Analysis Overview
SHA256
47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8
Threat Level: Known bad
The file 47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Sets file to hidden
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
AutoIT Executable
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
NTFS ADS
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-14 05:28
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-14 05:28
Reported
2022-07-14 09:06
Platform
win7-20220414-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe
"C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows"
C:\Windows\system32\taskeng.exe
taskeng.exe {07CCD7BE-3923-4A04-9250-FF97CBBCF141} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp
memory/112-55-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/112-58-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1204-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\1\Information.txt
| MD5 | 7131dcddc7333aaa6133e4e16235618f |
| SHA1 | 4fb04484cab5a8a3c4bda929f80656428c70a8d6 |
| SHA256 | f88e8e926294915d1ec205f75463ce5476ff385ea30d1fae04eeb021f5875240 |
| SHA512 | 6abb5f471bcad92cbd46347eef0a393e1534bbf93fc0365f24f4d32b8a49e7dd26efcd93be099b5894e3c40fb03ef57501676cbadd3b8c35a652c7bfba8758f9 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\1\Screen.jpg
| MD5 | 6a56d84c443886e6cc1bf5950f3011a6 |
| SHA1 | 744ac937ff6ead74099e166f1448bea2421da022 |
| SHA256 | 6d0cb97a82debda0dcae5de4e08c7e85454b40a68b0fce6e8e883c7ef1700e68 |
| SHA512 | 8006b0e5498718912ec25804c1ff9d212952066fd8729744a3d3ea09db0adc1c24be3e185cce89607471f9f98fa06914dd5680614bf89a08c754e3f39db2154e |
memory/1204-66-0x0000000000400000-0x000000000047D000-memory.dmp
memory/1884-67-0x0000000000000000-mapping.dmp
memory/112-68-0x0000000002A80000-0x0000000002AFD000-memory.dmp
memory/112-69-0x0000000002A80000-0x0000000002AFD000-memory.dmp
memory/112-70-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/112-71-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1504-72-0x0000000000000000-mapping.dmp
memory/1080-74-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-14 05:28
Reported
2022-07-14 09:06
Platform
win10v2004-20220414-en
Max time kernel
93s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe
"C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4352 -ip 4352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 988
Network
| Country | Destination | Domain | Proto |
| GB | 51.104.15.253:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| FR | 2.16.119.157:443 | | tcp |
| FR | 2.16.119.157:443 | | tcp |