Analysis

- Max time kernel: 20s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 19-07-2020 19:44

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.18.1.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.18.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds

Errors
- Reason: Machine shutdown
General

- Target: chthonic_2.23.18.1.vir.exe
- Size: 276KB
- MD5: 38e16728716a7888da10c07799565a43
- SHA1: 0131b44b9e66d339ff99523d0df9b6dcaf6eac2f
- SHA256: c63747bc82ad844ffd323ce1038def18ed912a7db1fb7211cdbe1483f8baf819
- SHA512: ba40740efaf4957ab7a819584bc26623b8daeb3ce541c0d29fa9c04a0cede75fbe83c8bbf10daf8d653c8e54a86993cf75f7b8355d6236b648c39934f2862ad4
- Score: 10/10

Malware Config
Signatures

Suspicious use of UnmapMainImage (2 IoCs)
Processes:
  PID   process
  1016  chthonic_2.23.18.1.vir.exe
  1628  EWindowsMail.com

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                        PID   process                     target process
  PID 1016 wrote to memory of 480    1016  chthonic_2.23.18.1.vir.exe  msiexec.exe       (8 events)
  PID 480 wrote to memory of 1020    480   msiexec.exe                 cmd.exe           (4 events)
  PID 1020 wrote to memory of 1628   1020  cmd.exe                     EWindowsMail.com  (4 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID   process
  480   msiexec.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID   process
  480   msiexec.exe

Executes dropped EXE (1 IoC)
Processes:
  PID   process
  1628  EWindowsMail.com

Disables taskbar notifications via registry modification

Modifies Internet Explorer settings
Processes:
  description      ioc                                                                                                                   process
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter                   msiexec.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"   msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"                                              msiexec.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"   msiexec.exe
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter                                                              msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"                                              msiexec.exe

Modifies service (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                  process
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service              msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\diagnosticshub.standardcollector.service\Start = "4"  msiexec.exe

Windows security modification
Processes:
  description      ioc                                                                          process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = "1"   msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "1"    msiexec.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\Windows Defender\Real-Time Protection         msiexec.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\Windows Defender\Scan                         msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration             msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = "1"  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection         msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan                         msiexec.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\Windows Defender\UX Configuration             msiexec.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
Processes:
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"                                                                              msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"                                                                             msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"                                  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\Run                                                              msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\EWindowsMail = "C:\\Users\\Admin\\AppData\\Roaming\\EWindowsMail\\EWindowsMail.com"  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                              msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"                                    msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                                                         msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"                                                                               msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"                                   msiexec.exe

Modifies registry class (23 IoCs)
Processes:
  description      ioc                                                                                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software                                                                                                          msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows                                                                                        msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer                                                                                              msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage                                                                                      msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe                                                msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge                                  msiexec.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion                                                                                                           msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter                   msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings                                                                                                                   msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft                                                                                                msiexec.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter                   msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows                                                                                                                          msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion                                                                         msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer                                                            msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage                                                    msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe              msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings                                                                                                                                                     msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software                                                                                                                                            msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft                                                                                                                                  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"  msiexec.exe

Loads dropped DLL (5 IoCs)
Processes:
  PID   process
  1016  chthonic_2.23.18.1.vir.exe  (2 events)
  480   msiexec.exe
  1020  cmd.exe                     (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                  PID   process
  Token: SeShutdownPrivilege   480   msiexec.exe

Checks whether UAC is enabled
Processes:
  description         ioc                                                                               process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        msiexec.exe
  Set value (int)     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"  msiexec.exe

System policy modification (1 TTP, 5 IoCs)
Processes:
  description      ioc                                                                                                    process
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer                                msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"            msiexec.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system                                  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"                  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"    msiexec.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.18.1.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.18.1.vir.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: EnumeratesProcesses
    - Modifies Internet Explorer settings
    - Modifies service
    - Windows security modification
    - Adds Run key to start application
    - Modifies registry class
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Checks whether UAC is enabled
    - System policy modification
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\EWindowsMail\EWindowsMail.com"
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - C:\Users\Admin\AppData\Roaming\EWindowsMail\EWindowsMail.com
        Command line: C:\Users\Admin\AppData\Roaming\EWindowsMail\EWindowsMail.com
        - Suspicious use of UnmapMainImage
        - Executes dropped EXE
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads

- C:\Users\Admin\AppData\Roaming\EWindowsMail\EWindowsMail.com
- C:\Users\Admin\AppData\Roaming\EWindowsMail\EWindowsMail.com
- \Users\Admin\AppData\Local\Temp\52555FF.tmp
- \Users\Admin\AppData\Local\Temp\5A44729.tmp
- \Users\Admin\AppData\Local\Temp\CCC0.tmp
- \Users\Admin\AppData\Roaming\EWindowsMail\EWindowsMail.com
- \Users\Admin\AppData\Roaming\EWindowsMail\EWindowsMail.com
- memory/480-2-0x0000000000000000-mapping.dmp
- memory/1020-4-0x0000000000000000-mapping.dmp
- memory/1224-10-0x00000000027B0000-0x00000000027B1000-memory.dmp (Filesize: 4KB)
- memory/1224-19-0x00000000027B0000-0x00000000027B1000-memory.dmp (Filesize: 4KB)
- memory/1224-21-0x00000000027B0000-0x00000000027B1000-memory.dmp (Filesize: 4KB)
- memory/1224-22-0x00000000027B0000-0x00000000027B1000-memory.dmp (Filesize: 4KB)
- memory/1628-8-0x0000000000000000-mapping.dmp