Malware Analysis Report

2024-09-23 04:58

Sample ID 220724-z43w5aghdj
Target b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab
SHA256 b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab
Tags
qulab discovery evasion ransomware spyware stealer upx
score
10/10


Analysis Overview

score
10/10

SHA256

b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab

Threat Level: Known bad

The file b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

NTFS ADS

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-24 21:17

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-24 21:17

Reported

2022-07-24 21:20

Platform

win7-20220718-en

Max time kernel

122s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 896 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 896 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 896 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1140 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe
PID 1140 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe
PID 1140 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe
PID 1140 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe
PID 1140 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 1908 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1908 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1908 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1908 wrote to memory of 1664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1908 wrote to memory of 936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1908 wrote to memory of 936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1908 wrote to memory of 936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1908 wrote to memory of 936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe

"C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ENU_687FE97ECA04C4CE9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\system32\taskeng.exe

taskeng.exe {CFBF9C8D-790F-44AC-9C9A-715B2056303A} S-1-5-21-4084403625-2215941253-1760665084-1000:LDLTPJLN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 212.81.38.238:9502 tcp
RU 212.81.38.238:9502 tcp

Files

memory/896-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

memory/1140-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/1140-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/1140-60-0x0000000061E00000-0x0000000061ED2000-memory.dmp

\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/892-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Information.txt

MD5 8d11707e19b246d0231a9575b0bca1ee
SHA1 9f56892d4b7ee60273ad21c2474be121e550f0a0
SHA256 46036761b8882f5e627316be399fe63cfae5153d12e7fb32fd5d6d66d3fbd33c
SHA512 91e535f2ee7a57fdff5ebda8f0164d58eb50af94b5bdbd96083f812cf9305073277f39fc8b286cd23005eef9270ba7ff6ec72a672d69fca79e22249025757be5

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Screen.jpg

MD5 7ac9e8829bcdab7f97a4865f8b93a7f9
SHA1 c64180f68d7377423aee6a8eaccd2246743a0ad0
SHA256 2d77bd1193836b5e72b40db19a01dedcd78739640a91ffd82af0800394e2342b
SHA512 5e6271a7d2e99f9dbfbb43889964f36e092e64da469f8df1dfaa1f47192db69a8b187e795021f589c487ecc0fc8e55fc5f9c1a87723def6f744920abd542c149

memory/892-67-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1140-68-0x0000000004A70000-0x0000000004AED000-memory.dmp

memory/1140-69-0x0000000004A70000-0x0000000004AED000-memory.dmp

memory/1044-70-0x0000000000000000-mapping.dmp

memory/1148-71-0x0000000000000000-mapping.dmp

memory/1940-72-0x0000000000000000-mapping.dmp

memory/1428-73-0x0000000000000000-mapping.dmp

memory/1884-74-0x0000000000000000-mapping.dmp

memory/1664-75-0x0000000000000000-mapping.dmp

memory/936-77-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-24 21:17

Reported

2022-07-24 21:20

Platform

win10v2004-20220721-en

Max time kernel

124s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1876 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 1876 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe
PID 2296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe
PID 2296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe
PID 2296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe
PID 2296 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe

"C:\Users\Admin\AppData\Local\Temp\b6618dc084f82d1a1dacc281ee4b33adb88545d2540dc8753840b5f7564a45ab.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ENU_801FE97682E4151E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources"

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.exe

Network

Country Destination Domain Proto
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 104.26.9.44:443 ipapi.co tcp
RU 212.81.38.238:9502 tcp
US 20.44.10.122:443 tcp
FR 2.18.109.224:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

memory/2296-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/2296-132-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/2296-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/2296-135-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/2296-136-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/2792-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\ContentDeliveryManager.Utilities.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Information.txt

MD5 077864f191bad3d130f37f29cf0c8f8a
SHA1 453022ebe8e92cf63263ce269c63f821e14ab422
SHA256 e15234a4e24045de1ab2bbf3a6c765eda7f1f35b3d5f4cb4f5b35b73c67e1e6f
SHA512 7681e951854bea963802cf822740fab786658b149b19aa4d56ac4158e9b8f78e46b428fd4309725278a1d9eacbc966bfd343f59bef79d6a0ae8ced7a8b0dea64

C:\Users\Admin\AppData\Roaming\x86_microsoft.windows.c..-controls.resources\1\Screen.jpg

MD5 9a2f3f56f3644f174ce8333b611b8239
SHA1 6f57ea3a62401a523c3df752037622286a9d698f
SHA256 8e1b7c704ee804066fffc6de58f9bf7c53bebbd26fdd1e12b97f380595c237e3
SHA512 43975a65348f1d8d500ff4583240695bc22c00e90940d90bbb867ca22208d3839c19be911cc7cb75f328cb36188a025cb28e12ff72db50f433be7cb577800b97

memory/2792-142-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1808-143-0x0000000000000000-mapping.dmp

memory/2836-144-0x0000000000000000-mapping.dmp

memory/4064-145-0x0000000000000000-mapping.dmp

memory/1688-146-0x0000000000000000-mapping.dmp

memory/3508-147-0x0000000000000000-mapping.dmp