Analysis
- max time kernel: 171s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 15:49

Static task: static1
Behavioral task: behavioral1
Sample: 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe
Resource: win7-20220414-en
General
- Target: 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe
- Size: 3.7MB
- MD5: e6d939a4cbc17992753b158c1173451c
- SHA1: 90d8898167449cd08ba3a1728432e681a8754db5
- SHA256: 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184
- SHA512: b14222727e86440fe3173f2c6ce5a7b41b1da3151c78e406fdce525bb692fccc71a2df17a1a064dfc9199ce35b8459256a707b698ef06819df354d7df48098c6
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Information.txt
- Family: qulab
- URL: http://teleg.run/QulabZ
Signatures

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
- behavioral2/files/0x00070000000231d9-143.dat (yara rule: acprotect)
- behavioral2/files/0x00070000000231d9-142.dat (yara rule: acprotect)

Executes dropped EXE (1 IoC)
- PID 4496: sbeio.module.exe

Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.
- PID 2580: attrib.exe

YARA rule hits: upx (5 IoCs)
- behavioral2/files/0x00070000000231d9-143.dat
- behavioral2/files/0x00070000000231d9-142.dat
- behavioral2/files/0x00070000000231e6-150.dat
- behavioral2/files/0x00070000000231e6-151.dat
- behavioral2/memory/4496-154-0x0000000000400000-0x000000000047D000-memory.dmp

YARA rule hits: vmprotect (12 IoCs)
- behavioral2/memory/2696-131-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/2696-134-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/2696-136-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/4056-137-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/4056-140-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/4056-141-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/4056-146-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/3372-157-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/3372-160-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/4812-161-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/4812-164-0x0000000000270000-0x0000000000A37000-memory.dmp
- behavioral2/memory/4812-165-0x0000000000270000-0x0000000000A37000-memory.dmp

Loads dropped DLL (2 IoCs)
- PID 4056: sbeio.exe
- PID 4056: sbeio.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 17: ipapi.co
- flow 18: ipapi.co
- flow 39: ipapi.co

AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/2696-131-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/2696-134-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/2696-136-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/4056-137-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/4056-140-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/4056-141-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/4056-146-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/3372-157-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/3372-160-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/4812-161-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/4812-164-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)
- behavioral2/memory/4812-165-0x0000000000270000-0x0000000000A37000-memory.dmp (yara rule: autoit_exe)

Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\winmgmts:\localhost\ (sbeio.exe)
- File opened for modification: C:\Windows\SysWOW64\winmgmts:\localhost\ (sbeio.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ (49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\winmgmts:\localhost\ (sbeio.exe)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
- PID 2696: 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe (4 events)
- PID 4056: sbeio.exe (6 events)
- PID 3372: sbeio.exe (4 events)
- PID 4812: sbeio.exe (4 events)

Suspicious behavior: RenamesItself (1 IoC)
- PID 2696: 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeRestorePrivilege, PID 4496 sbeio.module.exe
- Token: 35, PID 4496 sbeio.module.exe
- Token: SeSecurityPrivilege, PID 4496 sbeio.module.exe
- Token: SeSecurityPrivilege, PID 4496 sbeio.module.exe

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2696 (49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe) wrote to memory of 4056, target procid 82 (3 events)
- PID 4056 (sbeio.exe) wrote to memory of 4496, target procid 84 (3 events)
- PID 4056 (sbeio.exe) wrote to memory of 2580, target procid 86 (3 events)

Views/modifies file attributes (1 TTP, 1 IoC)
- PID 2580: attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe"
   PID: 2696
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
      Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
      PID: 4056
      - Loads dropped DLL
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
         Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\*"
         PID: 4496
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"
         PID: 2580
         - Sets file to hidden
         - Views/modifies file attributes

1. C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
   Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
   PID: 3372
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

1. C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
   Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
   PID: 4812
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
Network

Remote address: 8.8.8.8:53
Request: api.telegram.org IN A
Response: api.telegram.org IN A 149.154.167.220

Remote address: 149.154.167.220:443
Request:
GET /bot610711208:AAH_KYdito6nI-oMEXxgOOlOmAm7uhCpPrw/getMe HTTP/1.1
User-Agent: AutoIt
Host: api.telegram.org
Cache-Control: no-cache
Response:
HTTP/1.1 401 Unauthorized
Date: Wed, 13 Jul 2022 04:14:30 GMT
Content-Type: application/json
Content-Length: 58
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Remote address: 8.8.8.8:53
Request: ipapi.co IN A
Response: ipapi.co IN A 104.26.9.44; ipapi.co IN A 172.67.69.226; ipapi.co IN A 104.26.8.44

Remote address: 172.67.69.226:443
Request:
GET /json HTTP/1.1
User-Agent: AutoIt
Host: ipapi.co
Cache-Control: no-cache
Response:
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Content-Length: 91
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD, OPTIONS
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yhS4A%2BHrnbnlv0JCGHhgjG8iQYilXfBhNpriGjVwr8FyoN7p%2FJoGBPOSMy36%2Bb3JRJB3J5ZKuc6X%2BZMSF2I3Pmnt0dOqOMEu8z4%2BghlRoriHvFhavv%2F%2BP40G"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 729f323cbc5db89a-AMS

Flows (address, URL, protocol, process, bytes, packets):
- 149.154.167.220:443, https://api.telegram.org/bot610711208:AAH_KYdito6nI-oMEXxgOOlOmAm7uhCpPrw/getMe, tls/http, sbeio.exe, bytes 1.1kB / 6.7kB, packets 15 / 12
  HTTP Request: GET https://api.telegram.org/bot610711208:AAH_KYdito6nI-oMEXxgOOlOmAm7uhCpPrw/getMe
  HTTP Response: 401
- (endpoint not recorded) bytes 630 B / 3.1kB, packets 8 / 7
- (endpoint not recorded) bytes 322 B, packets 7
- (endpoint not recorded) bytes 46 B, packets 1
- (endpoint not recorded) bytes 322 B, packets 7
- (endpoint not recorded) bytes 322 B, packets 7
- (endpoint not recorded) bytes 260 B, packets 5
- (endpoint not recorded) bytes 879 B / 5.3kB, packets 12 / 10
  HTTP Request: GET https://ipapi.co/json
  HTTP Response: 429
- (endpoint not recorded) bytes 260 B / 200 B, packets 5 / 5
MITRE ATT&CK Enterprise v6
Downloads

- (path not recorded)
  Filesize: 3KB
  MD5: 93ef7f7acea6b6c7c820f564a119e4d2
  SHA1: def465acae236ae027a7b1c839957ae8bac30917
  SHA256: bc2207ed62bf358feea6776e9f07b969eecf8589020b0e81d476a1490a579727
  SHA512: cde64da388496dbd0f7ce1c4d679ece5d17f01f59e42dda1754c09640536971d61c94aeda661abe6a63c97df2c16a36d0f50c5575c45b2b6044362f9fb3c7705

- (path not recorded)
  Filesize: 49KB
  MD5: 7d8789a6db9dd1e923efc3776efc5634
  SHA1: 4834cca776f0bef2913d27fe0900c32fdc13ec3e
  SHA256: 872f632526aa8ba4515d062994cd79066ae9d8e116bafff0a87e93a1262bf4b7
  SHA512: 6b37365f533bda00fe8f413985c86b009eb98044c05633dc73a55b20038fef6899480248a67b1c09e29d6c2180b76fa05418ee81477b184210daa206c0be8159

- (path not recorded)
  Filesize: 197KB
  MD5: 946285055913d457fda78a4484266e96
  SHA1: 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
  SHA256: 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
  SHA512: 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
- C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.sqlite3.module.dll
  Filesize: 360KB
  MD5: 8c127ce55bfbb55eb9a843c693c9f240
  SHA1: 75c462c935a7ff2c90030c684440d61d48bb1858
  SHA256: 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
  SHA512: d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02