Analysis
-
max time kernel
20s -
max time network
25s -
platform
windows10_x64 -
resource
win10 -
submitted
19-07-2020 17:29
Errors
Reason
Machine shutdown
General
-
Target
chthonic_2.23.17.5.vir.exe
-
Size
120KB
-
MD5
20634b0d4225cd3d911daf828cb6aa39
-
SHA1
d396236df73c7d15cf910d6ce3ff4bb75d7e1ebe
-
SHA256
35396cd9c37aef5c360393e391bbb2acb4956c948e2d061705728002edc068c1
-
SHA512
5485eea7b0b1f97c3384607c84e71a6a795653f5d802c8269c134a8f4596f5971334893282ade9e8e5f4765b8919793f74147155595ef27b24b7d7d371898668
Score
8/10
Malware Config
Signatures
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Modifies service 2 TTPs 8 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 4 IoCs
-
Modifies registry class 23 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Loads dropped DLL 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Disables taskbar notifications via registry modification
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.5.vir.exe"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.5.vir.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe2⤵
- Checks whether UAC is enabled
- Modifies service
- System policy modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Checks for any installed AV software in registry
- Modifies registry class
- Deletes itself
- Adds Run key to start application
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\liteB\liteB.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\liteB\liteB.exeC:\Users\Admin\AppData\Roaming\liteB\liteB.exe4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Loads dropped DLL
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\liteB\liteB.exe
-
C:\Users\Admin\AppData\Roaming\liteB\liteB.exe
-
\Users\Admin\AppData\Local\Temp\24D.tmp
-
\Users\Admin\AppData\Local\Temp\2A85.tmp
-
\Users\Admin\AppData\Local\Temp\E3A9.tmp
-
\Users\Admin\AppData\Local\Temp\F7C.tmp
-
memory/1812-4-0x0000000000000000-mapping.dmp
-
memory/3240-3-0x0000000000000000-mapping.dmp
-
memory/3592-8-0x0000000000000000-mapping.dmp
-
memory/3892-1-0x0000000000000000-mapping.dmp