Analysis
  max time kernel:  140s
  max time network: 144s
  platform:         windows10_x64
  resource:         win10
  submitted:        19-07-2020 16:35
Static task: static1

Behavioral task: behavioral1
  Sample:   chthonic_2.23.14.4.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   chthonic_2.23.14.4.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: chthonic_2.23.14.4.vir.exe
  Size:   308KB
  MD5:    a163c669174cd18fda083d8819d10e6a
  SHA1:   4aaaafbee73e9a98231cd74815cac9d70c9d1eaf
  SHA256: 3dc6116deb18fa9aec4e567b26ca77b9f7681cbdb2b6f29ce1665fcfd8b8f5ce
  SHA512: 676e485950e96f0a436a60ff7ec1b5bdc60ad90fb2fb8e920e10c9929ff362656d10c020f6b9ed8c095e7923a706462eb8fe17fb426fc02b7d77cf96cf9ae8d9
  Score:  10/10
Malware Config

Signatures
Suspicious use of WriteProcessMemory (4 IoCs)
  process: chthonic_2.23.14.4.vir.exe
  description                        pid   process                     target process
  PID 3920 wrote to memory of 3908   3920  chthonic_2.23.14.4.vir.exe  msiexec.exe
  (this row is recorded 4 times)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  process: msiexec.exe
  description      ioc
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yWindowsNT = "C:\\ProgramData\\Windows NT\\yWindowsNT.exe"
Disables taskbar notifications via registry modification
  (the TaskbarNoNotification value is listed under System policy modification below)
System policy modification (1 TTP, 5 IoCs)
  process: msiexec.exe
  description      ioc
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
Checks whether UAC is enabled
  process: msiexec.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3908, msiexec.exe (4 events)
Blacklisted process makes network request (17 IoCs)
  pid 3908, msiexec.exe
  flows: 3, 4, 5, 6, 7, 8, 9, 12, 22, 24, 25, 26, 27, 28, 29, 30, 31
Modifies Internet Explorer settings
  process: msiexec.exe
  description      ioc
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter
  Set value (int)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
  Set value (int)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
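Every IoC in the signature tables above is a registry write made by msiexec.exe after the sample wrote into it (PID 3920 -> 3908), so the same values can be checked cheaply on a host suspected of running this sample. The PowerShell audit below is an added example written for this page; it is not sandbox output and not code from the sample. It assumes it runs elevated on the host under review. The key paths, value names and flagged values are copied from the Signatures section; the human-readable reasons, the "ProgramData" heuristic on policy Run entries, and the listing of live msiexec.exe parents are the editor's own triage additions, not something the report states.

```powershell
# Added example: audit a host for the registry IoCs listed in this report.
# Assumptions: run as administrator; paths/values taken from the Signatures section above.

function Find-ChthonicRegistryIoCs {
    $findings = New-Object System.Collections.Generic.List[object]

    # Machine-wide values the injected msiexec.exe set (see System policy modification / Modifies IE settings).
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';             Bad = 0; Why = 'UAC disabled' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'TaskbarNoNotification'; Bad = 1; Why = 'taskbar notifications suppressed' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';         Bad = 1; Why = 'Security/Action Center icon hidden' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter';         Name = 'EnabledV8';             Bad = 0; Why = 'IE phishing filter off (machine)' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter';         Name = 'EnabledV9';             Bad = 0; Why = 'IE phishing filter off (machine)' }
    )
    foreach ($c in $checks) {
        # -ErrorAction SilentlyContinue: a missing key or value simply yields $null (not a finding).
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            $findings.Add([pscustomobject]@{ Location = "$($c.Path)\$($c.Name)"; Value = $item.($c.Name); Reason = $c.Why })
        }
    }

    # Per-user phishing-filter values: the report shows them under one user SID; check every loaded user hive.
    $userHives = Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $userHives) {
        $p = "Registry::$($hive.Name)\Software\Microsoft\Internet Explorer\PhishingFilter"
        foreach ($n in 'EnabledV8', 'EnabledV9') {
            $item = Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue
            if ($null -ne $item -and $item.$n -eq 0) {
                $findings.Add([pscustomobject]@{ Location = "$p\$n"; Value = 0; Reason = 'IE phishing filter off (user)' })
            }
        }
    }

    # Persistence: report every value under the policy Run key (processed at logon like the ordinary Run key).
    # The entry in this report points into ProgramData, so that pattern is flagged separately (editor's heuristic).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($v in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
            $why = if ($v.Value -match '\\ProgramData\\') { 'policy Run entry into ProgramData (matches report)' } else { 'policy Run entry (review)' }
            $findings.Add([pscustomobject]@{ Location = "$runKey\$($v.Name)"; Value = $v.Value; Reason = $why })
        }
    }
    return $findings
}

# Live msiexec.exe instances with their parent process, to compare against the process tree in this report
# (here the injected msiexec.exe was spawned by the sample, not by the installer service).
function Get-MsiexecParents {
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        [pscustomobject]@{ Pid = $p.ProcessId; CommandLine = $p.CommandLine; ParentPid = $p.ParentProcessId; Parent = $parent.Name }
    }
}

Find-ChthonicRegistryIoCs | Format-Table -AutoSize
Get-MsiexecParents       | Format-Table -AutoSize
```

A registry audit only catches what this run left behind; the injection itself (the WriteProcessMemory events) is visible only in process memory or in endpoint telemetry, which is why the msiexec.exe parent listing is included for manual comparison rather than scored automatically.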
Processes
  1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.14.4.vir.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.14.4.vir.exe"
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\msiexec.exe
        command line: msiexec.exe
        - Adds policy Run key to start application
        - System policy modification
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Blacklisted process makes network request
        - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/3908-0-0x0000000000000000-mapping.dmp