Analysis

- max time kernel: 147s
- max time network: 146s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:30

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.15.12.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.15.12.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General

- Target: chthonic_2.23.15.12.vir.exe
- Size: 427KB
- MD5: 8296372373a0e63024143e6beee29a82
- SHA1: 4fae40c361e7f2da23a7984e06320b89cbad654d
- SHA256: b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd
- SHA512: 3bf80ceb5cdb03fd5419741c4fabd293ab9003d972ef9bc329528664197287d81f03522d6b3852d480898f2477615d6178995bdc82bc1783978850a5b5647cce
- Score: 8/10
Malware Config
Signatures
-
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  3888  msiexec.exe (4 hits)
  572   msiexec.exe (2 hits)
- Executes dropped EXE (1 IoC)
  pid   process
  1736  0lite.exe
- Blacklisted process makes network request (11 IoCs)
  flow  pid   process
  10    3888  msiexec.exe
  12    3888  msiexec.exe
  15    3888  msiexec.exe
  16    3888  msiexec.exe
  17    3888  msiexec.exe
  18    3888  msiexec.exe
  20    3888  msiexec.exe
  21    3888  msiexec.exe
  22    3888  msiexec.exe
  23    3888  msiexec.exe
  24    3888  msiexec.exe
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created:     \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\Run (msiexec.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\0lite = "C:\Users\Admin\AppData\Roaming\0lite\0lite.exe" (msiexec.exe)
- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  pid   process
  3832  chthonic_2.23.15.12.vir.exe
  3888  msiexec.exe
  1736  0lite.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  source pid  source process               target pid  target process  hits
  3832        chthonic_2.23.15.12.vir.exe  3888        msiexec.exe     4
  3888        msiexec.exe                  3860        cmd.exe         3
  3860        cmd.exe                      1736        0lite.exe       3
  1736        0lite.exe                    572         msiexec.exe     4
Processes (PIDs taken from the WriteProcessMemory signature)

- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe (PID 3832)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 3888)
    cmdline: msiexec.exe
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Checks whether UAC is enabled
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3860)
      cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\0lite\0lite.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\0lite\0lite.exe (PID 1736)
        cmdline: C:\Users\Admin\AppData\Roaming\0lite\0lite.exe
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\msiexec.exe (PID 572)
          cmdline: msiexec.exe
          - Suspicious behavior: EnumeratesProcesses
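The signature tables and the process tree above describe a recognisable chain: a binary outside C:\Windows starts an argument-less msiexec.exe and writes into it, the injected msiexec.exe reads EnableLUA and writes a Run value into the user's AppData, and the dropped 0lite.exe repeats the msiexec.exe injection. The following is an added detection pass written for this page, not code from the sandbox, the report, or the sample. The event records are constructed for the example (PIDs, paths and registry keys are copied from the report; the field names, the parent PIDs 2000 and 1, and the benign explorer.exe/msiexec.exe control events are assumptions). It also shows why the bare WriteProcessMemory count is a weak signal on its own: the sandbox logs the same API for the ordinary msiexec -> cmd -> 0lite process creations, so the detector keys on the injection pattern rather than on the hit count.

```python
"""Detection pass over process, memory-write and registry events shaped like
the ones in this report.  The event records below are CONSTRUCTED for the
example (PIDs, paths and keys copied from the report; the field names and the
benign control events are assumptions, not a real sandbox or EDR schema)."""
import ntpath

# Constructed events in report order. One write_process_memory record per
# observed parent/target pair is enough; the report's repeated hits for the
# same pair (e.g. 3832 -> 3888 four times) are collapsed by the detector.
EVENTS = [
    {"event": "process_create", "pid": 3832, "ppid": 2000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.12.vir.exe"'},
    {"event": "process_create", "pid": 3888, "ppid": 3832,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": "msiexec.exe"},
    {"event": "write_process_memory", "pid": 3832, "target_pid": 3888},
    {"event": "write_process_memory", "pid": 3832, "target_pid": 3888},
    {"event": "reg_query", "pid": 3888, "value": "EnableLUA",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
    {"event": "reg_set", "pid": 3888, "value": "0lite",
     "key": r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\Admin\AppData\Roaming\0lite\0lite.exe"},
    {"event": "process_create", "pid": 3860, "ppid": 3888,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\0lite\0lite.exe"'},
    {"event": "write_process_memory", "pid": 3888, "target_pid": 3860},
    {"event": "process_create", "pid": 1736, "ppid": 3860,
     "image": r"C:\Users\Admin\AppData\Roaming\0lite\0lite.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\0lite\0lite.exe"},
    {"event": "write_process_memory", "pid": 3860, "target_pid": 1736},
    {"event": "process_create", "pid": 572, "ppid": 1736,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": "msiexec.exe"},
    {"event": "write_process_memory", "pid": 1736, "target_pid": 572},
    # Benign control (hypothetical, not from the report): explorer.exe starting
    # a real package install. msiexec has arguments and its parent lives under
    # C:\Windows, so neither rule below should fire on it.
    {"event": "process_create", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Admin\Downloads\tool.msi" /qn'},
    {"event": "write_process_memory", "pid": 900, "target_pid": 4100},
]


def _image_name(path):
    return ntpath.basename(path).lower()


def _process_table(events):
    return {e["pid"]: e for e in events if e["event"] == "process_create"}


def detect_msiexec_injection(events):
    """Flag a process outside C:\\Windows that spawns msiexec.exe with an empty
    command line and then writes into it.  That pattern, not the raw
    WriteProcessMemory hit, separates 3832 -> 3888 and 1736 -> 572 from the
    plain process creations (msiexec -> cmd -> 0lite) the sandbox also logs."""
    procs = _process_table(events)
    seen, findings = set(), []
    for e in events:
        if e["event"] != "write_process_memory":
            continue
        writer, target = procs.get(e["pid"]), procs.get(e["target_pid"])
        if writer is None or target is None or (writer["pid"], target["pid"]) in seen:
            continue
        if _image_name(target["image"]) != "msiexec.exe":
            continue
        argless = target["cmdline"].strip().strip('"').lower() == "msiexec.exe"
        spawned_by_writer = target["ppid"] == writer["pid"]
        untrusted_writer = not writer["image"].lower().startswith("c:\\windows\\")
        if argless and spawned_by_writer and untrusted_writer:
            seen.add((writer["pid"], target["pid"]))
            findings.append({"rule": "msiexec_injection",
                             "writer": writer["pid"], "target": target["pid"]})
    return findings


def detect_appdata_run_key(events):
    """Flag a Run value whose data points into a user profile (AppData)."""
    return [{"rule": "run_key_appdata", "pid": e["pid"], "name": e["value"], "path": e["data"]}
            for e in events
            if e["event"] == "reg_set"
            and e["key"].lower().endswith(r"\currentversion\run")
            and "\\appdata\\" in e["data"].lower()]


def detect_uac_probe_from_injected(events):
    """EnableLUA read by a process that was itself an injection target."""
    injected = {f["target"] for f in detect_msiexec_injection(events)}
    return [{"rule": "enablelua_query_from_injected_msiexec", "pid": e["pid"]}
            for e in events
            if e["event"] == "reg_query" and e["value"].lower() == "enablelua"
            and e["pid"] in injected]


def triage(events):
    """All findings for one run, in the order a reviewer would read them."""
    return (detect_msiexec_injection(events)
            + detect_appdata_run_key(events)
            + detect_uac_probe_from_injected(events))


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Run against the constructed events, `triage` returns four findings: the two msiexec.exe injections (3832 -> 3888 and 1736 -> 572), the `0lite` Run value written by PID 3888, and the EnableLUA read by the same injected PID. The cmd.exe and 0lite.exe memory writes and the explorer-launched install produce nothing, which is the point of keying on the argument-less-msiexec-plus-untrusted-parent pattern rather than on WriteProcessMemory alone.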
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Roaming\0lite\0lite.exe
- memory/572-5-0x0000000000000000-mapping.dmp
- memory/1736-2-0x0000000000000000-mapping.dmp
- memory/3860-1-0x0000000000000000-mapping.dmp
- memory/3888-0-0x0000000000000000-mapping.dmp