Analysis
- max time kernel: 142s
- max time network: 144s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 17:23
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.23.14.3.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.23.14.3.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.14.3.vir.exe
- Size: 316KB
- MD5: c73bb0ecba9a48fa54ce209becf415a1
- SHA1: 71323430b7752734c495e1bbb42889ebc041a5c8
- SHA256: 5124f1b8847074cf927f1fe6dec6657a3a50c32e924f7ff915c926604c207b25
- SHA512: 1aaaf0457a3453c5dc4ec9fbffe69816c412ac3ab987973a095873668688f82129d196f91a7b44ede0a9fcebf52bad9de84ad100b97a135ea77ed6fa21a37c1e
- Score: 10/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: chthonic_2.23.14.3.vir.exe
  description | pid | process | target process
  PID 2024 wrote to memory of 2756 | 2024 | chthonic_2.23.14.3.vir.exe | msiexec.exe
  PID 2024 wrote to memory of 2756 | 2024 | chthonic_2.23.14.3.vir.exe | msiexec.exe
  PID 2024 wrote to memory of 2756 | 2024 | chthonic_2.23.14.3.vir.exe | msiexec.exe
  PID 2024 wrote to memory of 2756 | 2024 | chthonic_2.23.14.3.vir.exe | msiexec.exe
- Blacklisted process makes network request (21 IoCs)
  Processes: msiexec.exe
  flow | pid | process
  flows 7, 11, 12, 14, 15, 16, 17, 18, 19, 20, 22, 24, 25, 26, 27, 28, 29, 31, 32, 33, 36 | 2756 | msiexec.exe (one IoC per flow, all from the same pid)
- Disables taskbar notifications via registry modification
- System policy modification (1 TTPs, 5 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: chthonic_2.23.14.3.vir.exe
  description | pid | process
  Token: SeBackupPrivilege | 2024 | chthonic_2.23.14.3.vir.exe
  Token: SeSecurityPrivilege | 2024 | chthonic_2.23.14.3.vir.exe
  Token: SeSecurityPrivilege | 2024 | chthonic_2.23.14.3.vir.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: chthonic_2.23.14.3.vir.exe
  pid | process
  2024 | chthonic_2.23.14.3.vir.exe
- Modifies Internet Explorer settings (heading restored from the process tree below; the IoC table had lost its title)
  Processes: msiexec.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
- Checks whether UAC is enabled (heading restored from the process tree below; the IoC table had lost its title)
  Processes: msiexec.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: msiexec.exe
  pid | process
  2756 | msiexec.exe
  2756 | msiexec.exe
  2756 | msiexec.exe
  2756 | msiexec.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UMozillaMaintenanceService = "C:\\ProgramData\\Mozilla Maintenance Service\\UMozillaMaintenanceService.exe" | msiexec.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.14.3.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.14.3.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: GetForegroundWindowSpam
- Level 2 (child of chthonic_2.23.14.3.vir.exe): C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec.exe
  - Blacklisted process makes network request
  - System policy modification
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Adds policy Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2756-0-0x0000000000000000-mapping.dmp