bbeaa86003be4d14ff5643c47d20ca8a44e4d7e655bda8a93439fbe7dd4e9066

General

Target

chthonic_2.23.17.8.vir.exe
Size

414KB
MD5

1f9b928b344e22ea51231035d780c098
SHA1

b9fea85e753702620038d7ae498fe78360dddd1c
SHA256

bbeaa86003be4d14ff5643c47d20ca8a44e4d7e655bda8a93439fbe7dd4e9066
SHA512

a8cd355326908b9c4161e8df7c9177bd7210049a52009d77ab4b15388ab8d1721607cfffbc7666e5ca17d44d59d834f8e5d1696e7b1f932e7c4dce08ee66484d

Score

8^/10

persistence evasion trojan

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

chthonic_2.23.17.8.vir.exemsiexec.exe

pid process

2564 chthonic_2.23.17.8.vir.exe
2196 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

chthonic_2.23.17.8.vir.exemsiexec.exe

pid process

2564 chthonic_2.23.17.8.vir.exe
2196 msiexec.exe
Deletes itself 1 IoCs

Processes:

msiexec.exe

pid process

2196 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

lite1.exe

pid process

3832 lite1.exe

pid	process
2564	chthonic_2.23.17.8.vir.exe
2196	msiexec.exe

pid	process
2564	chthonic_2.23.17.8.vir.exe
2196	msiexec.exe

pid	process
2196	msiexec.exe

pid	process
3832	lite1.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\antivirservice	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

chthonic_2.23.17.8.vir.exemsiexec.execmd.exe

description	pid	process	target process
PID 2564 wrote to memory of 2196	2564	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 2564 wrote to memory of 2196	2564	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 2564 wrote to memory of 2196	2564	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 2564 wrote to memory of 2196	2564	chthonic_2.23.17.8.vir.exe	msiexec.exe
PID 2196 wrote to memory of 2752	2196	msiexec.exe	cmd.exe
PID 2196 wrote to memory of 2752	2196	msiexec.exe	cmd.exe
PID 2196 wrote to memory of 2752	2196	msiexec.exe	cmd.exe
PID 2752 wrote to memory of 3832	2752	cmd.exe	lite1.exe
PID 2752 wrote to memory of 3832	2752	cmd.exe	lite1.exe
PID 2752 wrote to memory of 3832	2752	cmd.exe	lite1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2196 msiexec.exe
2196 msiexec.exe

pid	process
2196	msiexec.exe
2196	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\lite1 = "C:\\Users\\Admin\\AppData\\Roaming\\lite1\\lite1.exe"	msiexec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

msiexec.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.8.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.8.vir.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Deletes itself
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Checks whether UAC is enabled
PID:2196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\lite1\lite1.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Roaming\lite1\lite1.exe
C:\Users\Admin\AppData\Roaming\lite1\lite1.exe
4⤵
- Executes dropped EXE
PID:3832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Security Software Discovery

1

T1063

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lite1\lite1.exe

Download Submit
C:\Users\Admin\AppData\Roaming\lite1\lite1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\2646.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\2C51.tmp

Download Submit
memory/2196-1-0x0000000000000000-mapping.dmp

Download
memory/2752-3-0x0000000000000000-mapping.dmp

Download
memory/3832-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads