Analysis
-
max time kernel
1028s -
max time network
967s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
25-04-2024 09:52
General
-
Target
https://samples.vx-underground.org/Samples/Families/Chapak/00810b59644d1610f9eb57e2d9e175e4.7z
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samples.vx-underground.org/Samples/Families/Chapak/00810b59644d1610f9eb57e2d9e175e4.7z1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff90be63cb8,0x7ff90be63cc8,0x7ff90be63cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,2252708468800559697,10322911723733080445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4804 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\00810b59644d1610f9eb57e2d9e175e4.7z"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\00810b59644d1610f9eb57e2d9e175e4.7z"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\00810b59644d1610f9eb57e2d9e175e4.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\00810b59644d1610f9eb57e2d9e175e4.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\00810b59644d1610f9eb57e2d9e175e4.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\00810b59644d1610f9eb57e2d9e175e4.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD56e15af8f29dec1e606c7774ef749eaf2
SHA115fbec608e4aa6ddd0e7fd8ea64c2e8197345e97
SHA256de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c
SHA5121c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15
-
Filesize
152B
MD53e5a2dac1f49835cf442fde4b7f74b88
SHA17b2cf4e2820f304adf533d43e6d75b3008941f72
SHA25630bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce
SHA512933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786
-
Filesize
194B
MD5c753a51b344f5e0b7614e6b335efce1a
SHA1ecab6c44f7f65a04b594d3c1f5ccc151e1fbbea5
SHA256b9be628c5d1925240917e40326ded59765a86dfc8580b59d2e51f9925f3fc494
SHA512c579bb93537ef2b84bf17b99354eaf60da7719432451d916f15084675ab7fa9c5b24c8e370108b0fec1244d2a8ff44e1ace16fca9abf18c5a12f91f8801a68c5
-
Filesize
5KB
MD5f9d1968792fa2a36a25efd4233230211
SHA1435e733dd8e8b2787d265f72f577a4b813edafdb
SHA25658e66e8d3df0e24ecf803deb2416f01a4efb18ad6bb5715197bbf6774ed7e8ed
SHA512455bb21f49ad8cc453839a0043f66b4dc2284393f06af9765f1994f55fcf7cd7786fb8304922eb38abf9bef911aee61b155431ed90c33890a4554c74d70eab9c
-
Filesize
5KB
MD59f5b6148c19ad0f2c913ae5ee5a217fa
SHA1b0cae5ff1450dddbc71c99b3e4a2ae0624e11ec2
SHA256a54f256e65ef81bfdd7545a9660b14c8183d6df3f283cf1ed2fb178fcc0eb9ce
SHA5126b3ffa2111842406522fb8e0213f96b4d42717bc2a0b5319399fe6acfbfde254be3be89979812de86ce808de5efa509c53d6677205ec91c24c055ea6bce14e35
-
Filesize
5KB
MD502c0f7d1bf058f6e5a8581366ee83047
SHA12089ba79642acfc55bae1746e5a00073d147156a
SHA25674bf109f9dbcb881717323f026d25c871d3afe579249436e886e3e29fb405e17
SHA512b274d81a3bda984856625790b90f3ff12339e7735ba7bf1b2c0018863a9ff1784dbfe5a1a61479a16d8ee80b1cb15a9d705e42b1ddd6ee1a3dcc8e013b44a5e0
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD50b86a765c5556b2d9e024ac73870dd4c
SHA1e67b402c200542fec7049e2c050a62d53dc88704
SHA2561675ced1c7d345be69fdc9d4c1a3f44a8166276df16b98d89c0dac279810a797
SHA5125b24093101236d0469d853ed6468f9378a6795181308687e993e2d0d47ed4f492e8c9fc14721240591d1cddebd61a879accb04ec6ed4db6342a74291b9b2d973
-
Filesize
11KB
MD532d373f904f425ad34fec1a77bf2a7df
SHA134b1124e0800da157ae77b5abbfbe1700cb2f62f
SHA25601cca0d2b92671c50ae6c3a353780aeb4a0cdf91426a3c7d4934de8925cdae98
SHA512fe08f95ecdc236885ae5076aa787c81ddd451418da603074c07532f415860687b1d7dc63079723b9766ff4098debc21feef33ef3510521b212ab008652596020
-
Filesize
4.0MB
MD50a342580ea68c1b99fcb6c1de323d8c2
SHA1bb305448a01d21392b89c1f0922e2a69663a299c
SHA256f4c90a0ef515c5c63d0e1f4fdaacefd32d0c8222d476fa7e9c0c3823f508084a
SHA512eb012df1728ae59b0b4074390b1b37a3bce04b3f7f2dd9498c48fe8f0f9e8c1e82e52ed1fba3acc6f140b6a0be29264ffb6ff912e558e766c76bfbb6725fb601
-
Filesize
130B
MD50e01f174741c7011763bee8193dfbc59
SHA1554f1a49e49ee510410cb6374faf721ee9259044
SHA256afff28f3cdc559f7f99492fdd8c2adcb10ac061841210fecca552f90a2c7a26e
SHA512798a4e3a04570816e9641465aa8aedac8a9a3aac6ca95131b8b846c9dc339e71aacd202c9a27b080e1363dec7b284cc833aa0d89764b0c719d0c665ffc6f7bf8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e