Malware Analysis Report

2024-09-23 04:46

Sample ID 220725-ehc4csdfb8
Target 4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166
SHA256 4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166
Tags
qulab discovery evasion ransomware spyware stealer upx
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166

Threat Level: Known bad

The file 4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Sets file to hidden

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-25 03:56

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-25 03:56

Reported

2022-07-26 05:22

Platform

win7-20220715-en

Max time kernel

124s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
PID 1576 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
PID 1576 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
PID 1576 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
PID 1576 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
PID 1576 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
PID 1576 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
PID 1576 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
PID 1888 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1888 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1888 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1888 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 2032 wrote to memory of 832 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
PID 2032 wrote to memory of 832 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
PID 2032 wrote to memory of 832 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
PID 2032 wrote to memory of 832 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
PID 2032 wrote to memory of 908 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Windows\SysWOW64\attrib.exe
PID 2032 wrote to memory of 908 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Windows\SysWOW64\attrib.exe
PID 2032 wrote to memory of 908 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Windows\SysWOW64\attrib.exe
PID 2032 wrote to memory of 908 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Windows\SysWOW64\attrib.exe
PID 1596 wrote to memory of 1068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1596 wrote to memory of 1068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1596 wrote to memory of 1068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1596 wrote to memory of 1068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1596 wrote to memory of 1896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1596 wrote to memory of 1896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1596 wrote to memory of 1896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 1596 wrote to memory of 1896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe

"C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe"

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe

"C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe"

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

"C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe"

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\ENU_687FE97579347BEE9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources"

C:\Windows\system32\taskeng.exe

taskeng.exe {8A606476-3A33-4FC4-8344-BD338C617243} S-1-5-21-3440072777-2118400376-1759599358-1000:NKWDSIWE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipapi.co udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.26.8.44:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 89.191.230.240:65233 N/A tcp
RU 89.191.230.240:65233 N/A tcp

Files

memory/1576-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

memory/1888-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

MD5 4c5663d6ec18f7d05fe4ecb100c020aa
SHA1 193c6eccd581e89ea2d85daccb356059e340e89a
SHA256 d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6
SHA512 ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

memory/1332-64-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

MD5 4c5663d6ec18f7d05fe4ecb100c020aa
SHA1 193c6eccd581e89ea2d85daccb356059e340e89a
SHA256 d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6
SHA512 ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

memory/1332-66-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

MD5 4c5663d6ec18f7d05fe4ecb100c020aa
SHA1 193c6eccd581e89ea2d85daccb356059e340e89a
SHA256 d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6
SHA512 ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

MD5 4c5663d6ec18f7d05fe4ecb100c020aa
SHA1 193c6eccd581e89ea2d85daccb356059e340e89a
SHA256 d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6
SHA512 ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

memory/1332-69-0x000000013FCE0000-0x000000013FECE000-memory.dmp

memory/2032-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/2032-75-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/2032-76-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/1332-77-0x000000013FCE0000-0x000000013FECE000-memory.dmp

\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/832-80-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/2032-82-0x0000000003C70000-0x0000000003CED000-memory.dmp

\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/2032-83-0x0000000003C70000-0x0000000003CED000-memory.dmp

memory/832-84-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\Information.txt

MD5 f254964421cff630da092d12a30ce1ec
SHA1 451f5a335848faa7dfbce0b83d374b99c6f6547c
SHA256 22be2d834b09d6fa8c1f67dd41eb274fec05f5f6682d3be6fbc8642695556cc8
SHA512 ec91c8fa3d1cc624e623314003536d17379cbf4660e9b8c2d7e873d4865df9f626d53d1ab3de27ddb42e42bf626713388d818ef001bdbef716f998acb98e4bbd

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\Screen.jpg

MD5 d9b2a1278121e8b70325c7b51d431bec
SHA1 874687a530581a614ec6b2b882cb104b84497518
SHA256 b0153060812c3b68cc6e4971768289c5e8a753cf32b22b61c28107487702f8bc
SHA512 03124cd47c60f8e7749e0b9260c182fda0e71b47d7fb0d936de03a4da743be95330b0bc4ae9e50d38a5771c9ec9b203302674cefe55398084a65ad17a7f72a64

memory/832-87-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2032-88-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/2032-89-0x0000000003C70000-0x0000000003CED000-memory.dmp

memory/2032-90-0x0000000003C70000-0x0000000003CED000-memory.dmp

memory/908-91-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

memory/1068-92-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

memory/1896-95-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-25 03:56

Reported

2022-07-26 05:22

Platform

win10v2004-20220721-en

Max time kernel

165s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
PID 1616 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
PID 1616 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe
PID 1616 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
PID 1616 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe
PID 4020 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 4020 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 4020 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe
PID 2836 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
PID 2836 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
PID 2836 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe
PID 2836 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Windows\SysWOW64\attrib.exe
PID 2836 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Windows\SysWOW64\attrib.exe
PID 2836 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe

"C:\Users\Admin\AppData\Local\Temp\4c91a53768ca9333752d0c9600d8f1c2e925efd4fa5e884c9aa939f973f8d166.exe"

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe

"C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe"

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

"C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe"

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\ENU_801FE9785E7BA11E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources"

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

Network

Country Destination Domain Proto
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
NL 52.178.17.2:443 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 93.184.221.240:80 N/A tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 93.184.221.240:80 N/A tcp
US 104.26.9.44:443 ipapi.co tcp
RU 89.191.230.240:65233 N/A tcp

Files

memory/4020-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\Build.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

MD5 4c5663d6ec18f7d05fe4ecb100c020aa
SHA1 193c6eccd581e89ea2d85daccb356059e340e89a
SHA256 d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6
SHA512 ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

memory/1896-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\zkGmqIWWfHbnbQQ\GH Inject.exe

MD5 4c5663d6ec18f7d05fe4ecb100c020aa
SHA1 193c6eccd581e89ea2d85daccb356059e340e89a
SHA256 d99c2d6662e6db724442451c5e83de94a2fb0cd624bb26654e9ef8e3e9df38f6
SHA512 ec938a227aee3bfb92edcc6c20a35faa8f5a04efa25b65dec67b58606e6c199357a6eefe4e9a131e0adea52e612ac537ccb42a664abe8c9ada8108f7e717130a

memory/1896-136-0x00007FF6F2AC0000-0x00007FF6F2CAE000-memory.dmp

memory/2836-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/2836-141-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/1896-142-0x00007FF6F2AC0000-0x00007FF6F2CAE000-memory.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/2320-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\Information.txt

MD5 1d7a0320835b8bda482865432e0b6c4d
SHA1 b3f9ca1c8aeea472abc53bd15ddcfb8db6f53a63
SHA256 5592dab948159db01c4aca7c0d9d8a59aa2ea7877ca75f947605b24fbd12459d
SHA512 5f8a958364e4a16847406ebe2f95a0331acef779e77461373a5275717acf723abbbece94192741c8c255f403928f088900af689e4106c1d88476b227f0c71cd3

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\1\Screen.jpg

MD5 ef0a80493bd2ffaf719001ce7856ceec
SHA1 d5114e8ef7a3f6c5b348c1b4bb926d5c5cc6c98a
SHA256 38107af5aeb25b974d056fbb54745a1c94d4d96c3d50166acc1f94cf8ddf5fca
SHA512 0fc875299e0676faf2d398101126f8a55eb4bee516f81d766deaa78325a09464557cda8a12ad7506e7faac84d235e351ea51d8a7ea1982b3c21e347dc6d4114c

memory/2320-148-0x0000000000400000-0x000000000047D000-memory.dmp

memory/4812-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-a..apc-layer.resources\MP3DMOD.exe

MD5 2d3271bf27d0b16d36ae52c52a6fecc5
SHA1 b81c84bea56690dabe6344ac073528fafdaa8628
SHA256 0d198296d0d1e20baaa3d93a18d7b11057cd1ed8a9612bac414d79b5f749792f
SHA512 dcd636b07a973ac2f91d190cc1baa793240d1832cc288aa6e39c421449612966d679cf19a74fe341246129d4b91732df8f6a3429a89739bf59009aa25f0d713b
