Analysis
- max time kernel: 144s
- max time network: 131s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:27

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.4.20.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.4.20.0.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds

General
- Target: chthonic_2.4.20.0.vir.exe
- Size: 108KB
- MD5: 28a022dc9c6bd2f51e77a7db5b27be21
- SHA1: dc1b7c5b86fe4fe84e03d7087b7e1e9c05d855ef
- SHA256: a2e7dd2a1d4dfada76d1cb58d0736805e8372789de39e317a8edb34a313a039c
- SHA512: db86cb837d2751d46588b25078139237e7a0c6d42dcc41e7c9142a87a8b511fa8f0ec4d76a62595ac4212550b652a826231759da197cd17e6598f9a0d2a71df3

Score: 10/10
Malware Config
Signatures
-
System policy modification 1 TTPs 5 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
-
Checks whether UAC is enabled
Processes: msiexec.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: chthonic_2.4.20.0.vir.exe
pid | process
1612 | chthonic_2.4.20.0.vir.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: chthonic_2.4.20.0.vir.exe, chthonic_2.4.20.0.vir.exe
description | pid | process | target process
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 wrote to memory of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
PID 1120 wrote to memory of 1544 | 1120 | chthonic_2.4.20.0.vir.exe | msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: msiexec.exe
pid | process
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
1544 | msiexec.exe
-
Deletes itself 1 IoCs
Processes: msiexec.exe
pid | process
1544 | msiexec.exe
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Trayinst = "C:\\ProgramData\\Uninstall Information\\Trayinst.exe" | msiexec.exe
-
Disables taskbar notifications via registry modification
-
Suspicious use of SetThreadContext 2 IoCs
Processes: chthonic_2.4.20.0.vir.exe
description | pid | process | target process
PID 1612 set thread context of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
PID 1612 set thread context of 1120 | 1612 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
-
Modifies Internet Explorer settings
Processes: msiexec.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
- Depth 2: C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe"
  - Suspicious use of WriteProcessMemory
- Depth 3: C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec.exe
  - System policy modification
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Deletes itself
  - Adds policy Run key to start application
  - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1120-2-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/1120-3-0x0000000000401B6A-mapping.dmp
- memory/1120-4-0x0000000000401B6A-mapping.dmp
- memory/1120-5-0x0000000000401B6A-mapping.dmp
- memory/1120-10-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/1544-9-0x0000000000000000-mapping.dmp