Analysis
- max time kernel: 139s
- max time network: 141s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.23.11.7.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.23.11.7.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.11.7.vir.exe
- Size: 147KB
- MD5: da35953c97d7ae09edc85da33296e993
- SHA1: b545abc8bce08d197f38512062391152ee859ade
- SHA256: c79649b70f1680062355e956dcabe0fa2ecb58faf5c22d4454a3dbb67e1db6b7
- SHA512: 26856d338a4f71151f448ffc805176d294aaf7e248de6d3c54a1b69f054a7fa10530b6f4a3ff33c261a5533e130f16ea994660354762fe3cf959f726c7d4bc15
- Score: 10/10
Malware Config
Signatures
Modifies Internet Explorer settings
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Checks whether UAC is enabled
Processes: msiexec.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: chthonic_2.23.11.7.vir.exe
description | pid | process | target process
PID 732 wrote to memory of 2800 | 732 | chthonic_2.23.11.7.vir.exe | msiexec.exe
(the same entry is recorded 4 times, matching the 4 IoCs above)
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: msiexec.exe
pid | process
2800 | msiexec.exe
(the same entry is recorded 16 times, matching the 16 IoCs above)
System policy modification 1 TTPs 5 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: msiexec.exe
pid | process
2800 | msiexec.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aGoogle = "C:\\ProgramData\\Google\\aGoogle.exe" | msiexec.exe
Disables taskbar notifications via registry modification
Processes
1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.11.7.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.11.7.vir.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\msiexec.exe (child of process 1)
      Command line: msiexec.exe
      - Modifies Internet Explorer settings
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Adds policy Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2800-0-0x0000000000000000-mapping.dmp