              50
PID 1484 wrote to memory of 992    1484   avicap.exe                                                              50
PID 1484 wrote to memory of 992    1484   avicap.exe                                                              50
PID 1484 wrote to memory of 828    1484   avicap.exe                                                              52
PID 1484 wrote to memory of 828    1484   avicap.exe                                                              52
PID 1484 wrote to memory of 828    1484   avicap.exe                                                              52
PID 1484 wrote to memory of 828    1484   avicap.exe                                                              52
PID 1988 wrote to memory of 1520   1988   taskeng.exe                                                             54
PID 1988 wrote to memory of 1520   1988   taskeng.exe                                                             54
PID 1988 wrote to memory of 1520   1988   taskeng.exe                                                             54
PID 1988 wrote to memory of 1520   1988   taskeng.exe                                                             54
Views/modifies file attributes 1 TTPs 9 IoCs
pid    Process
1740   attrib.exe
1616   attrib.exe
1516   attrib.exe
1136   attrib.exe
1756   attrib.exe
1720   attrib.exe
992    attrib.exe
828    attrib.exe
928    attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\15a65dbe519ad4f4d024fd1695cd9fb20cadde7a5fb914b63c104edede4c037d.exe"
    - NTFS ADS
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 1828
    C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.exe
        Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.exe
        - Loads dropped DLL
        - Modifies system certificate store
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1484
        C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.module.exe
            Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\ENU_687FE9762211651E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\1\*"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 860
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 1756
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 1740
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 928
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 1616
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 1516
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 1720
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 1136
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 992
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 828
C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {D5BC37FA-5177-4553-BBDD-B12646F6524B} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 1988
    C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.exe
        Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.exe
        - Drops file in System32 directory
        PID: 2020
    C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.exe
        Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-directui.resources\avicap.exe
        - Drops file in System32 directory
        PID: 1520
Network
MITRE ATT&CK Enterprise v6
Downloads