Analysis
-
max time kernel
14s -
max time network
1s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:40
Errors
Reason
Machine shutdown
General
-
Target
chthonic_2.23.15.15.vir.exe
-
Size
138KB
-
MD5
58e7485d3b615edfaa1be2dc05dff4f6
-
SHA1
b47548e82ceec9e930b7a21651023fd0c7e83426
-
SHA256
248ecff90346c947fda3ab80b686cdb4a3ea72ce5641a17e72b3cd48262d0b69
-
SHA512
fd1ce644248bc33188b9939cfdc26950ce907536121d56ac250be76edc9b9cb65ae98db9f3de7ede4fbd2590f83c304e22bfed62c64f988fc5ac30b9fb9d397c
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies registry class 23 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Executes dropped EXE 1 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Disables taskbar notifications via registry modification
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.15.vir.exe"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.15.vir.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Deletes itself
- Modifies registry class
- Modifies service
- Suspicious use of WriteProcessMemory
- Suspicious behavior: GetForegroundWindowSpam
- Modifies Internet Explorer settings
- Adds Run key to start application
- System policy modification
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exeC:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe4⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe5⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
-
C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
-
\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
-
\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
-
memory/328-5-0x0000000000000000-mapping.dmp
-
memory/740-7-0x0000000000000000-mapping.dmp
-
memory/1424-0-0x0000000000000000-mapping.dmp
-
memory/1572-1-0x0000000000000000-mapping.dmp