Analysis
- max time kernel: 692s
- max time network: 456s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 21:16
Behavioral task: behavioral1
- Sample: chappo_3_days_key_new.rar
- Resource: win10v2004-20240419-en
Behavioral task: behavioral2
- Sample: chappo 3 days key new/Guna.UI2.dll
- Resource: win10v2004-20240426-en
General
- Target: chappo 3 days key new/arfarf_protected.exe
- Size: 17.2MB
- MD5: e235f21d7011f180d78ee3ef14a242da
- SHA1: a5b61d7126cd4a5b98faf765dcab344bf4a61aef
- SHA256: 9ee7c83712c548764248b9aebec255d7678197ae3fb8c6947e93cd0a8c113249
- SHA512: 8605961845973597739f8a7184987593e61bf8cba582d2fda22f58ad9515644c39b4e0eb2e4c853203efeefc250756083043ed341283695a4c11cfad2e94731d
- SSDEEP: 393216:rJN6WaFIrwSZc1ujdGtZjq4HsuEaBtz4rUrlB7WBGB:D6WoAwzsQZdHsCtz4G6gB
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 1 IoCs
Processes:
  resource: behavioral3/memory/3548-15-0x0000000006CC0000-0x0000000006ED2000-memory.dmp  yara_rule: family_agenttesla
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: arfarf_protected.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  process: arfarf_protected.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: arfarf_protected.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  process: arfarf_protected.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  process: arfarf_protected.exe
-
Executes dropped EXE 24 IoCs
Processes: AMIDEWINx64.EXE (23 instances), Volumeid.exe
  pid   process
  1780  AMIDEWINx64.EXE
  3040  AMIDEWINx64.EXE
  5060  AMIDEWINx64.EXE
  3056  AMIDEWINx64.EXE
  4388  AMIDEWINx64.EXE
  3684  AMIDEWINx64.EXE
  1960  AMIDEWINx64.EXE
  1364  AMIDEWINx64.EXE
  2572  AMIDEWINx64.EXE
  4112  AMIDEWINx64.EXE
  5048  AMIDEWINx64.EXE
  3532  AMIDEWINx64.EXE
  3384  AMIDEWINx64.EXE
  3988  AMIDEWINx64.EXE
  1004  AMIDEWINx64.EXE
  2728  AMIDEWINx64.EXE
  4260  AMIDEWINx64.EXE
  1060  AMIDEWINx64.EXE
  2228  AMIDEWINx64.EXE
  3500  AMIDEWINx64.EXE
  3904  AMIDEWINx64.EXE
  2496  AMIDEWINx64.EXE
  3488  AMIDEWINx64.EXE
  4104  Volumeid.exe
-
Processes:
  resource: behavioral3/memory/3548-10-0x0000000000150000-0x0000000001812000-memory.dmp  yara_rule: themida
  resource: behavioral3/memory/3548-11-0x0000000000150000-0x0000000001812000-memory.dmp  yara_rule: themida
-
Checks whether UAC is enabled
Processes: arfarf_protected.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  process: arfarf_protected.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: arfarf_protected.exe
  pid: 3548  process: arfarf_protected.exe
-
Drops file in Windows directory 4 IoCs
Processes: arfarf_protected.exe
  description: File created  ioc: C:\Windows\Fonts\AMIDEWINx64.EXE  process: arfarf_protected.exe
  description: File created  ioc: C:\Windows\Fonts\amigendrv64.sys  process: arfarf_protected.exe
  description: File created  ioc: C:\Windows\Fonts\amifldrv64.sys  process: arfarf_protected.exe
  description: File created  ioc: C:\Windows\IME\Volumeid.exe  process: arfarf_protected.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: arfarf_protected.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion  process: arfarf_protected.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  process: arfarf_protected.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  process: arfarf_protected.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: arfarf_protected.exe
  pid: 3548  process: arfarf_protected.exe
  pid: 3548  process: arfarf_protected.exe
-
Suspicious behavior: LoadsDriver 23 IoCs
Processes:
  pid: 668 (23 entries; no process name recorded in the report)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: arfarf_protected.exe
  description: Token: SeDebugPrivilege  pid: 3548  process: arfarf_protected.exe
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes: arfarf_protected.exe
  Source process in every entry: PID 3548 arfarf_protected.exe. Each AMIDEWINx64.EXE target appears twice in the report, Volumeid.exe three times.
  description: PID 3548 wrote to memory of 1780  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3040  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 5060  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3056  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 4388  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3684  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 1960  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 1364  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 2572  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 4112  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 5048  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3532  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3384  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3988  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 1004  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 2728  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 4260  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 1060  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 2228  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3500  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3904  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 2496  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 3488  target process: AMIDEWINx64.EXE  (x2)
  description: PID 3548 wrote to memory of 4104  target process: Volumeid.exe  (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\chappo 3 days key new\arfarf_protected.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chappo 3 days key new\arfarf_protected.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3548
  Child processes (depth 2), each flagged "Executes dropped EXE":
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "CAUH-NYTE"  PID: 1780
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "LOUE-IMUJ"  PID: 3040
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "XIML-BQNP"  PID: 5060
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "YOAQ-MMHI"  PID: 3056
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"  PID: 4388
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "RTOK-BLBB"  PID: 3684
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "CHYB-QAXE"  PID: 1960
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "BMBD-FUCL"  PID: 1364
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "NEIY-XCRY"  PID: 2572
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "GLMP-YJIL"  PID: 4112
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "GLIT-SLYY"  PID: 5048
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "RWPA-LEDX"  PID: 3532
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "RCXW-DCEA"  PID: 3384
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "PZUF-NIGR"  PID: 3988
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "DPWT-MITB"  PID: 1004
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "FJHB-NRNB"  PID: 2728
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "HPYV-MMIE"  PID: 4260
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "HIET-QTKJ"  PID: 1060
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "PXWV-IJKI"  PID: 2228
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "IVQT-VCMY"  PID: 3500
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "LSXX-JLER"  PID: 3904
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "GSME-EALM"  PID: 2496
  - "C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "YXMP-VRTX"  PID: 3488
  - "C:\Windows\IME\Volumeid.exe" C: "FPMR-WOIE"  PID: 4104
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\Fonts\AMIDEWINx64.EXE
  Filesize: 377KB
  MD5: 64ae4aa4904d3b259dda8cc53769064f
  SHA1: 24be8fb54afd8182652819b9a307b6f66f3fc58d
  SHA256: 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4
  SHA512: 6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16
- C:\Windows\IME\Volumeid.exe
  Filesize: 228KB
  MD5: 4d867033b27c8a603de4885b449c4923
  SHA1: f1ace1a241bab6efb3c7059a68b6e9bbe258da83
  SHA256: 22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3
  SHA512: b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702
- memory/3548-14-0x0000000004030000-0x0000000004042000-memory.dmp  Filesize: 72KB
- memory/3548-4-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-0-0x0000000000150000-0x0000000001812000-memory.dmp  Filesize: 22.8MB
- memory/3548-2-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-1-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-7-0x0000000077674000-0x0000000077676000-memory.dmp  Filesize: 8KB
- memory/3548-10-0x0000000000150000-0x0000000001812000-memory.dmp  Filesize: 22.8MB
- memory/3548-11-0x0000000000150000-0x0000000001812000-memory.dmp  Filesize: 22.8MB
- memory/3548-12-0x0000000006710000-0x0000000006CB4000-memory.dmp  Filesize: 5.6MB
- memory/3548-16-0x0000000006440000-0x000000000644A000-memory.dmp  Filesize: 40KB
- memory/3548-3-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-5-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-13-0x0000000006200000-0x0000000006292000-memory.dmp  Filesize: 584KB
- memory/3548-17-0x0000000009980000-0x00000000099BC000-memory.dmp  Filesize: 240KB
- memory/3548-18-0x0000000006470000-0x0000000006480000-memory.dmp  Filesize: 64KB
- memory/3548-20-0x0000000000150000-0x0000000001812000-memory.dmp  Filesize: 22.8MB
- memory/3548-21-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-22-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-23-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-25-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-26-0x0000000006470000-0x0000000006480000-memory.dmp  Filesize: 64KB
- memory/3548-6-0x0000000077480000-0x0000000077570000-memory.dmp  Filesize: 960KB
- memory/3548-15-0x0000000006CC0000-0x0000000006ED2000-memory.dmp  Filesize: 2.1MB