4db9e6043c7ddc8a04114e731a22d16d4cba065931b2cebd4dc61570e5c45c4b

Reason

Machine shutdown

General

Target

chthonic_2.23.20.3.vir.exe
Size

531KB
MD5

e9fe4925d273ae94a34d8a13b9ceff52
SHA1

9ef3857d88ea840504e9fe96f97e5e19dc782ef4
SHA256

4db9e6043c7ddc8a04114e731a22d16d4cba065931b2cebd4dc61570e5c45c4b
SHA512

10bce84ba0c0907faab5a8a67099077582f2eed4fd73aaf322c60077b5935c47ed04033ff2e1883083fe33011b4b3968181419a42239b8b7fae70a3ef1341a11

Score

8^/10

ransomware bootkit persistence

Malware Config

Signatures

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chthonic_2.23.20.3.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\RunOnce	chthonic_2.23.20.3.vir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bWindowsMail = "C:\\Users\\Admin\\AppData\\Roaming\\bWindowsMail\\bWindowsMail.exe"	chthonic_2.23.20.3.vir.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chthonic_2.23.20.3.vir.exe

pid process

1616 chthonic_2.23.20.3.vir.exe

Loads dropped DLL 6 IoCs

Processes:

chthonic_2.23.20.3.vir.exe

pid	process
1616	chthonic_2.23.20.3.vir.exe
1616	chthonic_2.23.20.3.vir.exe
1616	chthonic_2.23.20.3.vir.exe
1616	chthonic_2.23.20.3.vir.exe
1616	chthonic_2.23.20.3.vir.exe
1616	chthonic_2.23.20.3.vir.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

chthonic_2.23.20.3.vir.exe

description	pid	process
Token: SeShutdownPrivilege	1616	chthonic_2.23.20.3.vir.exe
Token: SeBackupPrivilege	1616	chthonic_2.23.20.3.vir.exe
Token: SeRestorePrivilege	1616	chthonic_2.23.20.3.vir.exe
Token: SeShutdownPrivilege	1616	chthonic_2.23.20.3.vir.exe
Token: SeShutdownPrivilege	1616	chthonic_2.23.20.3.vir.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2704 LogonUI.exe

pid	process
2704	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.20.3.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.20.3.vir.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acc855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\334D3038.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\534E3339.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\58375066.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\66686337.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\68373361.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\72433377.tmp

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads