742a1d6f3569a67d95732295d491afc5025548240a7671ea4741936f0106f4bc

Reason

Machine shutdown

General

Target

chthonic_2.23.18.23.vir.exe
Size

1.0MB
MD5

1d4f512ea3240231b59dcd026d61b789
SHA1

1f53488f5638b61345fa65304f3090125d1866c6
SHA256

742a1d6f3569a67d95732295d491afc5025548240a7671ea4741936f0106f4bc
SHA512

9e474fb0305c7ca88736e094409ecfd5ef8efa00f5159e6923a7c780ead7794392b35f341631f2c47105f8e239d129ace03e79ca2504e04878932144b127af13

Score

7^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

chthonic_2.23.18.23.vir.exe

pid process

1376 chthonic_2.23.18.23.vir.exe

Loads dropped DLL 6 IoCs

Processes:

chthonic_2.23.18.23.vir.exe

pid	process
1376	chthonic_2.23.18.23.vir.exe
1376	chthonic_2.23.18.23.vir.exe
1376	chthonic_2.23.18.23.vir.exe
1376	chthonic_2.23.18.23.vir.exe
1376	chthonic_2.23.18.23.vir.exe
1376	chthonic_2.23.18.23.vir.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chthonic_2.23.18.23.vir.exe

pid process

1376 chthonic_2.23.18.23.vir.exe

Suspicious use of AdjustPrivilegeToken 3023 IoCs

Processes:

chthonic_2.23.18.23.vir.exe

description	pid	process
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeBackupPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeRestorePrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe
Token: SeShutdownPrivilege	1376	chthonic_2.23.18.23.vir.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chthonic_2.23.18.23.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\RunOnce	chthonic_2.23.18.23.vir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsNTe = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsNTe\\WindowsNTe.exe"	chthonic_2.23.18.23.vir.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.18.23.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.18.23.vir.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
PID:1376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\37304261.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\38703557.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\68496A58.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\685A4546.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\6F356670.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\6F544E39.tmp

Download Submit
memory/1696-8-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1696-17-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1696-19-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1696-20-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads