Analysis
- max time kernel: 20s
- max time network: 25s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:29

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: chthonic_2.23.17.5.vir.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: chthonic_2.23.17.5.vir.exe, Resource: win10)
Errors
General
- Target: chthonic_2.23.17.5.vir.exe
- Size: 120KB
- MD5: 20634b0d4225cd3d911daf828cb6aa39
- SHA1: d396236df73c7d15cf910d6ce3ff4bb75d7e1ebe
- SHA256: 35396cd9c37aef5c360393e391bbb2acb4956c948e2d061705728002edc068c1
- SHA512: 5485eea7b0b1f97c3384607c84e71a6a795653f5d802c8269c134a8f4596f5971334893282ade9e8e5f4765b8919793f74147155595ef27b24b7d7d371898668
Malware Config
Signatures
Checks whether UAC is enabled
Processes:
- msiexec.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Modifies service (2 TTPs, 8 IoCs)
Processes:
- msiexec.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WerSvc
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WerSvc\Start = "4"
- msiexec.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent\Start = "4"
- msiexec.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service\Start = "4"
- msiexec.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PcaSvc
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PcaSvc\Start = "4"

System policy modification (1 TTPs, 3 IoCs)
Processes:
- msiexec.exe: Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"

Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoCs)
Enables rebooting of the machine without requiring login credentials.
Processes:
- LogonUI.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked

Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
Processes:
- PID 3100 chthonic_2.23.17.5.vir.exe
- PID 3892 msiexec.exe
- PID 1812 liteB.exe
- PID 3592 msiexec.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
- PID 3100 wrote to memory of 3892: chthonic_2.23.17.5.vir.exe -> msiexec.exe (4 IoCs)
- PID 3892 wrote to memory of 3240: msiexec.exe -> cmd.exe (3 IoCs)
- PID 3240 wrote to memory of 1812: cmd.exe -> liteB.exe (3 IoCs)
- PID 1812 wrote to memory of 3592: liteB.exe -> msiexec.exe (4 IoCs)

Executes dropped EXE (1 IoCs)
Processes:
- PID 1812 liteB.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- PID 3892 msiexec.exe: Token: SeShutdownPrivilege

Checks for any installed AV software in registry (1 TTPs, 4 IoCs)
Processes:
- msiexec.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\antivirservice
- msiexec.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus
- msiexec.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe
- msiexec.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy

Modifies registry class (23 IoCs)
Processes:
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
- msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
- msiexec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter

Modifies data under HKEY_USERS (15 IoCs)
Processes:
- LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- LogonUI.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
- LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"

Deletes itself (1 IoCs)
Processes:
- PID 3892 msiexec.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
Processes:
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- msiexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"
- msiexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\Run
- msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"
- msiexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"
- msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"
- msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"
- msiexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\liteB = "C:\\Users\\Admin\\AppData\\Roaming\\liteB\\liteB.exe"

Loads dropped DLL (4 IoCs)
Processes:
- PID 3100 chthonic_2.23.17.5.vir.exe
- PID 3892 msiexec.exe
- PID 1812 liteB.exe
- PID 3592 msiexec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 3892 msiexec.exe (2 IoCs)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 2596 LogonUI.exe

Disables taskbar notifications via registry modification

Modifies Internet Explorer settings
Processes:
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter
- msiexec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
- msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
- msiexec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
- msiexec.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.5.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.5.vir.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe
    - Checks whether UAC is enabled
    - Modifies service
    - System policy modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Checks for any installed AV software in registry
    - Modifies registry class
    - Deletes itself
    - Adds Run key to start application
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\liteB\liteB.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\liteB\liteB.exe
        Command line: C:\Users\Admin\AppData\Roaming\liteB\liteB.exe
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Loads dropped DLL
        - C:\Windows\SysWOW64\msiexec.exe
          Command line: C:\Windows\system32\msiexec.exe
          - Suspicious behavior: GetForegroundWindowSpam
          - Loads dropped DLL
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Roaming\liteB\liteB.exe
- C:\Users\Admin\AppData\Roaming\liteB\liteB.exe
- \Users\Admin\AppData\Local\Temp\24D.tmp
- \Users\Admin\AppData\Local\Temp\2A85.tmp
- \Users\Admin\AppData\Local\Temp\E3A9.tmp
- \Users\Admin\AppData\Local\Temp\F7C.tmp
- memory/1812-4-0x0000000000000000-mapping.dmp
- memory/3240-3-0x0000000000000000-mapping.dmp
- memory/3592-8-0x0000000000000000-mapping.dmp
- memory/3892-1-0x0000000000000000-mapping.dmp