Overview

overview

10

Static

static

10

chappo_3_d...ew.rar

windows10-2004-x64

3

chappo 3 d...I2.dll

windows10-2004-x64

1

chappo 3 d...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    224s
  • max time network
    225s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    chappo_3_days_key_new.rar

  • Size

    17.7MB

  • MD5

    abaac60d2349aef781d8697b26a09442

  • SHA1

    f48b43b226cbbf16852f8c27710367c696b291e9

  • SHA256

    f6c17feb9634d46a34ba851526576f947805135b368ff079936cdf0492553f70

  • SHA512

    b4724a24e11000ae90e6a089125bbc4b140faab194d8f2dc4fb69b3f2112d4181c671bb242cf635dabd25b29071a3cdf1548d94ce06d7d14fd2c8ff2954dbcac

  • SSDEEP

    393216:L3nwfyVg2kesEiwEOQ3kh+EjiRdiEAPo+kyfsC0Zwt5cnL0xfttDFBnUD9:zHaL1OQ+jjEAPo+kyfsCiU5co7tJG9

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\chappo_3_days_key_new.rar
    1⤵
    • Modifies registry class
    PID:1072
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\chappo_3_days_key_new.rar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\chappo_3_days_key_new.rar
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4be9b1c1-316b-49a9-a5cc-2329b9008e38} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" gpu
          4⤵
            PID:2520
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16d6cdeb-05e0-4e67-ba9e-bddf5b98ae90} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" socket
            4⤵
              PID:2868
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3532 -childID 1 -isForBrowser -prefsHandle 3576 -prefMapHandle 3404 -prefsLen 26518 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8789a67-03a4-420e-8da9-70f9365f6cd6} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
              4⤵
                PID:3664
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2644 -childID 2 -isForBrowser -prefsHandle 4068 -prefMapHandle 2616 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76f8d721-fc0d-4858-ab43-23810ab1ad8d} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
                4⤵
                  PID:608
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7e1d9ab-7c17-454f-bc0b-2634fd17adde} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" utility
                  4⤵
                  • Checks processor information in registry
                  PID:3536
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5312 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23adaf86-3694-40dc-955f-bdbe885a3239} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
                  4⤵
                    PID:1880
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {351160e5-8272-45dd-8beb-86b190d586e9} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
                    4⤵
                      PID:4104
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5672 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee1a8e8b-4e07-452f-929e-687125089cac} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
                      4⤵
                        PID:2740
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\chappo_3_days_key_new.rar"
                  1⤵
                    PID:1076
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\chappo_3_days_key_new.rar
                      2⤵
                      • Checks processor information in registry
                      PID:4964

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Credential Access

                  Discovery

                  System Information Discovery

                  2
                  T1082

                  Query Registry

                  2
                  T1012

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Resource Development

                  Reconnaissance

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\l594d31n.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    18KB

                    MD5

                    ef3d9ba1da53774cc2c310e9350719e1

                    SHA1

                    d5534954a557151030c1f2fe5593cb384a549a88

                    SHA256

                    d0fb0d5f57ac0a697888dbde128b932b1425a7341db2946cdee7992dc8cf69db

                    SHA512

                    f2985b119de8d25b205fee43e0562f1ce169e181c43fb1261cd68adf1d9213ba72ab58a7bbdb11f4b61759dc938e3c6e0877ae2ff024e51654eabfe5108aaa9d

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    b872a5ab536ed1c609fe4083d1a7b6f9

                    SHA1

                    630128d1aa421ad7e1e67f9ac33e2f7dd90afdf4

                    SHA256

                    d3625d05f0fa0c15ca06c92fb12e05411a3bf484b7b8463949861d8a7c038f57

                    SHA512

                    434b3d7e8d56881cf96deef5f97b83f36061dc470b8a9d27d6cf484ff54cbba1da04c006ad31e38e51dc2bb8ad058904dd346521a3b8fc88b68c1751def8171c

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    13KB

                    MD5

                    1017bb362c3c86627f317c4427c25934

                    SHA1

                    dbc51f99dcc518795876da0795aa3b83c8b996f0

                    SHA256

                    f82a2e623f5646e1159dd54a78a8614f79ea55c8237ec7f1a32eaeb553edd97b

                    SHA512

                    008af7969f6cdeb39d33cf8f11c6f6a97824720b74f87726dc7c1d85614b7b8eb810ad092c6cf9f89322e2b6562b2e56e0576d907c1d30992d2d880e79f9c481

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\3f158063-7d66-4122-a1ea-68d57818f851
                    Filesize

                    26KB

                    MD5

                    7a29467cd2bd1a5181fb9266b25f1e7d

                    SHA1

                    4531af3fb350763a35b765a847e73257016dbaeb

                    SHA256

                    97a689634b863a3bd0c7a65611bd47086e899c46d16e70bc5d1f0c4c9ca454aa

                    SHA512

                    04b132a60e88041cb68766ba23e8fe5ca28b68db77ddcfe0f6e8127debef9e1bc8ba7145b2566a97656d14f06d4c3cf885ba3e3cb23f013705f983ebf4a4c319

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\54bf90d6-423a-49af-bb6b-1df20de5c31c
                    Filesize

                    982B

                    MD5

                    25ae2cfe2360b9b5e0339bd34387b30c

                    SHA1

                    8701d4ccf8dba5490e211113d10060f2ffaf4f3f

                    SHA256

                    f60941736fd1ed6f8889b0bacec1d19103e96a67e39cda4533b4f26d96a4e8c7

                    SHA512

                    582397a1b70ea6f697e254daa4ab1a981b999338d12928f9b98ede3a63a88e4f79fd9295ab9541314c97ba525246ff6309be19627eb816ac77b0d82b03b1bac8

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\c2d4abd1-87b8-459f-9567-ac1568cce1d0
                    Filesize

                    671B

                    MD5

                    8efd426f0607720aebfe12ad66d83285

                    SHA1

                    8b041f9e1e4bbed8484cc5729f102973138562dc

                    SHA256

                    f3c8ea6fb3f20a9c70a733d5c599ea314c1c7488506c3668ba354aad78ba6dab

                    SHA512

                    8135410934896081754ba6c5e6e598a0be6a2f8a7af8cf73938412e4da434949156150f1786324e46c80c6d24ddb6b0a1cb5273dbf43e55db3cec5e6b2b040f8

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs-1.js
                    Filesize

                    8KB

                    MD5

                    1615050a007683e900d61d2290835eca

                    SHA1

                    771a746eaf4f992bec1782fa5e2ff56cc32aa9cd

                    SHA256

                    2203bcc63df7b24c86636110124564a187d2d35e9c61168ac939533711462ace

                    SHA512

                    7ff7edcff716f3afa0348f3b51177f87b7b31bdc729673c13dd18fb8e7fa856c20b262c5c72eb765c5db9f7ec368d2b80bd1ebd60d6754d2094710951e02ea65

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs-1.js
                    Filesize

                    9KB

                    MD5

                    cd3bd67d32e863cdbed90661ebdcdf9d

                    SHA1

                    d1965fe12ef61f9357d8d8cf1ec28a469f4ce8d0

                    SHA256

                    87a5ac4c6fcf606139c885583c2f77c37445ecd9da15dd5bf0518421694a34f2

                    SHA512

                    c05d93e09b9f12e4fb45ed016496a69e4f3ff6739d0b035130197584d9046c82e8d140ce04c5c839fc233c4def6787e639ac00fc6a956e67febcf7a693e95109

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs.js
                    Filesize

                    8KB

                    MD5

                    31bb2c29e4a24cb257c002b0a3f65e3a

                    SHA1

                    218842c4e90940494009dd942137ef478a36873c

                    SHA256

                    4299435fbe312022f5ebc21b32f977dbc303b6d92aad1ebcfd6bcb51d4994ff6

                    SHA512

                    f75a290c42cdf208e4fb858879f15661c2cff4d2f989b644c298e6edfaf9cd196c5485c345fd998e3f902e6f47668a3a062218020770a8cb9e5499b353f2cb16

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\sessionstore-backups\recovery.baklz4
                    Filesize

                    1KB

                    MD5

                    c2a4aad01ec96648353631d79ebe9475

                    SHA1

                    bb768e56e8b394c3b81cc66b098bcc06930f296d

                    SHA256

                    3d427809fe92e1809a5cdeb01c8f4192b31568882dcef098fe5151e2bc5ad195

                    SHA512

                    fab30a89197f68b2e315f51065f9b3c3427c2fbacd35879d151dc841c89f87e29f6eaff203975acd18af8ee4f81e39fd93f053b881d7fb2d6ffa5b857b732f3d

                    Download Submit
                  • C:\Users\Admin\Downloads\Q0vqSK6e.rar.part
                    Filesize

                    17.7MB

                    MD5

                    abaac60d2349aef781d8697b26a09442

                    SHA1

                    f48b43b226cbbf16852f8c27710367c696b291e9

                    SHA256

                    f6c17feb9634d46a34ba851526576f947805135b368ff079936cdf0492553f70

                    SHA512

                    b4724a24e11000ae90e6a089125bbc4b140faab194d8f2dc4fb69b3f2112d4181c671bb242cf635dabd25b29071a3cdf1548d94ce06d7d14fd2c8ff2954dbcac

                    Download Submit