Analysis
max time kernel: 151s
max time network: 73s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 17:28
Static task: static1

Behavioral task: behavioral1
Sample: chthonic_0.3.29.0.vir.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: chthonic_0.3.29.0.vir.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: chthonic_0.3.29.0.vir.exe
Size: 228KB
MD5: a9cedbccefb07a18d56a360be2aeb4bb
SHA1: ed6043735ef990b3b9fa5fd53df82b3e577fc02a
SHA256: 51c8e10c77c9f131b207be4bff0e37a09cf4f24b3b941416ae22bc438d1730c4
SHA512: 610670b89af3014d303e55f6d90dce22edb9f7ac74e4a9f7c73952875884074180500deb5b8d98ff8824f443de848cce22aee972c9bdd6a6faca588b9bd8ef06
Score: 8/10
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: trayMacromedia.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run | trayMacromedia.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{32AF2F58-E87B-C0CB-85F3-B770212B00F4} = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\trayMacromedia.exe" | trayMacromedia.exe
Loads dropped DLL (2 IoCs)
Processes: chthonic_0.3.29.0.vir.exe
pid | process
1544 | chthonic_0.3.29.0.vir.exe
1544 | chthonic_0.3.29.0.vir.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: chthonic_0.3.29.0.vir.exe
description | pid | process | target process
PID 1544 wrote to memory of 280 | 1544 | chthonic_0.3.29.0.vir.exe | trayMacromedia.exe (4 entries)
PID 1544 wrote to memory of 1052 | 1544 | chthonic_0.3.29.0.vir.exe | cmd.exe (4 entries)
Executes dropped EXE (1 IoC)
Processes: trayMacromedia.exe
pid | process
280 | trayMacromedia.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: trayMacromedia.exe
pid | process
280 | trayMacromedia.exe
Deletes itself (1 IoC)
Processes: cmd.exe
pid | process
1052 | cmd.exe
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes: trayMacromedia.exe
pid | process
280 | trayMacromedia.exe (58 entries)
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: chthonic_0.3.29.0.vir.exe, trayMacromedia.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE | chthonic_0.3.29.0.vir.exe
Key opened | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE | trayMacromedia.exe
Processes
C:\Users\Admin\AppData\Local\Temp\chthonic_0.3.29.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_0.3.29.0.vir.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys
  C:\Users\Admin\AppData\Roaming\Macromedia\trayMacromedia.exe (child)
    Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\trayMacromedia.exe"
    - Adds Run key to start application
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious behavior: EnumeratesProcesses
    - Identifies Wine through registry keys
  C:\Windows\SysWOW64\cmd.exe (child)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5598c5d2.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5598c5d2.bat
- C:\Users\Admin\AppData\Roaming\Macromedia\trayMacromedia.exe
- C:\Users\Admin\AppData\Roaming\Macromedia\trayMacromedia.exe
- \Users\Admin\AppData\Roaming\Macromedia\trayMacromedia.exe
- \Users\Admin\AppData\Roaming\Macromedia\trayMacromedia.exe
- memory/280-2-0x0000000000000000-mapping.dmp
- memory/1052-5-0x0000000000000000-mapping.dmp