Analysis
max time kernel: 130s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2023 14:05
Static task: static1
Behavioral task: behavioral1
  Sample: 3d9ae690ce0efb6453b8417a1f2c3fd7.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 3d9ae690ce0efb6453b8417a1f2c3fd7.exe
  Resource: win10v2004-20231215-en
General
Target: 3d9ae690ce0efb6453b8417a1f2c3fd7.exe
Size: 2.1MB
MD5: 3d9ae690ce0efb6453b8417a1f2c3fd7
SHA1: e64bf38a98608c4c2159fa03d4df1cdd8696e7ef
SHA256: 2e46b4136c5556e634f1ceec894c9618198d36711f0bb45cf2aee4d1b54b0b10
SHA512: 2f5b13655c265a4e7d0ba2312b4fab12c7e965fc57f574952c3f84898157defca31609d3eaf474afcb5339bc7d121318fa5403ca0acd47bf9b286d176be90d97
SSDEEP: 49152:dh+ZkldoPK8YaEWsLotFKuKQcIgBFKDT4QfV4r:O2cPK8761IgCDH9
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid / Process:
  - 1648 attrib.exe

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
  resource / yara_rule:
  - behavioral1/files/0x000b0000000141d3-10.dat acprotect

Executes dropped EXE (1 IoCs)
  pid / Process:
  - 2796 SSShim.module.exe

Loads dropped DLL (4 IoCs)
  pid / Process:
  - 2356 SSShim.exe
  - 2356 SSShim.exe
  - 2356 SSShim.exe
  - 2356 SSShim.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

  resource / yara_rule:
  - behavioral1/files/0x000b0000000141d3-10.dat upx
  - behavioral1/files/0x00080000000147f1-78.dat upx
  - behavioral1/memory/2796-87-0x0000000000400000-0x000000000047D000-memory.dmp upx
  - behavioral1/memory/2796-91-0x0000000000400000-0x000000000047D000-memory.dmp upx

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 9 ipapi.co
  - 10 ipapi.co

Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ SSShim.exe
  - File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ SSShim.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
  description / ioc / Process:
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 SSShim.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 SSShim.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 SSShim.exe
NTFS ADS (2 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ 3d9ae690ce0efb6453b8417a1f2c3fd7.exe
  - File opened for modification C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\winmgmts:\localhost\ SSShim.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid / Process:
  - 2356 SSShim.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid / Process:
  - 2656 3d9ae690ce0efb6453b8417a1f2c3fd7.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeRestorePrivilege 2796 SSShim.module.exe
  - Token: 35 2796 SSShim.module.exe
  - Token: SeSecurityPrivilege 2796 SSShim.module.exe
  - Token: SeSecurityPrivilege 2796 SSShim.module.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target:
  - PID 2656 wrote to memory of 2356 2656 3d9ae690ce0efb6453b8417a1f2c3fd7.exe 28
  - PID 2656 wrote to memory of 2356 2656 3d9ae690ce0efb6453b8417a1f2c3fd7.exe 28
  - PID 2656 wrote to memory of 2356 2656 3d9ae690ce0efb6453b8417a1f2c3fd7.exe 28
  - PID 2656 wrote to memory of 2356 2656 3d9ae690ce0efb6453b8417a1f2c3fd7.exe 28
  - PID 2356 wrote to memory of 2796 2356 SSShim.exe 30
  - PID 2356 wrote to memory of 2796 2356 SSShim.exe 30
  - PID 2356 wrote to memory of 2796 2356 SSShim.exe 30
  - PID 2356 wrote to memory of 2796 2356 SSShim.exe 30
  - PID 2420 wrote to memory of 544 2420 taskeng.exe 36
  - PID 2420 wrote to memory of 544 2420 taskeng.exe 36
  - PID 2420 wrote to memory of 544 2420 taskeng.exe 36
  - PID 2420 wrote to memory of 544 2420 taskeng.exe 36
  - PID 2420 wrote to memory of 996 2420 taskeng.exe 37
  - PID 2420 wrote to memory of 996 2420 taskeng.exe 37
  - PID 2420 wrote to memory of 996 2420 taskeng.exe 37
  - PID 2420 wrote to memory of 996 2420 taskeng.exe 37
  - PID 2356 wrote to memory of 1648 2356 SSShim.exe 38
  - PID 2356 wrote to memory of 1648 2356 SSShim.exe 38
  - PID 2356 wrote to memory of 1648 2356 SSShim.exe 38
  - PID 2356 wrote to memory of 1648 2356 SSShim.exe 38

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid / Process:
  - 1648 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3d9ae690ce0efb6453b8417a1f2c3fd7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d9ae690ce0efb6453b8417a1f2c3fd7.exe"
  PID: 2656
  - NTFS ADS
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
    Command line: C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
    PID: 2356
    - Loads dropped DLL
    - Modifies system certificate store
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.module.exe
      Command line: C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\ENU_687FE9771A274C7E9D41.7z" "C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\1\*"
      PID: 2796
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\msil_napsnap.resources"
      PID: 1648
      - Sets file to hidden
      - Views/modifies file attributes

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {DC4C7068-9E96-48B7-BFD1-48519C7352EA} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
  PID: 2420
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
    Command line: C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
    PID: 544
    - Drops file in System32 directory

  C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
    Command line: C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
    PID: 996
    - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 3KB
MD5: ec7f08dc78feec4ae8a9e78b24e82721
SHA1: 4335266f9d31067ad00b512cb7502177dacedcb9
SHA256: d201206031d264cc1c2f34a79514e1a338c8e3e20e7883d458c0b9a5d726dc3a
SHA512: 24fe4eb6fe2576b6d320ccf8cb20027b515fbf5c374c5490d6f6dced329a6aed52a606f40aabf26df922c9571b04324769407779526b3a9a1760baa0aa9954bb

Filesize: 47KB
MD5: 00d08b877382588a84b0f985f299b718
SHA1: 3c2cbf9dbf16e228d5aff06172c7ac56bfbf267c
SHA256: f61e08cad2a2c3f9bf9e6ed57c33f72cccf449465cb6f52b5c7bae48f931e7b1
SHA512: db69f301ba8f503009b1f26ff82299d9422bf681e7cf5676e71e02e18a90b3e7484bda5900e6401531c0153e996279d3b4602693ad32b4801760b3ef1a5c1719

Filesize: 197KB
MD5: bde3266064c287f3acbbd36e2f397d1c
SHA1: 001f15df928bf9e0d74ae0263b131cda35470d8b
SHA256: 59e188fcb29afeaef50adecc9473b8a1dc9b25743e14e0911fef2e9c1e62db76
SHA512: ba0f1c6b5e52c0b0ff7c0bf8637fca16a6f591e0d0807c50aaf904e95788fc6eec169554f1a8cf47a09bb18b8f94b34c2f8cd67d7bfdc7300180f54c79a62d75

Filesize: 360KB
MD5: f2613cc54e47166dc40f6b26f74f72f3
SHA1: 63f7a6117c80f67697805bcf75c9fb003411039f
SHA256: 4cb37237ac6ee8150c83a179858e13abfd619416a62b69acf3bf4e28fd7055bb
SHA512: ffd714f97f2e39da4a391c99fed72fe8e14b59872e15059ac9874a92c2d2cc3860c0ae2f2c108a3cee39c59d51a817882d0fda8ef6f7d1413ced26da5be99fef

Filesize: 197KB
MD5: 946285055913d457fda78a4484266e96
SHA1: 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256: 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512: 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Filesize: 360KB
MD5: 8c127ce55bfbb55eb9a843c693c9f240
SHA1: 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256: 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512: d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02