bbeaa86003be4d14ff5643c47d20ca8a44e4d7e655bda8a93439fbe7dd4e9066

General

Target

chthonic_2.23.17.8.vir.exe
Size

414KB
MD5

1f9b928b344e22ea51231035d780c098
SHA1

b9fea85e753702620038d7ae498fe78360dddd1c
SHA256

bbeaa86003be4d14ff5643c47d20ca8a44e4d7e655bda8a93439fbe7dd4e9066
SHA512

a8cd355326908b9c4161e8df7c9177bd7210049a52009d77ab4b15388ab8d1721607cfffbc7666e5ca17d44d59d834f8e5d1696e7b1f932e7c4dce08ee66484d

Score

8^/10

persistence evasion trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

chthonic_2.23.17.8.vir.exemsiexec.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1612 wrote to memory of 1976	1612	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 1976 wrote to memory of 1844	1976	msiexec.exe	cmd.exe
PID 1976 wrote to memory of 1844	1976	msiexec.exe	cmd.exe
PID 1976 wrote to memory of 1844	1976	msiexec.exe	cmd.exe
PID 1976 wrote to memory of 1844	1976	msiexec.exe	cmd.exe
PID 1844 wrote to memory of 2004	1844	cmd.exe	Adobed.exe
PID 1844 wrote to memory of 2004	1844	cmd.exe	Adobed.exe
PID 1844 wrote to memory of 2004	1844	cmd.exe	Adobed.exe
PID 1844 wrote to memory of 2004	1844	cmd.exe	Adobed.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msiexec.exe

pid process

1976 msiexec.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

msiexec.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msiexec.exe

pid	process
1976	msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\antivirservice	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	msiexec.exe

Loads dropped DLL 3 IoCs

Processes:

chthonic_2.23.17.8.vir.exemsiexec.execmd.exe

pid process

1612 chthonic_2.23.17.8.vir.exe
1976 msiexec.exe
1844 cmd.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

chthonic_2.23.17.8.vir.exemsiexec.exe

pid process

1612 chthonic_2.23.17.8.vir.exe
1976 msiexec.exe
Deletes itself 1 IoCs

Processes:

msiexec.exe

pid process

1976 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

Adobed.exe

pid process

2004 Adobed.exe

pid	process
1612	chthonic_2.23.17.8.vir.exe
1976	msiexec.exe
1844	cmd.exe

pid	process
1612	chthonic_2.23.17.8.vir.exe
1976	msiexec.exe

pid	process
1976	msiexec.exe

pid	process
2004	Adobed.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobed = "C:\\Users\\Admin\\AppData\\Roaming\\Adobed\\Adobed.exe"	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.8.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.8.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1612

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Checks whether UAC is enabled
- Checks for any installed AV software in registry
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Deletes itself
- Adds Run key to start application
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Adobed\Adobed.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1844

C:\Users\Admin\AppData\Roaming\Adobed\Adobed.exe
C:\Users\Admin\AppData\Roaming\Adobed\Adobed.exe
4⤵
- Executes dropped EXE
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Security Software Discovery

1

T1063

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobed\Adobed.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Adobed\Adobed.exe

Download Submit
\Users\Admin\AppData\Local\Temp\A3EC.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\A89D.tmp

Download Submit
\Users\Admin\AppData\Roaming\Adobed\Adobed.exe

Download Submit
memory/1844-3-0x0000000000000000-mapping.dmp

Download
memory/1976-1-0x0000000000000000-mapping.dmp

Download
memory/2004-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads