Overview

overview

10

Static

static

5

4c91a53768...66.exe

windows7-x64

10

4c91a53768...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe

  • Size

    3.2MB

  • MD5

    36cec5d837f6c92e84a1f3e3e684c75d

  • SHA1

    25b9335f00f4c5df73b15075d80caacd7c1a61f4

  • SHA256

    4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166

  • SHA512

    d4a1ffcd1dc5583cc968056c64480733652d7d2de7cb5c85788ddc92c78b486b5d7019ec5ddb90d309c80d74f234f0d1bd9b0cf9a9531c86abaa9a130360aa26

Score
10/10
qulabdiscoveryevasionransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\Information.txt

Family

qulab

Ransom Note
# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 26.07.2022, 07:20:52 Main Information: - OS: Windows 10 X64 / Build: 19041 - UserName: Admin - ComputerName: QAZKGNUX - Processor: Intel Core Processor (Broadwell) - VideoCard: Microsoft Basic Display Adapter - Memory: 4.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 64 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Google Chrome - Microsoft Edge - Microsoft Edge Update - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Java Auto Updater - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Acrobat Reader DC - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - Registry / PID: 92 - smss.exe / PID: 352 - csrss.exe / PID: 436 - wininit.exe / PID: 528 - csrss.exe / PID: 536 - winlogon.exe / PID: 616 - services.exe / PID: 664 - lsass.exe / PID: 672 - fontdrvhost.exe / PID: 768 - fontdrvhost.exe / PID: 776 - svchost.exe / PID: 792 - svchost.exe / PID: 904 - svchost.exe / PID: 956 - dwm.exe / PID: 332 - svchost.exe / PID: 440 - svchost.exe / PID: 736 - svchost.exe / PID: 660 - svchost.exe / PID: 1044 - svchost.exe / PID: 1056 - svchost.exe / PID: 1124 - svchost.exe / PID: 1176 - svchost.exe / PID: 1228 - svchost.exe / PID: 1240 - svchost.exe / PID: 1312 - svchost.exe / PID: 1348 - svchost.exe / PID: 1432 - svchost.exe / PID: 1448 - svchost.exe / PID: 1460 - svchost.exe / PID: 1592 - svchost.exe / PID: 1636 - svchost.exe / PID: 1644 - svchost.exe / PID: 1676 - svchost.exe / PID: 1752 - svchost.exe / PID: 1796 - svchost.exe / PID: 1840 - svchost.exe / PID: 1852 - svchost.exe / PID: 1904 - svchost.exe / PID: 1932 - spoolsv.exe / PID: 1340 - svchost.exe / PID: 1620 - svchost.exe / PID: 1792 - svchost.exe / PID: 2064 - svchost.exe / PID: 2344 - svchost.exe / PID: 2352 - sihost.exe / PID: 2372 - svchost.exe / PID: 2444 - OfficeClickToRun.exe / PID: 2548 - svchost.exe / PID: 2556 - taskhostw.exe / PID: 2576 - svchost.exe / PID: 2624 - svchost.exe / PID: 2640 - svchost.exe / PID: 2656 - svchost.exe / PID: 2676 - svchost.exe / PID: 2996 - explorer.exe / PID: 3068 - svchost.exe / PID: 1384 - dllhost.exe / PID: 3236 - StartMenuExperienceHost.exe / PID: 3320 - RuntimeBroker.exe / PID: 3392 - SearchApp.exe / PID: 3504 - RuntimeBroker.exe / PID: 3664 - dllhost.exe / PID: 1660 - RuntimeBroker.exe / PID: 3308 - svchost.exe / PID: 2572 - svchost.exe / PID: 3932 - svchost.exe / PID: 4136 - sppsvc.exe / PID: 4828 - svchost.exe / PID: 4920 - svchost.exe / PID: 5072 - svchost.exe / PID: 4768 - SppExtComObj.Exe / PID: 2288 - svchost.exe / PID: 3576 - svchost.exe / PID: 4836 - backgroundTaskHost.exe / PID: 4272 - backgroundTaskHost.exe / PID: 3420 - RuntimeBroker.exe / PID: 4132 - SIHClient.exe / PID: 4236 - WmiPrvSE.exe / PID: 3628 - svchost.exe / PID: 3056 - GH Inject.exe / PID: 1896 - MP3DMOD.exe / PID: 2836
URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

    stealerqulab
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 6 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe
    "C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
      "C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe"
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
        C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
          C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\ENU_801FE9785E7BA11E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\*"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4812
    • C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
      "C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1896
  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
    C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:896
  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
    C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:2316

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\Information.txt
    Filesize

    3KB

    MD5

    1d7a0320835b8bda482865432e0b6c4d

    SHA1

    b3f9ca1c8aeea472abc53bd15ddcfb8db6f53a63

    SHA256

    5592dab948159db01c4aca7c0d9d8a59aa2ea7877ca75f947605b24fbd12459d

    SHA512

    5f8a958364e4a16847406ebe2f95a0331acef779e77461373a5275717acf723abbbece94192741c8c255f403928f088900af689e4106c1d88476b227f0c71cd3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\Screen.jpg
    Filesize

    50KB

    MD5

    ef0a80493bd2ffaf719001ce7856ceec

    SHA1

    d5114e8ef7a3f6c5b348c1b4bb926d5c5cc6c98a

    SHA256

    38107af5aeb25b974d056fbb54745a1c94d4d96c3d50166acc1f94cf8ddf5fca

    SHA512

    0fc875299e0676faf2d398101126f8a55eb4bee516f81d766deaa78325a09464557cda8a12ad7506e7faac84d235e351ea51d8a7ea1982b3c21e347dc6d4114c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
    Filesize

    1.8MB

    MD5

    2d3271bf27d0b16d36ae52c52a6fecc5

    SHA1

    b81c84bea56690dabe6344ac073528fafdaa8628

    SHA256

    0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f

    SHA512

    dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
    Filesize

    1.8MB

    MD5

    2d3271bf27d0b16d36ae52c52a6fecc5

    SHA1

    b81c84bea56690dabe6344ac073528fafdaa8628

    SHA256

    0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f

    SHA512

    dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
    Filesize

    1.8MB

    MD5

    2d3271bf27d0b16d36ae52c52a6fecc5

    SHA1

    b81c84bea56690dabe6344ac073528fafdaa8628

    SHA256

    0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f

    SHA512

    dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.sqlite3.module.dll
    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.sqlite3.module.dll
    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
    Filesize

    1.8MB

    MD5

    2d3271bf27d0b16d36ae52c52a6fecc5

    SHA1

    b81c84bea56690dabe6344ac073528fafdaa8628

    SHA256

    0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f

    SHA512

    dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
    Filesize

    1.8MB

    MD5

    2d3271bf27d0b16d36ae52c52a6fecc5

    SHA1

    b81c84bea56690dabe6344ac073528fafdaa8628

    SHA256

    0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f

    SHA512

    dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
    Filesize

    880KB

    MD5

    4c5663d6ec18f7d05fe4ecb100c020aa

    SHA1

    193c6eccd581e89ea2d85daccb356059e340e89a

    SHA256

    d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6

    SHA512

    ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
    Filesize

    880KB

    MD5

    4c5663d6ec18f7d05fe4ecb100c020aa

    SHA1

    193c6eccd581e89ea2d85daccb356059e340e89a

    SHA256

    d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6

    SHA512

    ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

    Download Submit

  • memory/1896-142-0x00007FF6F2AC0000-0x00007FF6F2CAE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1896-136-0x00007FF6F2AC0000-0x00007FF6F2CAE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1896-133-0x0000000000000000-mapping.dmp

    Download

  • memory/2320-143-0x0000000000000000-mapping.dmp

    Download

  • memory/2320-148-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2836-137-0x0000000000000000-mapping.dmp

    Download

  • memory/2836-141-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/4020-130-0x0000000000000000-mapping.dmp

    Download

  • memory/4812-149-0x0000000000000000-mapping.dmp

    Download