Analysis
-
max time kernel
692s -
max time network
456s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
27-04-2024 21:16
General
-
Target
chappo 3 days key new/arfarf_protected.exe
-
Size
17.2MB
-
MD5
e235f21d7011f180d78ee3ef14a242da
-
SHA1
a5b61d7126cd4a5b98faf765dcab344bf4a61aef
-
SHA256
9ee7c83712c548764248b9aebec255d7678197ae3fb8c6947e93cd0a8c113249
-
SHA512
8605961845973597739f8a7184987593e61bf8cba582d2fda22f58ad9515644c39b4e0eb2e4c853203efeefc250756083043ed341283695a4c11cfad2e94731d
-
SSDEEP
393216:rJN6WaFIrwSZc1ujdGtZjq4HsuEaBtz4rUrlB7WBGB:D6WoAwzsQZdHsCtz4G6gB
Score
10/10
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 24 IoCs
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\chappo 3 days key new\arfarf_protected.exe"C:\Users\Admin\AppData\Local\Temp\chappo 3 days key new\arfarf_protected.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "CAUH-NYTE"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "LOUE-IMUJ"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "XIML-BQNP"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "YOAQ-MMHI"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "RTOK-BLBB"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "CHYB-QAXE"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "BMBD-FUCL"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "NEIY-XCRY"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "GLMP-YJIL"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "GLIT-SLYY"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "RWPA-LEDX"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "RCXW-DCEA"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "PZUF-NIGR"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "DPWT-MITB"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "FJHB-NRNB"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "HPYV-MMIE"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "HIET-QTKJ"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "PXWV-IJKI"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "IVQT-VCMY"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "LSXX-JLER"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "GSME-EALM"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\AMIDEWINx64.EXE"C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "YXMP-VRTX"2⤵
- Executes dropped EXE
-
C:\Windows\IME\Volumeid.exe"C:\Windows\IME\Volumeid.exe" C: "FPMR-WOIE"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Fonts\AMIDEWINx64.EXEFilesize
377KB
MD564ae4aa4904d3b259dda8cc53769064f
SHA124be8fb54afd8182652819b9a307b6f66f3fc58d
SHA2562c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4
SHA5126c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16
-
C:\Windows\IME\Volumeid.exeFilesize
228KB
MD54d867033b27c8a603de4885b449c4923
SHA1f1ace1a241bab6efb3c7059a68b6e9bbe258da83
SHA25622a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3
SHA512b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702
-
memory/3548-14-0x0000000004030000-0x0000000004042000-memory.dmpFilesize
72KB
-
memory/3548-4-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-0-0x0000000000150000-0x0000000001812000-memory.dmpFilesize
22.8MB
-
memory/3548-2-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-1-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-7-0x0000000077674000-0x0000000077676000-memory.dmpFilesize
8KB
-
memory/3548-10-0x0000000000150000-0x0000000001812000-memory.dmpFilesize
22.8MB
-
memory/3548-11-0x0000000000150000-0x0000000001812000-memory.dmpFilesize
22.8MB
-
memory/3548-12-0x0000000006710000-0x0000000006CB4000-memory.dmpFilesize
5.6MB
-
memory/3548-16-0x0000000006440000-0x000000000644A000-memory.dmpFilesize
40KB
-
memory/3548-3-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-5-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-13-0x0000000006200000-0x0000000006292000-memory.dmpFilesize
584KB
-
memory/3548-17-0x0000000009980000-0x00000000099BC000-memory.dmpFilesize
240KB
-
memory/3548-18-0x0000000006470000-0x0000000006480000-memory.dmpFilesize
64KB
-
memory/3548-20-0x0000000000150000-0x0000000001812000-memory.dmpFilesize
22.8MB
-
memory/3548-21-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-22-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-23-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-25-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-26-0x0000000006470000-0x0000000006480000-memory.dmpFilesize
64KB
-
memory/3548-6-0x0000000077480000-0x0000000077570000-memory.dmpFilesize
960KB
-
memory/3548-15-0x0000000006CC0000-0x0000000006ED2000-memory.dmpFilesize
2.1MB