Analysis Overview
SHA256
4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4
Threat Level: Known bad
The file 4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Sets file to hidden
Executes dropped EXE
VMProtect packed file
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
AutoIT Executable
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Suspicious behavior: RenamesItself
Views/modifies file attributes
Script User-Agent
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 16:44
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 16:44
Reported
2023-01-29 16:48
Platform
win10v2004-20221111-en
Max time kernel
230s
Max time network
242s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe
"C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe"
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ENU_801FE972F9CE8F3E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\*"
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 2416
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 87.248.202.1:80 | tcp | |
| N/A | 20.189.173.10:443 | tcp | |
| N/A | 87.248.202.1:80 | tcp | |
| N/A | 178.79.208.1:80 | tcp | |
| N/A | 178.79.208.1:80 | tcp | |
| N/A | 8.8.8.8:53 | ipapi.co | udp |
| N/A | 104.26.9.44:443 | ipapi.co | tcp |
| N/A | 104.26.9.44:443 | ipapi.co | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1656-132-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/1656-135-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/1656-136-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/3836-137-0x0000000000000000-mapping.dmp
memory/1656-138-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/3836-139-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/3836-142-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/3836-143-0x0000000000750000-0x00000000019C6000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/3836-146-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/3836-147-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/632-148-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/632-151-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/3572-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/3572-155-0x0000000000400000-0x000000000047D000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\RegisterUnpublish.txt
| MD5 | 5cc76bc870fda765c9291c91a4e9de04 |
| SHA1 | ff577b0e7756517405b560c2ae0af6b0b1e32fd3 |
| SHA256 | 10e3a941f1d1f1fd335848641261a1b12705e658a29bfab7a1d73a17420390de |
| SHA512 | de5801ddb73559cda13b309734d47156ae5a4b50dae1aea11917835729982d101d1c112b11559e7c74354f25e389454dadd3e36afc4c66357352488f4502207c |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\CheckpointUpdate.docx
| MD5 | 79f7e2d2c14352f4028423ca9e2fa602 |
| SHA1 | a08369d16d38f12048bde9913a61b394cf11876a |
| SHA256 | c950a91cb26f3a4be965f75e7fce70d27af2cf6719e42c0fee1d752edd0486af |
| SHA512 | cbf5a686e566e55ae182a5eb6ca953cb35aff61beecd01d8922c6b5d65bed2baf2f3482ac672d6d282fb00c0162a3f742e3a55649960e58c4aa02ea4333a39c7 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\LimitRegister.docx
| MD5 | 06645fc0d6422684d727f7874bafecf3 |
| SHA1 | 529a0096a3d201966ae5542cbf255ccb5dbf49eb |
| SHA256 | 014923193be24bf87d086fb79ba9b67c3f9d1241508ac3a0b2f170a4a2316cb4 |
| SHA512 | 61d9c33351cab3c6c81f5379b8937524cfa220c1210dcf30d2000aa667f312affd421c30e0cf28f0729b36a1c066fb03f5eb9ed796942b0110c9736083d22d1d |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\RenameCopy.doc
| MD5 | 17b6f318d547dccf0336bf230e9adf1a |
| SHA1 | ffb2c156a67408f9679f2c4a700f07fbd2295b31 |
| SHA256 | ab4e7c1c1e7851c0343ec612fdbe145c62a8f609a214bf29e18cf89d281dfa74 |
| SHA512 | b806116ae335c0d3d42a8ee2a9974fd3ce8718c45259cbde9660bead2e9a764f25fa6a406266294aff685418e1fe3e553bcc097ca5f26e243933de9b0d353b58 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\SubmitPublish.docx
| MD5 | e89469b5783baeb1e029386a6c6c2f30 |
| SHA1 | 7e511379484bd6fa9fb4d6f498029dae3a1917ea |
| SHA256 | f3a960a21ec163db85e9cf0dffae38fb491a54780b264dd95b5a4d9359eaecdf |
| SHA512 | 80476405488e78168a481730a5ed19f92ca3a41d1809a9968f15366ebc9705527ba7a684a1906d73c09aac285345577866a853f9f6d1499d6c99093bd2b91e84 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Information.txt
| MD5 | 21ab7f9357e6782eed3e261072858b6c |
| SHA1 | c7d16db24d3a44e270eb471c0b6b4288f0cb8399 |
| SHA256 | 617f9a6ffca3da29ebe583458ce85c53abefef5d991891d7c82a1c18f5833266 |
| SHA512 | ae82714180bc06ca76fc37633f84328c2ffef176a70016ec533d4dd5902c61117256a3da505275df700734faa8caae7e29ec5196c05d5d531e16d26b68bca44f |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Screen.jpg
| MD5 | 915defeb6183868c0b131d637132f2f7 |
| SHA1 | 19dd324bd5057caeedaa07729ce24ce045e02e11 |
| SHA256 | 41a407ed323eaf80e8ce5f6260a19b4bd3fce138906e1d9d4ced927051f0bbbf |
| SHA512 | d74c69d778ffb411931608a438d9d8ac68b5b44c14f596a980ed1a6a47c427589ebfb573fee9e6696ba07a569f95c9f54565d049fc5a396e4b218e5a5f62278a |
memory/3572-168-0x0000000000400000-0x000000000047D000-memory.dmp
memory/4988-169-0x0000000000000000-mapping.dmp
memory/5016-170-0x0000000000000000-mapping.dmp
memory/4988-171-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/4988-174-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/4988-175-0x0000000000750000-0x00000000019C6000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\E
| MD5 | ecaa88f7fa0bf610a5a26cf545dcd3aa |
| SHA1 | 57218c316b6921e2cd61027a2387edc31a2d9471 |
| SHA256 | f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5 |
| SHA512 | 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5 |
memory/4988-177-0x0000000000750000-0x00000000019C6000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ShortInformation.txt
| MD5 | 7843de85c848143d59a053d4791bfd19 |
| SHA1 | 9e7400399a865c0d0779eced67fa135aa9c0fd0d |
| SHA256 | a0bd1063192bf459a0a8cccc2dacda17d22181c2f857e3608a81f1e23f48110b |
| SHA512 | acb16e9ec338c83a277c427f562b81c8dc6127d4092a4d69d36a2490d815c3bc9afc740893b3c87873aa4b5907153fa8df0bcfd9330974d631bb87e109cc9434 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ENU_801FE972F9CE8F3E9D41.7z
| MD5 | 592bfafe2a9b79e71554cec123de66ef |
| SHA1 | 9b9090f91693ee17f06481d3eeecd454de630bc7 |
| SHA256 | d74d506ddb5622b0d8546c0e93247eb664dc9e707a5bd47b61239573f94f2dea |
| SHA512 | 13bf3a5445e326b400404f052bea7e73c89af686f5e8b3887bc4759d372c405d5d37df58dacff692cc1dd2aeef3d63b8276d5c9fbb5e4a0b4ba6140bd88500e7 |
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ENU_801FE972F9CE8F3E9D41
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4988-181-0x0000000000750000-0x00000000019C6000-memory.dmp
memory/3836-182-0x0000000000750000-0x00000000019C6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 16:44
Reported
2023-01-29 16:47
Platform
win7-20220812-en
Max time kernel
149s
Max time network
45s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe
"C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe"
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {7550BDC3-93C5-4EEF-8A3C-AFC370448836} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
Network
Files
memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp
memory/1780-56-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1780-55-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1292-59-0x0000000000000000-mapping.dmp
memory/1780-61-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1292-63-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1292-66-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1452-67-0x0000000000000000-mapping.dmp
memory/1452-69-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1452-72-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1452-73-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1452-74-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1540-75-0x0000000000000000-mapping.dmp
memory/1540-77-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1540-80-0x0000000000E90000-0x0000000002106000-memory.dmp
memory/1540-81-0x0000000000E90000-0x0000000002106000-memory.dmp