Analysis
- max time kernel: 148s
- max time network: 161s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:28

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.15.11.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.15.11.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.15.11.vir.exe
- Size: 324KB
- MD5: 2b2566bbf2212acb156eea90c6dfe7d1
- SHA1: 7e20eaacec6eaf3ca5d6a2a526ff47b9cd0faf21
- SHA256: 9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca
- SHA512: a16f9341e3dbf8c7ef4d084dc471e16b84abf9b0698695cc250816d6229214409ccea8fc4cb46b87d976be649f4c46f81829bacce193022117a8bd26bd20083b
- Score: 8/10

Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1368  msiexec.exe
  1368  msiexec.exe
  796   msiexec.exe

- Loads dropped DLL (2 IoCs)
  pid   process
  1808  cmd.exe
  1808  cmd.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  process: msiexec.exe
  Key created:     \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\cMSBuild = "C:\\Users\\Admin\\AppData\\Roaming\\cMSBuild\\cMSBuild.exe"

- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  pid   process
  1360  chthonic_2.23.15.11.vir.exe
  1368  msiexec.exe
  1740  cMSBuild.exe

- Suspicious use of SendNotifyMessage (62 IoCs)
  pid   process
  1360  chthonic_2.23.15.11.vir.exe  (repeated entries)
  1740  cMSBuild.exe                 (repeated entries)

- Suspicious use of WriteProcessMemory (24 IoCs)
  pid   process                      target pid  target process  entries
  1360  chthonic_2.23.15.11.vir.exe  1368        msiexec.exe     8
  1368  msiexec.exe                  1808        cmd.exe         4
  1808  cmd.exe                      1740        cMSBuild.exe    4
  1740  cMSBuild.exe                 796         msiexec.exe     8

- Executes dropped EXE (1 IoC)
  pid   process
  1740  cMSBuild.exe

- Blacklisted process makes network request (5 IoCs)
  flow  pid   process
  3     1368  msiexec.exe
  4     1368  msiexec.exe
  5     1368  msiexec.exe
  6     1368  msiexec.exe
  7     1368  msiexec.exe

- Checks whether UAC is enabled (1 IoC)
  process: msiexec.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious use of FindShellTrayWindow (62 IoCs)
  pid   process
  1360  chthonic_2.23.15.11.vir.exe  (repeated entries)
  1740  cMSBuild.exe                 (repeated entries)
Processes (indented by level in the tree)

Level 1: C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow

  Level 2: C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - Blacklisted process makes network request
    - Checks whether UAC is enabled

    Level 3: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
        command line: C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow

        Level 5: C:\Windows\SysWOW64\msiexec.exe
          command line: msiexec.exe
          - Suspicious behavior: EnumeratesProcesses
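The tree above has three signals worth turning into detection logic: a bare msiexec.exe (no /i, /x or other installer switch) started by a parent that lives in a user-writable path and then makes the network requests; an executable dropped to and run from AppData\Roaming; and a Run key value that points at that dropped executable. The following is an added example, not the sandbox's own signature code: Python detection rules run over constructed Sysmon-style events modelled on this report, plus a parser that collapses the repeated WriteProcessMemory entries into a unique injection chain with write counts. The event field names, the rule names and the benign control event (pid 2000) are assumptions. One caveat when reading that chain: a parent routinely writes into a child it has just created, so the cmd.exe to cMSBuild.exe edge alone proves nothing; the stronger evidence is the user-path parent writing into an argument-less msiexec.exe that subsequently talks to the network.

```python
# Added example: detection logic for the behaviour chain in this report.
# Not the sandbox's own signature code. EVENTS are CONSTRUCTED Sysmon-style
# records modelled on the process tree and Run-key IoC above; field names,
# rule names and the benign control (pid 2000) are assumptions.
import re

EVENTS = [
    {"type": "process", "pid": 1360, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe"'},
    {"type": "process", "pid": 1368, "ppid": 1360,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": "msiexec.exe"},
    {"type": "registry", "pid": 1368, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\cMSBuild",
     "value": r"C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe"},
    {"type": "process", "pid": 1808, "ppid": 1368,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe"'},
    {"type": "process", "pid": 1740, "ppid": 1808,
     "image": r"C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe"},
    {"type": "process", "pid": 796, "ppid": 1740,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": "msiexec.exe"},
    # Benign control (constructed): a real installer run must not fire rule 1.
    {"type": "process", "pid": 2000, "ppid": 1500,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Admin\Downloads\tool.msi"'},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
MSIEXEC_SWITCH = re.compile(r"\s/[a-z]", re.I)   # /i, /x, /q ...: a normal install has one


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) hits in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Rule 1: msiexec.exe with no installer switch, spawned by a parent
            # running from a user-writable path (a host for injected code; in
            # this report that msiexec.exe is the one making network requests).
            if (image_name(e["image"]) == "msiexec.exe"
                    and not MSIEXEC_SWITCH.search(e["cmdline"])
                    and parent is not None
                    and USER_WRITABLE.search(parent["image"])):
                hits.append(("msiexec_bare_from_user_path", e["pid"]))
            # Rule 2: an executable image under AppData\Roaming (the dropped EXE).
            if USER_WRITABLE.search(e["image"]) and "\\roaming\\" in e["image"].lower():
                hits.append(("exe_from_appdata_roaming", e["pid"]))
        elif e["type"] == "registry":
            # Rule 3: Run/RunOnce value whose payload lives under AppData.
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"]):
                hits.append(("run_key_to_appdata", e["pid"]))
    return hits


# Constructed excerpt of the report's WriteProcessMemory entries, one per line.
WPM_LOG = """\
PID 1360 wrote to memory of 1368 1360 chthonic_2.23.15.11.vir.exe msiexec.exe
PID 1360 wrote to memory of 1368 1360 chthonic_2.23.15.11.vir.exe msiexec.exe
PID 1368 wrote to memory of 1808 1368 msiexec.exe cmd.exe
PID 1808 wrote to memory of 1740 1808 cmd.exe cMSBuild.exe
PID 1740 wrote to memory of 796 1740 cMSBuild.exe msiexec.exe
PID 1740 wrote to memory of 796 1740 cMSBuild.exe msiexec.exe
"""
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def injection_chain(log):
    """Collapse repeated 'wrote to memory' entries into unique
    (src_pid, dst_pid, src_name, dst_name, writes) edges, first-seen order."""
    edges = {}
    for src, dst, src_name, dst_name in WPM_RE.findall(log):
        key = (int(src), int(dst), src_name, dst_name)
        edges[key] = edges.get(key, 0) + 1
    return [(*k, n) for k, n in edges.items()]


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print("ALERT", *hit)
    for src, dst, sname, dname, n in injection_chain(WPM_LOG):
        print(f"{src} {sname} -> {dst} {dname} ({n} writes)")
```

Rule 1 deliberately keys on the parent's location rather than on msiexec.exe itself, since msiexec.exe is a signed system binary that runs on every installer; the benign control with /i is there to show the rule stays quiet for an ordinary install.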
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
- C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
- \Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
- \Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
- memory/796-7-0x0000000000000000-mapping.dmp
- memory/1368-0-0x0000000000000000-mapping.dmp
- memory/1740-5-0x0000000000000000-mapping.dmp
- memory/1808-1-0x0000000000000000-mapping.dmp