Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:41

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.2.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.2.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.2.0.vir.exe
- Size: 230KB
- MD5: b2d885727b999b505b91208cafbc1e38
- SHA1: 5144b51a951b132e5ffde6eebbf35de63e9f2b75
- SHA256: 3d990368ceffb435fd2163b10b1b463152d387967de24bd154b627ede96a0326
- SHA512: f57404e880aa6dcdd22c77c3f0233918626a1e64d3c5b5aa7b0fee16bf9d8ba8c17fab9374fb5ed9efb38b919e277762bb4c70c44070e150d10cbc085aee901a
- Score: 10/10
Malware Config
Signatures
Modifies Internet Explorer settings
Processes:
msiexec.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Note: EnabledV8 and EnabledV9 are the SmartScreen (Phishing Filter) switches for Internet Explorer 8 and 9; writing 0 to both, in the machine hive and the current user's hive, turns the filter off for every profile on the host.
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsNTW = "C:\\ProgramData\\Windows NT\\WindowsNTW.exe" | msiexec.exe
Note: Policies\Explorer\Run is the Group Policy Run key, processed at logon for every user; it is a less common persistence location than HKLM\...\CurrentVersion\Run and is missed by tooling that only checks the usual Run/RunOnce keys. The payload path lives under C:\ProgramData, which is writable without elevation.
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
msiexec.exe
pid | process
1008 | msiexec.exe (16 identical rows)
Disables taskbar notifications via registry modification
(Its IoC, TaskbarNoNotification = "1" under Policies\Explorer, is listed with the System policy modification rows below.)
Checks whether UAC is enabled
Processes:
msiexec.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Note: the query reads the current UAC state; the write that follows sets EnableLUA to 0, which disables UAC machine-wide once the system restarts.
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
chthonic_2.23.2.0.vir.exe
description | pid | process | target process
PID 1312 wrote to memory of 1008 | 1312 | chthonic_2.23.2.0.vir.exe | msiexec.exe (8 identical rows)
Note: the sample (PID 1312) writes into the msiexec.exe it spawned (PID 1008); every registry IoC in this report is attributed to PID 1008, so the writes are consistent with code being injected into msiexec.exe and run from there rather than from the original image.
System policy modification 1 TTPs 5 IoCs
Processes:
msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Note: TaskbarNoNotification = 1 suppresses taskbar balloon notifications and HideSCAHealth = 1 hides the Security Center (Action Center) icon, so the user is not warned that UAC (EnableLUA = 0) and the IE phishing filter have been switched off.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.2.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.2.0.vir.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\msiexec.exe (child of [1])
        Command line: msiexec.exe
        - Modifies Internet Explorer settings
        - Adds policy Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Checks whether UAC is enabled
        - System policy modification
Note: msiexec.exe is the 32-bit copy from SysWOW64, started with no installer arguments; all signatures other than WriteProcessMemory fire in this child (PID 1008), not in the sample itself.
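The registry rows and the process tree above read as a detection spec: a handful of policy values written by an injected msiexec.exe, plus msiexec.exe started with a bare command line by an executable in the user's Temp directory. The Python below is an added example, not part of the sandbox report or of the Chthonic sample, that turns those rows into a small matcher over Sysmon-style registry events and applies it to constructed events copied from the report (plus one benign write by explorer.exe that must not fire). The `RegistryEvent` layout, the `IOC_RULES` table, the key normalisation and the `suspicious_msiexec_launch` heuristic are this example's own assumptions, not sandbox signatures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    """One registry write, in the shape a Sysmon Event ID 13 record carries (assumed layout)."""
    process: str  # image name of the writing process
    key: str      # key path as the kernel reports it: \REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\...
    value: str    # value name
    data: str     # data written, rendered as a string


# Constructed events: the report's IoC rows for PID 1008 plus one benign write by explorer.exe.
SAMPLE_EVENTS = [
    RegistryEvent("msiexec.exe", r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter", "EnabledV9", "0"),
    RegistryEvent("msiexec.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter", "EnabledV8", "0"),
    RegistryEvent("msiexec.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "WindowsNTW", r"C:\ProgramData\Windows NT\WindowsNTW.exe"),
    RegistryEvent("msiexec.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "TaskbarNoNotification", "1"),
    RegistryEvent("msiexec.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "HideSCAHealth", "1"),
    RegistryEvent("msiexec.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    RegistryEvent("explorer.exe", r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main", "Start Page", "about:blank"),
]

# Rule table built from the report's signature blocks: (signature, key suffix, value names, data that fires).
# None for value names or data means "any write under this key" (the Run key rule).
IOC_RULES = [
    ("Modifies Internet Explorer settings",
     r"software\microsoft\internet explorer\phishingfilter", {"enabledv8", "enabledv9"}, {"0"}),
    ("Adds policy Run key to start application",
     r"software\microsoft\windows\currentversion\policies\explorer\run", None, None),
    ("Disables taskbar notifications via registry modification",
     r"software\microsoft\windows\currentversion\policies\explorer", {"taskbarnonotification"}, {"1"}),
    ("System policy modification",
     r"software\microsoft\windows\currentversion\policies\explorer", {"hidescahealth"}, {"1"}),
    ("System policy modification",
     r"software\microsoft\windows\currentversion\policies\system", {"enablelua"}, {"0"}),
]

_USER_HIVE = re.compile(r"^\\registry\\user\\s-1-5-[0-9-]+(?=\\|$)")


def normalize_key(key: str) -> str:
    """Lower-case the path and collapse the hive prefix so one rule matches HKLM and any user's SID."""
    k = key.lower()
    if k.startswith("\\registry\\machine"):
        return "hklm" + k[len("\\registry\\machine"):]
    return _USER_HIVE.sub("hku", k)


def match_events(events):
    """Return {signature: [(process, key, value, data), ...]} for every event that hits a rule."""
    hits = {}
    for ev in events:
        k = normalize_key(ev.key)
        for name, suffix, values, datas in IOC_RULES:
            if not k.endswith("\\" + suffix):
                continue
            if values is not None and ev.value.lower() not in values:
                continue
            if datas is not None and ev.data.strip() not in datas:
                continue
            hits.setdefault(name, []).append((ev.process, ev.key, ev.value, ev.data))
    return hits


def suspicious_msiexec_launch(parent_image: str, child_image: str, child_cmdline: str) -> bool:
    """Heuristic (this example's assumption, not a sandbox signature): msiexec.exe started with no
    installer arguments by a parent running out of a user's Temp directory, the shape of the tree above."""
    if child_image.lower().rsplit("\\", 1)[-1] != "msiexec.exe":
        return False
    bare_command_line = len(child_cmdline.strip().split(None, 1)) < 2
    parent_in_temp = "\\appdata\\local\\temp\\" in parent_image.lower()
    return bare_command_line and parent_in_temp


if __name__ == "__main__":
    for name, rows in match_events(SAMPLE_EVENTS).items():
        print(f"[{name}]")
        for proc, key, value, data in rows:
            print(f"  {proc}: {key}\\{value} = {data!r}")
    print("msiexec launch suspicious:", suspicious_msiexec_launch(
        r"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.2.0.vir.exe",
        r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe"))
```

The hive normalisation matters in practice: the report's user-hive paths embed the sandbox account's SID, and a rule that copies them verbatim will never match another machine. Matching on the key suffix plus the exact value and data keeps the rule tight (a legitimate policy tool setting EnableLUA = 1 does not fire), while the Run-key rule deliberately fires on any write because nothing benign should be creating values under Policies\Explorer\Run outside Group Policy processing.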
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1008-0-0x0000000000000000-mapping.dmp (memory dump of msiexec.exe, PID 1008)