Analysis
- max time kernel: 14s
- max time network: 1s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:40
Static task
- static1

Behavioral task
- behavioral1
  - Sample: chthonic_2.23.15.15.vir.exe
  - Resource: win7v200430 (windows7_x64)
  - 0 signatures, 0 seconds

Behavioral task
- behavioral2
  - Sample: chthonic_2.23.15.15.vir.exe
  - Resource: win10 (windows10_x64)
  - 0 signatures, 0 seconds
  - Errors (reason): Machine shutdown
General
- Target: chthonic_2.23.15.15.vir.exe
- Size: 138KB
- MD5: 58e7485d3b615edfaa1be2dc05dff4f6
- SHA1: b47548e82ceec9e930b7a21651023fd0c7e83426
- SHA256: 248ecff90346c947fda3ab80b686cdb4a3ea72ce5641a17e72b3cd48262d0b69
- SHA512: fd1ce644248bc33188b9939cfdc26950ce907536121d56ac250be76edc9b9cb65ae98db9f3de7ede4fbd2590f83c304e22bfed62c64f988fc5ac30b9fb9d397c
- Score: 10/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: msiexec.exe (PID 1424)

- Deletes itself (1 IoCs)
  Processes: msiexec.exe (PID 1424)

- Loads dropped DLL (2 IoCs)
  Processes: cmd.exe (PID 1572), listed twice

- Modifies registry class (23 IoCs)
  Process: msiexec.exe (description / ioc):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
  - Set value (int) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion
  - Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings

- Modifies service (2 TTPs, 2 IoCs)
  Process: msiexec.exe (description / ioc):
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\diagnosticshub.standardcollector.service\Start = "4"

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (source PID and process, target PID and process, number of events):
  - PID 1360 (chthonic_2.23.15.15.vir.exe) wrote to memory of PID 1424 (msiexec.exe), 8 events
  - PID 1424 (msiexec.exe) wrote to memory of PID 1572 (cmd.exe), 4 events
  - PID 1572 (cmd.exe) wrote to memory of PID 328 (WindowsNTC.exe), 4 events
  - PID 328 (WindowsNTC.exe) wrote to memory of PID 740 (msiexec.exe), 8 events

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: msiexec.exe (PID 1424)

- Modifies Internet Explorer settings
  Process: msiexec.exe (description / ioc):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter
  - Set value (int) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
  - Set value (int) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
  - Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter

- Adds Run key to start application (2 TTPs, 10 IoCs)
  Process: msiexec.exe (description / ioc):
  - Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"
  - Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"
  - Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\Run
  - Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsNTC = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsNTC\\WindowsNTC.exe"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

- Executes dropped EXE (1 IoCs)
  Processes: WindowsNTC.exe (PID 328)

- System policy modification (1 TTPs, 3 IoCs)
  Process: msiexec.exe (description / ioc):
  - Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"

- Disables taskbar notifications via registry modification

- Checks whether UAC is enabled
  Process: msiexec.exe (description / ioc):
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: msiexec.exe (PID 1424), Token: SeShutdownPrivilege

- Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
  Process: msiexec.exe (description / ioc):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.15.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.15.vir.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe
    Signatures: Suspicious behavior: EnumeratesProcesses; Deletes itself; Modifies registry class; Modifies service; Suspicious use of WriteProcessMemory; Suspicious behavior: GetForegroundWindowSpam; Modifies Internet Explorer settings; Adds Run key to start application; System policy modification; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Checks for any installed AV software in registry
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe"
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
        Command line: C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
        Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE
        - C:\Windows\SysWOW64\msiexec.exe
          Command line: C:\Windows\system32\msiexec.exe
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
- \Users\Admin\AppData\Roaming\WindowsNTC\WindowsNTC.exe
- memory/328-5-0x0000000000000000-mapping.dmp
- memory/740-7-0x0000000000000000-mapping.dmp
- memory/1424-0-0x0000000000000000-mapping.dmp
- memory/1572-1-0x0000000000000000-mapping.dmp