Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.4.20.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.4.20.0.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.4.20.0.vir.exe
- Size: 108KB
- MD5: 28a022dc9c6bd2f51e77a7db5b27be21
- SHA1: dc1b7c5b86fe4fe84e03d7087b7e1e9c05d855ef
- SHA256: a2e7dd2a1d4dfada76d1cb58d0736805e8372789de39e317a8edb34a313a039c
- SHA512: db86cb837d2751d46588b25078139237e7a0c6d42dcc41e7c9142a87a8b511fa8f0ec4d76a62595ac4212550b652a826231759da197cd17e6598f9a0d2a71df3
- Score: 10/10
Malware Config
Signatures
-
Disables taskbar notifications via registry modification
-
Modifies Internet Explorer settings (per the process tree below)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
- Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
- Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
-
System policy modification (1 TTP, 5 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
-
Checks whether UAC is enabled (per the process tree below)
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
- 2416 | chthonic_2.4.20.0.vir.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
- PID 2416 set thread context of 2480 | 2416 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe
-
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes (pid | process):
- 2672 | msiexec.exe (the same entry repeated 32 times in the report)
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UseReferenceAssemblies = "C:\\ProgramData\\Reference Assemblies\\UseReferenceAssemblies.exe" | msiexec.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
- PID 2416 wrote to memory of 2480 | 2416 | chthonic_2.4.20.0.vir.exe | chthonic_2.4.20.0.vir.exe (8 occurrences)
- PID 2480 wrote to memory of 2672 | 2480 | chthonic_2.4.20.0.vir.exe | msiexec.exe (4 occurrences)
-
Deletes itself (1 IoC)
Processes (pid | process):
- 2672 | msiexec.exe
Processes (tree; indentation shows parent/child nesting)
-
C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe (child process)
    command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\msiexec.exe (child process)
      command line: msiexec.exe
      - Modifies Internet Explorer settings
      - System policy modification
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Adds policy Run key to start application
      - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2480-2-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/2480-3-0x0000000000401B6A-mapping.dmp
- memory/2480-4-0x0000000000401B6A-mapping.dmp
- memory/2480-5-0x0000000000401B6A-mapping.dmp
- memory/2480-10-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/2672-9-0x0000000000000000-mapping.dmp