Analysis
- max time kernel: 137s
- max time network: 139s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 17:33
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.23.12.10.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.23.12.10.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.12.10.vir.exe
- Size: 160KB
- MD5: bd733b7cb157275ff7a2b2ff287589a0
- SHA1: 31eb1df25b5f1e799a451ea536f0674042bd19c8
- SHA256: d6324644c2a267bea0322c4f817b7a4029129e68959cdeb25f53f8e1f9ddeaad
- SHA512: b2341190d6a76e0d1f752f820a8f14f0a3b492e15c5d56a96a82c631e981f8b0e816287e8894ccb2966dc85f8440a6909a0b2f136d61080efcb00b148cf383bd
- Score: 10/10
Malware Config
Signatures
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - 652 chthonic_2.23.12.10.vir.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
  - 816 msiexec.exe (4 occurrences)
- Blacklisted process makes network request (20 IoCs)
  Processes (flow, pid, process):
  - flows 4, 7, 8, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 23, 24, 25, 26, 27, 28, 29: 816 msiexec.exe
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 652 wrote to memory of 816: chthonic_2.23.12.10.vir.exe -> msiexec.exe (4 occurrences)
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run (msiexec.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsPowerShellU = "C:\\ProgramData\\WindowsPowerShell\\WindowsPowerShellU.exe" (msiexec.exe)
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (msiexec.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter (msiexec.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (msiexec.exe)
- System policy modification (1 TTP, 5 IoCs)
  Disables taskbar notifications via registry modification
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer (msiexec.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.10.vir.exe (PID 652, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.10.vir.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 816, tree depth 2, child of the process above)
    Command line: msiexec.exe
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Checks whether UAC is enabled
    - Adds policy Run key to start application
    - Modifies Internet Explorer settings
    - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/816-0-0x0000000000000000-mapping.dmp