b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd

General

Target

chthonic_2.23.15.12.vir.exe
Size

427KB
MD5

8296372373a0e63024143e6beee29a82
SHA1

4fae40c361e7f2da23a7984e06320b89cbad654d
SHA256

b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd
SHA512

3bf80ceb5cdb03fd5419741c4fabd293ab9003d972ef9bc329528664197287d81f03522d6b3852d480898f2477615d6178995bdc82bc1783978850a5b5647cce

Score

8^/10

persistence evasion trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

chthonic_2.23.15.12.vir.exemsiexec.execmd.exeMozillaMaintenanceService1.exe

description	pid	process	target process
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 672 wrote to memory of 776	672	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 776 wrote to memory of 1056	776	msiexec.exe	cmd.exe
PID 776 wrote to memory of 1056	776	msiexec.exe	cmd.exe
PID 776 wrote to memory of 1056	776	msiexec.exe	cmd.exe
PID 776 wrote to memory of 1056	776	msiexec.exe	cmd.exe
PID 1056 wrote to memory of 1532	1056	cmd.exe	MozillaMaintenanceService1.exe
PID 1056 wrote to memory of 1532	1056	cmd.exe	MozillaMaintenanceService1.exe
PID 1056 wrote to memory of 1532	1056	cmd.exe	MozillaMaintenanceService1.exe
PID 1056 wrote to memory of 1532	1056	cmd.exe	MozillaMaintenanceService1.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe
PID 1532 wrote to memory of 1832	1532	MozillaMaintenanceService1.exe	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

776 msiexec.exe
776 msiexec.exe
1832 msiexec.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1056 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MozillaMaintenanceService1.exe

pid process

1532 MozillaMaintenanceService1.exe

pid	process
776	msiexec.exe
776	msiexec.exe
1832	msiexec.exe

pid	process
1056	cmd.exe

pid	process
1532	MozillaMaintenanceService1.exe

Blacklisted process makes network request 11 IoCs

Processes:

msiexec.exe

flow	pid	process
3	776	msiexec.exe
6	776	msiexec.exe
7	776	msiexec.exe
8	776	msiexec.exe
9	776	msiexec.exe
10	776	msiexec.exe
11	776	msiexec.exe
14	776	msiexec.exe
15	776	msiexec.exe
16	776	msiexec.exe
17	776	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\MozillaMaintenanceService1 = "C:\\Users\\Admin\\AppData\\Roaming\\MozillaMaintenanceService1\\MozillaMaintenanceService1.exe"	msiexec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

msiexec.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

chthonic_2.23.15.12.vir.exemsiexec.exeMozillaMaintenanceService1.exe

pid process

672 chthonic_2.23.15.12.vir.exe
776 msiexec.exe
1532 MozillaMaintenanceService1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe

pid	process
672	chthonic_2.23.15.12.vir.exe
776	msiexec.exe
1532	MozillaMaintenanceService1.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: GetForegroundWindowSpam
PID:672

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MozillaMaintenanceService1\MozillaMaintenanceService1.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1056

C:\Users\Admin\AppData\Roaming\MozillaMaintenanceService1\MozillaMaintenanceService1.exe
C:\Users\Admin\AppData\Roaming\MozillaMaintenanceService1\MozillaMaintenanceService1.exe
4⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1532

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MozillaMaintenanceService1\MozillaMaintenanceService1.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MozillaMaintenanceService1\MozillaMaintenanceService1.exe

Download Submit
\Users\Admin\AppData\Roaming\MozillaMaintenanceService1\MozillaMaintenanceService1.exe

Download Submit
memory/776-0-0x0000000000000000-mapping.dmp

Download
memory/1056-1-0x0000000000000000-mapping.dmp

Download
memory/1532-4-0x0000000000000000-mapping.dmp

Download
memory/1832-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads