9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca

General

Target

chthonic_2.23.15.11.vir.exe
Size

324KB
MD5

2b2566bbf2212acb156eea90c6dfe7d1
SHA1

7e20eaacec6eaf3ca5d6a2a526ff47b9cd0faf21
SHA256

9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca
SHA512

a16f9341e3dbf8c7ef4d084dc471e16b84abf9b0698695cc250816d6229214409ccea8fc4cb46b87d976be649f4c46f81829bacce193022117a8bd26bd20083b

Score

8^/10

evasion trojan persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

1368 msiexec.exe
1368 msiexec.exe
796 msiexec.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1808 cmd.exe
1808 cmd.exe

pid	process
1368	msiexec.exe
1368	msiexec.exe
796	msiexec.exe

pid	process
1808	cmd.exe
1808	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\cMSBuild = "C:\\Users\\Admin\\AppData\\Roaming\\cMSBuild\\cMSBuild.exe"	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

chthonic_2.23.15.11.vir.exemsiexec.execMSBuild.exe

pid process

1360 chthonic_2.23.15.11.vir.exe
1368 msiexec.exe
1740 cMSBuild.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

chthonic_2.23.15.11.vir.execMSBuild.exe

pid	process
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

chthonic_2.23.15.11.vir.exemsiexec.execmd.execMSBuild.exe

description	pid	process	target process
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1360 wrote to memory of 1368	1360	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 1368 wrote to memory of 1808	1368	msiexec.exe	cmd.exe
PID 1368 wrote to memory of 1808	1368	msiexec.exe	cmd.exe
PID 1368 wrote to memory of 1808	1368	msiexec.exe	cmd.exe
PID 1368 wrote to memory of 1808	1368	msiexec.exe	cmd.exe
PID 1808 wrote to memory of 1740	1808	cmd.exe	cMSBuild.exe
PID 1808 wrote to memory of 1740	1808	cmd.exe	cMSBuild.exe
PID 1808 wrote to memory of 1740	1808	cmd.exe	cMSBuild.exe
PID 1808 wrote to memory of 1740	1808	cmd.exe	cMSBuild.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe
PID 1740 wrote to memory of 796	1740	cMSBuild.exe	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

cMSBuild.exe

pid process

1740 cMSBuild.exe
Blacklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow pid process

3 1368 msiexec.exe
4 1368 msiexec.exe
5 1368 msiexec.exe
6 1368 msiexec.exe
7 1368 msiexec.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

msiexec.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msiexec.exe

pid	process
1740	cMSBuild.exe

flow	pid	process
3	1368	msiexec.exe
4	1368	msiexec.exe
5	1368	msiexec.exe
6	1368	msiexec.exe
7	1368	msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

chthonic_2.23.15.11.vir.execMSBuild.exe

pid	process
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1360	chthonic_2.23.15.11.vir.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe
1740	cMSBuild.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:1360

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
- Checks whether UAC is enabled
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1740

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe

Download Submit
C:\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe

Download Submit
\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe

Download Submit
\Users\Admin\AppData\Roaming\cMSBuild\cMSBuild.exe

Download Submit
memory/796-7-0x0000000000000000-mapping.dmp

Download
memory/1368-0-0x0000000000000000-mapping.dmp

Download
memory/1740-5-0x0000000000000000-mapping.dmp

Download
memory/1808-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads