Analysis
-
max time kernel
142s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24-12-2023 02:06
General
-
Target
e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe
-
Size
3.5MB
-
MD5
40447a9f2376de63982646d8df22fb55
-
SHA1
958e4c23f9a4387f11165f2534347dbd43010d80
-
SHA256
e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272
-
SHA512
79350e8b916a404d21911e38578275fdcccef56b363af4a10a16d81a904ee9d53146361e6337576bf68b49e9734e71312285bdf5256e3668b83da1ffa8280017
-
SSDEEP
49152:qh+ZkldoPK8Yahamthw94PNgX4h0mM8bVZSY886fynFkzOhFYg0NNT+lxkGvfME4:j2cPK8iEC4Pu4M8nBFkGUTJGv0E6
Malware Config
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NTFS ADS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe"C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe"1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exeC:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe2⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exeC:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_c\ENU_801FE97BE7B671AE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_c\ABC\*"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_c"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exeC:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe3⤵
- NTFS ADS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 31243⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exeC:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe1⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4996 -ip 49961⤵
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exeC:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exeC:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe2⤵
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771Filesize
2KB
MD513d08eefa7e9ac0e758212659a090d83
SHA10aafde37165d310664c2c416a42c16ae2082be71
SHA256f9e1f27031ec344b0403395369661e4796e403e7a0fbb4c0709ad3c2f81fb6b8
SHA512e306f0f014eeb7f0fb76ebf2e19cd9be6e5f4a58282de15787453791e86979921f0a955e8d28c7d55750138889a54873d907160ca432b30256656ae4fa26baa7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A0E67F3F72679DC8EF1F04D13A5B779_5DB5152ADADE9B60A5DDA0E2DEAA7549Filesize
2KB
MD52c955be05e97fe3b9a837049f04def6a
SHA186ec861e7df94920bca4d0d5ece5d6309f5805b3
SHA2564bb142816923152930c11a006c90ad99abbc532baf0536cc881d0b3d9673b6e4
SHA5125385533083a940b9782dd8d0da5fcd69975af4ab2b7b2a51286b7266cb8cb761508bbb7a11047048701605f15ac1704e67a3d33fa6b02437ec9ff1e88e3a2515
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2DFilesize
1KB
MD582e99ff1e05dddaef2b2c9ff59081493
SHA1c4d4906fa5cdd83cd36e05a9c745092cbcf48314
SHA25609b56e50fbb20e7e89213073f816a29d6ef914a63162b71c7a488ea7af6f1eb5
SHA5123d9b9de726965bee51a10468d3d2065457bbc794c91a79f0487a78881a4793661efd4bbe50f65eac96498d5f81034dd6e0f5fb199f476463ff1464d01114ebdf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771Filesize
450B
MD53141827734b9216b9c969a61c6535bc5
SHA1b9ce8fb1a23eb4bdb64adac1b91368a815122fb5
SHA2567b5442faa19c00d80e9d6d3c7cf5ca62842ec6185534cd161ed825ec4f51bcfa
SHA512ff860f8d02ae2ab31474e11f3d6c8d0c7acbe0024972364b078a3df3659afe3ab8fa08325852a56e8119c3ad27f9a6767ea6d9ddd4db1b4b882228e92ecee740
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A0E67F3F72679DC8EF1F04D13A5B779_5DB5152ADADE9B60A5DDA0E2DEAA7549Filesize
478B
MD5ecbc9f772a8da2daf5e6c91030441753
SHA1d9526f45a821b779805f988e1904bda15eea06c4
SHA256a1a2d10a9f087ba6bafcfc98be64e7f194bc1f937c1c12da95e24054acafc747
SHA51243a2f5bf5817f9f34410c0777bb56e54ba3e7c7b4ef275f5f84355ef4b7fbca1a327b1e295214b02b4ba43490e597937b3d4fb77da239ae68edf7a95ba799d52
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2DFilesize
458B
MD58f978e693392c72946020dded1d32349
SHA113f85c4e9a817bbf9842fa42a7a0817dd6e49ce0
SHA25692722b0d98cb8199619b702f43c39c93b8ff7640bea7be3087328ae748a23870
SHA5126c7423a7cf291780b516173235a6cab4d65bf2b5d674cdfa3c362cb7a56f3533530a0cef5d3c13345f5b215430bda67ada298cbe8ba363762b657ccbd7f2672c
-
C:\Users\Admin\AppData\Local\Temp\aut6273.tmpFilesize
360KB
MD52b11bd827ac4323b96cf8adcdd8e3d54
SHA14a170b694a547f4267e714e0195baa9a32338ba9
SHA2568e9b45ec752dfdf7f2c86a69ee0bb0e0ea9bc73d0c02276b19121f29974f1dbb
SHA51215f967cad7815fd71eaf3d86e89a6de3cbc0cb36a5c2cd7793d5ccc4c794f13c45fc74a3b311f89edf86819f72b2994209ab17382ab66e62e526b9d26fb7ee80
-
C:\Users\Admin\AppData\Local\Temp\~dqrjsol.tmpFilesize
679KB
MD521509c1306314862e3d0d015cdc1477f
SHA1380861e237895663b91bff5cb99345b581896358
SHA256b49c88e727629802e5e8e065fa8a3f66cb6fe0874c3c0ea27f19b0f9dd5e43c2
SHA512674fd90d59a39a54a87fbceb2a082336116634a88d3167a4686921934c804bb2228a11b49233fd0849125cb0e8055ae80d3f8d6de0519ac0428d8e318c769b1d
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\EnterUnblock.docxFilesize
831KB
MD5d196c1f2f7cecf048e65e3766e68cd27
SHA10bf92b11c89b83dabe40aae0103836ee7e0b5cf8
SHA2565daac90b20ad504185791222d91b216beeacb0f982804213e49cc117e1540277
SHA512f448b99cd8e9229e7eaea26b19f6cb258b450c91ef3d81d27ba784745cd0b9337fdf4892a6e9737f24e848e397c669006aaefcaaf79270772efe11313dbe9aa7
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Files.docxFilesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Opened.docxFilesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Recently.docxFilesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\These.docxFilesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Information.txtFilesize
4KB
MD545dd544a8228adaee404402f3f700804
SHA175d7ddd8866a1cfa1f0a5026188a4dccee62a48b
SHA25648be0a94f54b0bcd22b3929fa7db1f0335e2d37122761f65e53fc6c51ceedcd4
SHA512702706c016d727f83b58f787c724d9d126542e696a0c768200569ffdfde8888ce0edd7ae37586b90a31cb1cdb65dcf93483403ea2252650946e460c2ac2c5189
-
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Screen.jpgFilesize
49KB
MD539a75eec06471cae3b6a759b367d0c50
SHA1aefbe6d433901e2199a0c3bf1ac06f7a27389eba
SHA256cfad377b49d0462ef84343a8ada0177865ce63df0b118f4513db2058e1a8d098
SHA512d6db2dc93086d27c8074cb28e68aaafd0abcf4095edbbfba06065ecba89752ac5a0ece686f24bfcb96283a8e04ca7044bbe2784aaef7324941c3a1a16da4c9f7
-
C:\Users\Admin\AppData\Roaming\amd64_c\EFilesize
3B
MD5ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA157218c316b6921e2cd61027a2387edc31a2d9471
SHA256f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA51237c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exeFilesize
197KB
MD5946285055913d457fda78a4484266e96
SHA1668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA25623ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA51230a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe.3Filesize
197KB
MD51f8044b1008b5d23d7bc7aba14f87a7d
SHA1455987e9bdb83d371ea21b577228ecb3c563cb38
SHA2563b50d7eba0f50d118c95efd8de04443084a8ca3dcd5a5719df23c87640adb44a
SHA512a89b2e082625ee3001ec2cb407aaee80effd73232d1ac9ad363f24bee0b8d0e38815e61ea589b02587980fa156216c1507cd425a745528c2ebc604c75bea0885
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dllFilesize
256KB
MD514c0972d841002002d2ffdcfe7e35f71
SHA1f9615ff97738240e1596d6894b40493dd364113a
SHA2566c3079ee41b377984c6f2c35f116241d607fd252920ff82f8d2559b9f133856d
SHA51296acfe4ed5953b9ddf285c3c1f26bf5cf1180c8a559105c497b0ab18418048351af7784c64d5a90f1a7a8264ba78d593a639b0df38f59bee5e2b550bf4c9295c
-
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dllFilesize
360KB
MD58c127ce55bfbb55eb9a843c693c9f240
SHA175c462c935a7ff2c90030c684440d61d48bb1858
SHA2564f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
-
memory/1432-62-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
memory/1432-73-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
memory/3472-89-0x0000000004160000-0x0000000004161000-memory.dmpFilesize
4KB
-
memory/3472-88-0x0000000004140000-0x0000000004141000-memory.dmpFilesize
4KB
-
memory/3472-86-0x0000000004130000-0x0000000004131000-memory.dmpFilesize
4KB
-
memory/3472-87-0x0000000004150000-0x0000000004151000-memory.dmpFilesize
4KB
-
memory/4996-91-0x00000000041F0000-0x00000000041F1000-memory.dmpFilesize
4KB
-
memory/4996-38-0x0000000017B10000-0x0000000017B11000-memory.dmpFilesize
4KB
-
memory/4996-90-0x0000000061E00000-0x0000000061ED2000-memory.dmpFilesize
840KB
-
memory/4996-35-0x0000000017AE0000-0x0000000017AE1000-memory.dmpFilesize
4KB
-
memory/4996-37-0x0000000017AF0000-0x0000000017AF1000-memory.dmpFilesize
4KB
-
memory/4996-36-0x0000000017B00000-0x0000000017B01000-memory.dmpFilesize
4KB
-
memory/4996-25-0x0000000065080000-0x0000000065237000-memory.dmpFilesize
1.7MB
-
memory/4996-27-0x00000000041F0000-0x00000000041F1000-memory.dmpFilesize
4KB
-
memory/4996-16-0x0000000061E00000-0x0000000061ED2000-memory.dmpFilesize
840KB
-
memory/4996-13-0x0000000061E00000-0x0000000061ED2000-memory.dmpFilesize
840KB
