Malware Analysis Report

2024-09-23 04:45

Sample ID 220712-s9e9pabec2
Target 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184
SHA256 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184
Tags
vmprotect qulab discovery evasion ransomware spyware stealer upx
score
10/10


Analysis Overview

score
10/10

SHA256

49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184

Threat Level: Known bad

The file 49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184 was found to be: Known bad.

Malicious Activity Summary

vmprotect qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Sets file to hidden

VMProtect packed file

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Suspicious behavior: RenamesItself

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-12 15:49

Signatures

VMProtect packed file

vmprotect

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-12 15:49

Reported

2022-07-13 04:16

Platform

win7-20220414-en

Max time kernel

127s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 780 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 780 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 780 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 948 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 948 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 948 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 948 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 948 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 948 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 948 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 948 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 1904 wrote to memory of 1420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1904 wrote to memory of 1420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1904 wrote to memory of 1420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1904 wrote to memory of 1420 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1904 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1904 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1904 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 1904 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe

"C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Windows\system32\taskeng.exe

taskeng.exe {9414762E-B7DB-4339-A384-EC5E3410D69B} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipapi.co udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.69.226:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 193.233.30.150:65233 tcp
RU 193.233.30.150:65233 tcp

Files

memory/780-54-0x0000000074E91000-0x0000000074E93000-memory.dmp

memory/780-55-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/780-58-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/780-59-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/948-60-0x0000000000000000-mapping.dmp

memory/780-62-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/948-63-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/948-66-0x0000000000D60000-0x0000000001527000-memory.dmp

\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/948-69-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/948-70-0x0000000061E00000-0x0000000061ED2000-memory.dmp

\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/1696-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Information.txt

MD5 7f54e84fcf43c774bb0d03cff43d95bc
SHA1 ca29ff820452ee89b67e1895df1d904ebbb8d226
SHA256 1fb748b7cd02831cacb6aa94258295d03830ba6329ab7a54aaaec1cdfbda82ff
SHA512 9fd86b9ac15b6e39d5cd2e3da44788fe9f7c02ac0c749f78d11a0cd42cc55efb84df6dd0b96abfc00f3dbbad09170f6f8206d195a111b57230a21e62f402fc0c

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Screen.jpg

MD5 dfcd97caabde4ada8a800e6893a93e44
SHA1 d57013c95ff2123229c21a3c2195748683c2ccd1
SHA256 fb01d435eb19715b8296828c34c17e612ab28ad762c78a3475bd8a79edd379f9
SHA512 5ea5fdb06e234eceaef579ea0cd2107584cdd410ef2644b4862d1bc1e036f0e3c3a366ed7ac4108174749c133d9c4aa4db07f1355541bb082c0360d57193b082

memory/1696-77-0x0000000000400000-0x000000000047D000-memory.dmp

memory/948-78-0x0000000003350000-0x00000000033CD000-memory.dmp

memory/1656-79-0x0000000000000000-mapping.dmp

memory/948-80-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/948-81-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/948-82-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/1420-83-0x0000000000000000-mapping.dmp

memory/1420-85-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/1420-88-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/1420-89-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/1676-90-0x0000000000000000-mapping.dmp

memory/1676-92-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/1676-95-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/1676-96-0x0000000000D60000-0x0000000001527000-memory.dmp

memory/1676-97-0x0000000000D60000-0x0000000001527000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-12 15:49

Reported

2022-07-13 04:16

Platform

win10v2004-20220414-en

Max time kernel

171s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 2696 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 2696 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
PID 4056 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 4056 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 4056 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
PID 4056 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 4056 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe
PID 4056 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe

"C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
IE 13.69.239.74:443 tcp
IE 20.54.110.249:443 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 104.26.9.44:443 ipapi.co tcp
US 172.67.69.226:443 ipapi.co tcp
RU 193.233.30.150:65233 tcp

Files

memory/2696-131-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/2696-134-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4056-135-0x0000000000000000-mapping.dmp

memory/2696-136-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4056-137-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4056-140-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4056-141-0x0000000000270000-0x0000000000A37000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/4056-145-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4056-144-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4056-146-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4056-148-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4056-147-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4496-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Information.txt

MD5 93ef7f7acea6b6c7c820f564a119e4d2
SHA1 def465acae236ae027a7b1c839957ae8bac30917
SHA256 bc2207ed62bf358feea6776e9f07b969eecf8589020b0e81d476a1490a579727
SHA512 cde64da388496dbd0f7ce1c4d679ece5d17f01f59e42dda1754c09640536971d61c94aeda661abe6a63c97df2c16a36d0f50c5575c45b2b6044362f9fb3c7705

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Screen.jpg

MD5 7d8789a6db9dd1e923efc3776efc5634
SHA1 4834cca776f0bef2913d27fe0900c32fdc13ec3e
SHA256 872f632526aa8ba4515d062994cd79066ae9d8e116bafff0a87e93a1262bf4b7
SHA512 6b37365f533bda00fe8f413985c86b009eb98044c05633dc73a55b20038fef6899480248a67b1c09e29d6c2180b76fa05418ee81477b184210daa206c0be8159

memory/4496-154-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2580-155-0x0000000000000000-mapping.dmp

memory/3372-157-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/3372-160-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4812-161-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4812-164-0x0000000000270000-0x0000000000A37000-memory.dmp

memory/4812-165-0x0000000000270000-0x0000000000A37000-memory.dmp