Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:41
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.23.2.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.23.2.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.2.0.vir.exe
- Size: 230KB
- MD5: b2d885727b999b505b91208cafbc1e38
- SHA1: 5144b51a951b132e5ffde6eebbf35de63e9f2b75
- SHA256: 3d990368ceffb435fd2163b10b1b463152d387967de24bd154b627ede96a0326
- SHA512: f57404e880aa6dcdd22c77c3f0233918626a1e64d3c5b5aa7b0fee16bf9d8ba8c17fab9374fb5ed9efb38b919e277762bb4c70c44070e150d10cbc085aee901a
- Score: 10/10
Malware Config
Signatures
-
Modifies Internet Explorer settings
Processes: msiexec.exe
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
System policy modification 1 TTPs 5 IoCs
Processes: msiexec.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"
Checks whether UAC is enabled
Processes: msiexec.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: msiexec.exe
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsPortableDevicesC = "C:\\ProgramData\\Windows Portable Devices\\WindowsPortableDevicesC.exe"
Suspicious use of WriteProcessMemory 4 IoCs
Processes: chthonic_2.23.2.0.vir.exe
- PID 3900 (chthonic_2.23.2.0.vir.exe) wrote to memory of PID 776 (target process: msiexec.exe); this entry is recorded four times, one per IoC
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: msiexec.exe
- pid 776, process msiexec.exe; this entry is recorded 32 times, one per IoC
Disables taskbar notifications via registry modification
Processes
1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.2.0.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.2.0.vir.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\msiexec.exe (child of 1)
      Command line: msiexec.exe
      - Modifies Internet Explorer settings
      - System policy modification
      - Checks whether UAC is enabled
      - Adds policy Run key to start application
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/776-0-0x0000000000000000-mapping.dmp