b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd

General

Target

chthonic_2.23.15.12.vir.exe
Size

427KB
MD5

8296372373a0e63024143e6beee29a82
SHA1

4fae40c361e7f2da23a7984e06320b89cbad654d
SHA256

b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd
SHA512

3bf80ceb5cdb03fd5419741c4fabd293ab9003d972ef9bc329528664197287d81f03522d6b3852d480898f2477615d6178995bdc82bc1783978850a5b5647cce

Score

8^/10

evasion trojan persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

3888 msiexec.exe
3888 msiexec.exe
3888 msiexec.exe
3888 msiexec.exe
572 msiexec.exe
572 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

0lite.exe

pid process

1736 0lite.exe

pid	process
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
572	msiexec.exe
572	msiexec.exe

pid	process
1736	0lite.exe

Blacklisted process makes network request 11 IoCs

Processes:

msiexec.exe

flow	pid	process
10	3888	msiexec.exe
12	3888	msiexec.exe
15	3888	msiexec.exe
16	3888	msiexec.exe
17	3888	msiexec.exe
18	3888	msiexec.exe
20	3888	msiexec.exe
21	3888	msiexec.exe
22	3888	msiexec.exe
23	3888	msiexec.exe
24	3888	msiexec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

msiexec.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\0lite = "C:\\Users\\Admin\\AppData\\Roaming\\0lite\\0lite.exe"	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

chthonic_2.23.15.12.vir.exemsiexec.exe0lite.exe

pid process

3832 chthonic_2.23.15.12.vir.exe
3888 msiexec.exe
1736 0lite.exe

pid	process
3832	chthonic_2.23.15.12.vir.exe
3888	msiexec.exe
1736	0lite.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

chthonic_2.23.15.12.vir.exemsiexec.execmd.exe0lite.exe

description	pid	process	target process
PID 3832 wrote to memory of 3888	3832	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 3832 wrote to memory of 3888	3832	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 3832 wrote to memory of 3888	3832	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 3832 wrote to memory of 3888	3832	chthonic_2.23.15.12.vir.exe	msiexec.exe
PID 3888 wrote to memory of 3860	3888	msiexec.exe	cmd.exe
PID 3888 wrote to memory of 3860	3888	msiexec.exe	cmd.exe
PID 3888 wrote to memory of 3860	3888	msiexec.exe	cmd.exe
PID 3860 wrote to memory of 1736	3860	cmd.exe	0lite.exe
PID 3860 wrote to memory of 1736	3860	cmd.exe	0lite.exe
PID 3860 wrote to memory of 1736	3860	cmd.exe	0lite.exe
PID 1736 wrote to memory of 572	1736	0lite.exe	msiexec.exe
PID 1736 wrote to memory of 572	1736	0lite.exe	msiexec.exe
PID 1736 wrote to memory of 572	1736	0lite.exe	msiexec.exe
PID 1736 wrote to memory of 572	1736	0lite.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Checks whether UAC is enabled
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\0lite\0lite.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Roaming\0lite\0lite.exe
C:\Users\Admin\AppData\Roaming\0lite\0lite.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0lite\0lite.exe

Download Submit
C:\Users\Admin\AppData\Roaming\0lite\0lite.exe

Download Submit
memory/572-5-0x0000000000000000-mapping.dmp

Download
memory/1736-2-0x0000000000000000-mapping.dmp

Download
memory/3860-1-0x0000000000000000-mapping.dmp

Download
memory/3888-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads