Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    19-07-2020 19:27

General

  • Target

    chthonic_2.4.20.0.vir.exe

  • Size

    108KB

  • MD5

    28a022dc9c6bd2f51e77a7db5b27be21

  • SHA1

    dc1b7c5b86fe4fe84e03d7087b7e1e9c05d855ef

  • SHA256

    a2e7dd2a1d4dfada76d1cb58d0736805e8372789de39e317a8edb34a313a039c

  • SHA512

    db86cb837d2751d46588b25078139237e7a0c6d42dcc41e7c9142a87a8b511fa8f0ec4d76a62595ac4212550b652a826231759da197cd17e6598f9a0d2a71df3

Malware Config

Signatures

  • Disables taskbar notifications via registry modification
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • System policy modification 1 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Deletes itself 1 IoCs
  • UAC bypass 3 TTPs

Processes

  • C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe
    "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe
      "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.20.0.vir.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Modifies Internet Explorer settings
        • System policy modification
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Adds policy Run key to start application
        • Deletes itself
        PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

4
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2480-2-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

  • memory/2480-3-0x0000000000401B6A-mapping.dmp
  • memory/2480-4-0x0000000000401B6A-mapping.dmp
  • memory/2480-5-0x0000000000401B6A-mapping.dmp
  • memory/2480-10-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

  • memory/2672-9-0x0000000000000000-mapping.dmp