Malware Analysis Report

2024-09-23 04:58

Sample ID 230129-t8z35sfd7y
Target 4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4
SHA256 4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4
Tags qulab discovery evasion spyware stealer upx vmprotect
Score 10/10

Analysis Overview

Score 10/10

SHA256 4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4

Threat Level: Known bad

The file 4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion spyware stealer upx vmprotect

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Sets file to hidden

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious behavior: RenamesItself

Views/modifies file attributes

Script User-Agent

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-01-29 16:44

Signatures

VMProtect packed file

vmprotect

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 16:44

Reported

2023-01-29 16:48

Platform

win10v2004-20221111-en

Max time kernel

230s

Max time network

242s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
PID 3836 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe
PID 3836 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
PID 3836 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe

"C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe"

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ENU_801FE972F9CE8F3E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\*"

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3836 -ip 3836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 2416

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

Network

Country Destination Domain Proto
N/A 87.248.202.1:80 N/A tcp
N/A 20.189.173.10:443 N/A tcp
N/A 178.79.208.1:80 N/A tcp
N/A 8.8.8.8:53 ipapi.co udp
N/A 104.26.9.44:443 ipapi.co tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp

Files

memory/1656-132-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/1656-135-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/1656-136-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/3836-137-0x0000000000000000-mapping.dmp

memory/1656-138-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/3836-139-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/3836-142-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/3836-143-0x0000000000750000-0x00000000019C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/3836-146-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/3836-147-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/632-148-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/632-151-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/3572-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/3572-155-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\RegisterUnpublish.txt

MD5 5cc76bc870fda765c9291c91a4e9de04
SHA1 ff577b0e7756517405b560c2ae0af6b0b1e32fd3
SHA256 10e3a941f1d1f1fd335848641261a1b12705e658a29bfab7a1d73a17420390de
SHA512 de5801ddb73559cda13b309734d47156ae5a4b50dae1aea11917835729982d101d1c112b11559e7c74354f25e389454dadd3e36afc4c66357352488f4502207c

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\CheckpointUpdate.docx

MD5 79f7e2d2c14352f4028423ca9e2fa602
SHA1 a08369d16d38f12048bde9913a61b394cf11876a
SHA256 c950a91cb26f3a4be965f75e7fce70d27af2cf6719e42c0fee1d752edd0486af
SHA512 cbf5a686e566e55ae182a5eb6ca953cb35aff61beecd01d8922c6b5d65bed2baf2f3482ac672d6d282fb00c0162a3f742e3a55649960e58c4aa02ea4333a39c7

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\LimitRegister.docx

MD5 06645fc0d6422684d727f7874bafecf3
SHA1 529a0096a3d201966ae5542cbf255ccb5dbf49eb
SHA256 014923193be24bf87d086fb79ba9b67c3f9d1241508ac3a0b2f170a4a2316cb4
SHA512 61d9c33351cab3c6c81f5379b8937524cfa220c1210dcf30d2000aa667f312affd421c30e0cf28f0729b36a1c066fb03f5eb9ed796942b0110c9736083d22d1d

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\RenameCopy.doc

MD5 17b6f318d547dccf0336bf230e9adf1a
SHA1 ffb2c156a67408f9679f2c4a700f07fbd2295b31
SHA256 ab4e7c1c1e7851c0343ec612fdbe145c62a8f609a214bf29e18cf89d281dfa74
SHA512 b806116ae335c0d3d42a8ee2a9974fd3ce8718c45259cbde9660bead2e9a764f25fa6a406266294aff685418e1fe3e553bcc097ca5f26e243933de9b0d353b58

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\SubmitPublish.docx

MD5 e89469b5783baeb1e029386a6c6c2f30
SHA1 7e511379484bd6fa9fb4d6f498029dae3a1917ea
SHA256 f3a960a21ec163db85e9cf0dffae38fb491a54780b264dd95b5a4d9359eaecdf
SHA512 80476405488e78168a481730a5ed19f92ca3a41d1809a9968f15366ebc9705527ba7a684a1906d73c09aac285345577866a853f9f6d1499d6c99093bd2b91e84

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Desktop TXT Files\ts\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Information.txt

MD5 21ab7f9357e6782eed3e261072858b6c
SHA1 c7d16db24d3a44e270eb471c0b6b4288f0cb8399
SHA256 617f9a6ffca3da29ebe583458ce85c53abefef5d991891d7c82a1c18f5833266
SHA512 ae82714180bc06ca76fc37633f84328c2ffef176a70016ec533d4dd5902c61117256a3da505275df700734faa8caae7e29ec5196c05d5d531e16d26b68bca44f

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ABC\Screen.jpg

MD5 915defeb6183868c0b131d637132f2f7
SHA1 19dd324bd5057caeedaa07729ce24ce045e02e11
SHA256 41a407ed323eaf80e8ce5f6260a19b4bd3fce138906e1d9d4ced927051f0bbbf
SHA512 d74c69d778ffb411931608a438d9d8ac68b5b44c14f596a980ed1a6a47c427589ebfb573fee9e6696ba07a569f95c9f54565d049fc5a396e4b218e5a5f62278a

memory/3572-168-0x0000000000400000-0x000000000047D000-memory.dmp

memory/4988-169-0x0000000000000000-mapping.dmp

memory/5016-170-0x0000000000000000-mapping.dmp

memory/4988-171-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/4988-174-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/4988-175-0x0000000000750000-0x00000000019C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\E

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

memory/4988-177-0x0000000000750000-0x00000000019C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ShortInformation.txt

MD5 7843de85c848143d59a053d4791bfd19
SHA1 9e7400399a865c0d0779eced67fa135aa9c0fd0d
SHA256 a0bd1063192bf459a0a8cccc2dacda17d22181c2f857e3608a81f1e23f48110b
SHA512 acb16e9ec338c83a277c427f562b81c8dc6127d4092a4d69d36a2490d815c3bc9afc740893b3c87873aa4b5907153fa8df0bcfd9330974d631bb87e109cc9434

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ENU_801FE972F9CE8F3E9D41.7z

MD5 592bfafe2a9b79e71554cec123de66ef
SHA1 9b9090f91693ee17f06481d3eeecd454de630bc7
SHA256 d74d506ddb5622b0d8546c0e93247eb664dc9e707a5bd47b61239573f94f2dea
SHA512 13bf3a5445e326b400404f052bea7e73c89af686f5e8b3887bc4759d372c405d5d37df58dacff692cc1dd2aeef3d63b8276d5c9fbb5e4a0b4ba6140bd88500e7

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\ENU_801FE972F9CE8F3E9D41

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4988-181-0x0000000000750000-0x00000000019C6000-memory.dmp

memory/3836-182-0x0000000000750000-0x00000000019C6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 16:44

Reported

2023-01-29 16:47

Platform

win7-20220812-en

Max time kernel

149s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe"

Signatures

VMProtect packed file

vmprotect

Reads user/profile data of web browsers

spyware stealer

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1452 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1540 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe

"C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe"

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {7550BDC3-93C5-4EEF-8A3C-AFC370448836} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe

Network

N/A

Files

memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

memory/1780-56-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1780-55-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1292-59-0x0000000000000000-mapping.dmp

memory/1780-61-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1292-63-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1292-66-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1452-67-0x0000000000000000-mapping.dmp

memory/1452-69-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1452-72-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1452-73-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1452-74-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1540-75-0x0000000000000000-mapping.dmp

memory/1540-77-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1540-80-0x0000000000E90000-0x0000000002106000-memory.dmp

memory/1540-81-0x0000000000E90000-0x0000000002106000-memory.dmp