Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:28
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_0.3.29.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_0.3.29.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_0.3.29.0.vir.exe
- Size: 228KB
- MD5: a9cedbccefb07a18d56a360be2aeb4bb
- SHA1: ed6043735ef990b3b9fa5fd53df82b3e577fc02a
- SHA256: 51c8e10c77c9f131b207be4bff0e37a09cf4f24b3b941416ae22bc438d1730c4
- SHA512: 610670b89af3014d303e55f6d90dce22edb9f7ac74e4a9f7c73952875884074180500deb5b8d98ff8824f443de848cce22aee972c9bdd6a6faca588b9bd8ef06
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: chthonic_0.3.29.0.vir.exe
description | pid | process | target process
PID 748 wrote to memory of 3496 | 748 | chthonic_0.3.29.0.vir.exe | xpersAdobe.exe
PID 748 wrote to memory of 3496 | 748 | chthonic_0.3.29.0.vir.exe | xpersAdobe.exe
PID 748 wrote to memory of 3496 | 748 | chthonic_0.3.29.0.vir.exe | xpersAdobe.exe
PID 748 wrote to memory of 3740 | 748 | chthonic_0.3.29.0.vir.exe | cmd.exe
PID 748 wrote to memory of 3740 | 748 | chthonic_0.3.29.0.vir.exe | cmd.exe
PID 748 wrote to memory of 3740 | 748 | chthonic_0.3.29.0.vir.exe | cmd.exe
- Executes dropped EXE (1 IoC)
Processes: xpersAdobe.exe
pid | process
3496 | xpersAdobe.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
Processes: xpersAdobe.exe
pid | process
3496 | xpersAdobe.exe
- Suspicious behavior: EnumeratesProcesses (116 IoCs)
Processes: xpersAdobe.exe
pid | process
3496 | xpersAdobe.exe (the same pid/process pair is listed for every IoC under this signature)
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment; checking for its registry key is a sandbox-evasion technique.
Processes: chthonic_0.3.29.0.vir.exe, xpersAdobe.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE | chthonic_0.3.29.0.vir.exe
Key opened | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE | xpersAdobe.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: xpersAdobe.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run | xpersAdobe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E6F0D5B4-5514-494D-AE5B-DF7719D55229} = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\xpersAdobe.exe" | xpersAdobe.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_0.3.29.0.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_0.3.29.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys
  - C:\Users\Admin\AppData\Roaming\Adobe\xpersAdobe.exe (depth 2, child of the sample)
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\xpersAdobe.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious behavior: EnumeratesProcesses
    - Identifies Wine through registry keys
    - Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe (depth 2, child of the sample)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp012d5d7f.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp012d5d7f.bat
- C:\Users\Admin\AppData\Roaming\Adobe\xpersAdobe.exe
- C:\Users\Admin\AppData\Roaming\Adobe\xpersAdobe.exe
- memory/3496-0-0x0000000000000000-mapping.dmp
- memory/3740-3-0x0000000000000000-mapping.dmp