31c32fbd3477f992fd7d611ac2b266f5eb4f492da6bd5474e0475836e7e32a95

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

877cde6af346133b87ddc8e24dca25e8.exe
Size

15.2MB
MD5

877cde6af346133b87ddc8e24dca25e8
SHA1

b697908d3fc2534531511a4009219d3f52e4afa3
SHA256

31c32fbd3477f992fd7d611ac2b266f5eb4f492da6bd5474e0475836e7e32a95
SHA512

7ec31998154b1a6e665b9397940607a3c7b01c19a43c9462ce0b7a686df34da4e69ac4ed77cc4662905bd1f2188a297106632b25b94a65e381b33efe342ab417
SSDEEP

393216:o5oUDm1qNTbdNf5ua7ebDDD9VdhpA+VegWedEFCas:ckqpn5uawz9VdhW+VegWZFls

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1436	svchost.exe
2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe
1788	autorun.exe

Loads dropped DLL 10 IoCs

pid	Process
2144	877cde6af346133b87ddc8e24dca25e8.exe
2144	877cde6af346133b87ddc8e24dca25e8.exe
2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe
1788	autorun.exe
1788	autorun.exe
1788	autorun.exe
1788	autorun.exe
1788	autorun.exe
1788	autorun.exe
1788	autorun.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1436-10-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1436-12-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1436-16-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1436-20-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1436-24-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1436-26-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1436-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\desktop.ini	WinampPROFullv5.63+Serials[ChattChittoRG].exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\desktop.ini	WinampPROFullv5.63+Serials[ChattChittoRG].exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2144 set thread context of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1788	autorun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	877cde6af346133b87ddc8e24dca25e8.exe
Token: SeDebugPrivilege	1436	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe
1788	autorun.exe
1788	autorun.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 1436	2144	877cde6af346133b87ddc8e24dca25e8.exe	28
PID 2144 wrote to memory of 2832	2144	877cde6af346133b87ddc8e24dca25e8.exe	29
PID 2144 wrote to memory of 2832	2144	877cde6af346133b87ddc8e24dca25e8.exe	29
PID 2144 wrote to memory of 2832	2144	877cde6af346133b87ddc8e24dca25e8.exe	29
PID 2144 wrote to memory of 2832	2144	877cde6af346133b87ddc8e24dca25e8.exe	29
PID 2144 wrote to memory of 2728	2144	877cde6af346133b87ddc8e24dca25e8.exe	30
PID 2144 wrote to memory of 2728	2144	877cde6af346133b87ddc8e24dca25e8.exe	30
PID 2144 wrote to memory of 2728	2144	877cde6af346133b87ddc8e24dca25e8.exe	30
PID 2144 wrote to memory of 2728	2144	877cde6af346133b87ddc8e24dca25e8.exe	30
PID 2832 wrote to memory of 1788	2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe	32
PID 2832 wrote to memory of 1788	2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe	32
PID 2832 wrote to memory of 1788	2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe	32
PID 2832 wrote to memory of 1788	2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe	32
PID 2832 wrote to memory of 1788	2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe	32
PID 2832 wrote to memory of 1788	2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe	32
PID 2832 wrote to memory of 1788	2832	WinampPROFullv5.63+Serials[ChattChittoRG].exe	32

C:\Users\Admin\AppData\Local\Temp\877cde6af346133b87ddc8e24dca25e8.exe
"C:\Users\Admin\AppData\Local\Temp\877cde6af346133b87ddc8e24dca25e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\WinampPROFullv5.63+Serials[ChattChittoRG].exe
  "C:\Users\Admin\AppData\Local\Temp\WinampPROFullv5.63+Serials[ChattChittoRG].exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
    "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\WinampPROFullv5.63+Serials[ChattChittoRG].exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\j.vbs"
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinampPROFullv5.63+Serials[ChattChittoRG].exe

Filesize
1.5MB

MD5
e9c3ccac24fb59e089d2bb2b3e19f4ea

SHA1
a3b71449f9acfcb3df64d5dec21f7d5f2e9ee0b2

SHA256
f7606ea7619658aa75c2554db9f55159634ccfd0d6bb151c79c64c661c004a71

SHA512
face4cd71ceac006a66a691ce961763b94984070d6207b0f7fe7846520523c6d59a9c8a2c655f226864f1d52837f2279f536cea17587e90b7c6cdb089d2bb358

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinampPROFullv5.63+Serials[ChattChittoRG].exe

Filesize
1.7MB

MD5
89468eea4ce14c87383d77855ff293ad

SHA1
208798e3c5c12c41b3f93ae941a2982754a0a307

SHA256
9b0a513719ac514b02b6f72d54ec118f612ec56cbd5e580b0961a28070df73d6

SHA512
a0e67bc265f9cc3f499aa37fb9ad4fc9d683e39115cf6f414b7db9ce4e601a36cf3ecc572b935d51caea0486ec1cbdc4b86c3504e99bddacf0dde19488543a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\03 - The King.wma

Filesize
417KB

MD5
0bcffe0a03c60ed584e9b39c26ef18df

SHA1
d042c4338bd8c988f928cac6230791c3023a22eb

SHA256
40f803e04f41879dd24199741275c3f840c065de95f120f946c583b6e1212b9c

SHA512
e8093875f4e9bba82602a99cd5b7acee120522fbd42a1cad32aa7423e45cc077f495b53b0f851a1e764488a3a8619d277983dd99c14cae83fe2520fcd21853da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\3_1644.btn

Filesize
11KB

MD5
7345c48fa6906c62cf83f9ecdfb3fd9e

SHA1
bdb2bb7eb8ad39766cb711a812dc3aca5dd7d309

SHA256
f931b18743751deac39833af769f0bef90f6dacad3391ff9313b7cf1f887d677

SHA512
6721161f597cfec13e1b33c07c7b5e0535bd633bb78f0fa1c6c976e5c346aaa9017b32043e477011f8592eecf00325f37485f966d28c8134ae27eb2c0085dd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\50_1644.btn

Filesize
11KB

MD5
ad33ec36bde1ef431d54a45ec58b7963

SHA1
96bd47e23cc140d5071c09ebf785c3deb765db3d

SHA256
4a6e46a278e15b4dc6de46dac31844bad097121ece51fbb53364f85ff67bccc3

SHA512
de7bedba3a8afe489e54211140a1b2ad6be60d71154972638e06b3b50448406f73b620f809c672041e3e4b41932b1c16c11d1d2d382602ff099d1bc0e05013a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\7_1644.btn

Filesize
10KB

MD5
ec0c801a69783dc5e55934573c11b409

SHA1
33a8a25adb0839b5c6a256fbef6a24c8d6b3ffe0

SHA256
57906ceb6ef70fea27a7e582a7d8ad77460e33922f5dd7647e1e569fe26696e4

SHA512
7a4bce2c4191f4280edaf07bb2f1dc5da6fd0da14093cf4dd36a305c67459ffabf0923b8677886d8493e7741756cb4b99f834f583bc5eff2f143a11cfb7d1ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\600px-Feed_Icon_Bl-Or.png

Filesize
1KB

MD5
fc50f99834715964143f275857d8fffa

SHA1
0216cf014c69b97f0828baf267034e2cffad9861

SHA256
5452c3dbdac871c08f8e0f6fdbffe02d46306ab398fede7e802f9c3cc6289e28

SHA512
f327f154b7ccfda7ec1212b962d93f016c21873c0b7ef471052b65d13c37f47fcabb52358290a9eb2743f7fe3c26166f23e83f4c901983101c099a1a1a83dbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\CC85.jpg

Filesize
213KB

MD5
25a4c30a2b06671fdbf6ebfd15ff3d71

SHA1
6f5d9bdfa38fd7f4ff0ded007ba700aa57699340

SHA256
d0be92a079bcf94c7b30fd9a16f9b9c6dcb5a4e0207414476e605881064a895c

SHA512
02f84c5acef691eacb268d3c6fd28fbceaf58034574ff934a466a3ffcc4f0c43c3f263c4d4a58d485926d2f336570b18001ff63fd48b8cb5a2dc302689feea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\hoBrl77.png

Filesize
25KB

MD5
c366310248b99ca74bbcc68db5d23541

SHA1
3e7fa94b15b380c21c59fc15a48399e376a6beee

SHA256
b318d4ccc1c9c34cbebd0f20975f2a82608ff58f27461b9a2d9a123be5e76551

SHA512
558bccae1040d99c997581b034654ad5eddb41cab332be120a1fb76f501058b45716bf9321304084c12248c65a38565cedde8020d783f0faa8754f5280e9c169

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
658KB

MD5
98d29eee09810500117e3cc5df7d5824

SHA1
1606b82fcfcb19be01558b1b84d5687bdeb7a0a8

SHA256
10edb9747970df5ddab9d2939de7c8a79a446c4dd9884bdfb5bf54ea78062340

SHA512
df58cabb2784c674e646ae56382b1e126cd46aace12334a9eda60b9f4765df6b14f9359fe92511c8ba52eeabf8da94d325ef9b703303663bfa635a56bd053612

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\ChattChittoRG.ico

Filesize
4KB

MD5
8f7b72d2ee6c94342c7bac142124c396

SHA1
ad83800018b826d0d1a57a5354faa3e3594782de

SHA256
4aaa23f4db055167cfa55f1f0e5221342acff83e152602ecf01be703c5dcebdc

SHA512
85f97b294daafe77fa0426a2d799611b365b58361c4d87157e8f36ae41f04849c6471a7ec235e11fddeb3033d48b55e48d1dff0b758421748653baf5eea3ffda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1.9MB

MD5
d37990193ffde15c1c95c82b9091aaaf

SHA1
9f4ea136613181cadfb0047e20c779e0d074fc68

SHA256
2f899d2dbc8b5caf989bb71f994069b02dcab0979952a9b141abb53f49a021b2

SHA512
3c74501091f994e24cf145270c5ed12af0ca286a1aad021d8fff6feff5d38fc47103b8d97650b67b90f64566f0994664ef8e3811fcb48a9d4bc39e107cd5cc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1.5MB

MD5
de33eaa2a6b707babe2d926cfbd80e13

SHA1
f82cd9b7e83ce6edc97b8fca7beb983a1c356b7b

SHA256
eb12f1a99e23619297c2b93201c155c301289616f8b30783197256d7a5406c94

SHA512
7d1dc528f9a128d8339077bb922363969ca0a9737a01771bb9d1dde0b7a5dbb587dd7cf5583b40e3cf42457c00a217015c31adc7dfdd77d01c28da8a52e4e783

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1.8MB

MD5
be826e7bb8c03426866dc35044da35e1

SHA1
dc90298b09b645bb215e134feb302ce2ecaf7467

SHA256
2acb9e69eabd242f761855834b534532766443451be8ac58e6b0c800030b5d49

SHA512
4955c7a21b022b46cbcfa13a96b7942a1478cec01db55e4183970b851991d3f58757685fdf97a6e0025182a5fd142532faf76a615c4b6f54d20e16657cdf290f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j.vbs

Filesize
343B

MD5
65f94bdf37000c4e117754678961b3df

SHA1
1c923def5d3198b49e4ace9c5054d1a41324d43a

SHA256
a8fd3a5c18a3ba04d4634974ad524c9283089148cc677fee58d311a0aa6b950b

SHA512
f21526e5ccb670e38a18bdd4dd49ca595569df5e0d83a3da2c5853205de440c81724409f84017132df4bb06e1d5e3604b7853669169238bc0a60610eab31dd05

Download Submit
\Users\Admin\AppData\Local\Temp\WinampPROFullv5.63+Serials[ChattChittoRG].exe

Filesize
2.6MB

MD5
12dcb011c5d3e2a02f0726be7fad7328

SHA1
b953c09aeb0a282d060569fd17d9a84b2aaecf6e

SHA256
1bd5dc42e4b276ea9e66c83ada56be6d4630705fd7e4116c780b4bbc9bbadb0c

SHA512
c9d8bea8b4bc71f9db12fcc21b37c82b0b0a25586c28deac7652a02f6ea6810cae0f81d3bff6b660ad14f8711d852a13d772a1bb7f29cbfb3f35cd2c73e6a2ac

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Clipboard\Clipboard.lmd

Filesize
156KB

MD5
d6fce9ed4ff1e94c7281b56ec8834da0

SHA1
bf82d6e4b046736868c6ab0d3d407e0bd32cd4cb

SHA256
7256c1e68324b4e4ebe77b256056eda19fdd04e64b9618d8cba10c3ca13a2dee

SHA512
7efb6047d29082f06d1a4f38a7512bd339ac38a581f86fae12dcab029433651ea0da7fc8f32947b7c754d98ac768207ecee21691ed4ed3fc388f8da674482f97

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRDissolveTransition.tns

Filesize
136KB

MD5
6a9b0ab9341ac4204aafc7fac9872962

SHA1
dc6ceafcb39b7329552d0883f2c3284dddbb0ddc

SHA256
6315b5d1869c3b4cbcbead77ad63da3a60d86ede287eccef338f74178ec181f2

SHA512
76bacf1de5ac883bb47ae8d3299d5f399ae84bcd19eadc3fd8ee01ae2605bbbbddd6aacf7fdec490b8e6baf362ae05dbf972a5710c2bc732e8542a1c5d04bca6

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRSlideTransition.tns

Filesize
132KB

MD5
c6fc6f1cd59b8b72ec955d98c29b111e

SHA1
2ce73db8ebea6f243dd0a7eb6691aa7719c7a3ae

SHA256
a251f8506a4a57b1d3b8c152fb64b5a7734de6d604426a248f3b5ea285f16a71

SHA512
f30d67e5ddc19ee968822f757b1856747d6a36e746b9ac1fdec29ac0ea9a78c0b4654db55d34bf74f257ae26021fa1497a2f55400f806e0f63af077e4be4904a

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRWipeTransitions.tns

Filesize
132KB

MD5
a539ec7d0360ec3cec602f2efae23431

SHA1
7abfc4b804e48da8959853dadc167ecad7c55f08

SHA256
56bccf800014462ea1393f0d6008fbecff6fbb8d1761dbf1aed8880bdd0a6408

SHA512
17984c3eaf5eb51780f83a5575b074473c88bb7239ff24b0f3b7ff767d26b08beeaab58ac7d122d5588c2d648cc1ec61fd9d3d4807793a95e6e91942db89f2bb

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1.8MB

MD5
c2ab1bded33a48ee8c943260922438e3

SHA1
d58fd3f92aa136fe7c3bea5cc88ba08656176111

SHA256
4c24651286c24b1b70a5a27a75a72fbb81a61a53468c848cabf18321cf5cfa3c

SHA512
fe2d2b09ec0d1c683c2054c2852a6a9db299b131c1e88df3b1d2fa33716056a5bccd2bf58cee7a17af691231e5e0e4de98c8357cc908617b8adbb3ae55291bf1

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1436-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1436-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-144-0x0000000073CC0000-0x0000000073DA0000-memory.dmp

Filesize
896KB

Download
memory/1788-151-0x0000000073CC0000-0x0000000073DA0000-memory.dmp

Filesize
896KB

Download
memory/2144-38-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/2144-68-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-3-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/2144-2-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/2144-1-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-67-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/2144-0-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download