Analysis
max time kernel: 149s
max time network: 150s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:28
Static task: static1
Behavioral task: behavioral1
  Sample: chthonic_2.23.15.11.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: chthonic_2.23.15.11.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: chthonic_2.23.15.11.vir.exe
Size: 324KB
MD5: 2b2566bbf2212acb156eea90c6dfe7d1
SHA1: 7e20eaacec6eaf3ca5d6a2a526ff47b9cd0faf21
SHA256: 9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca
SHA512: a16f9341e3dbf8c7ef4d084dc471e16b84abf9b0698695cc250816d6229214409ccea8fc4cb46b87d976be649f4c46f81829bacce193022117a8bd26bd20083b
Score: 8/10
Malware Config
Signatures
Suspicious use of FindShellTrayWindow (62 IoCs)
Processes:
  pid   process
  2460  chthonic_2.23.15.11.vir.exe   (repeated entries)
  3500  cWindowsPortableDevices.exe   (repeated entries)
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                      pid   process                       target process
  PID 2460 wrote to memory of 3300  2460  chthonic_2.23.15.11.vir.exe   msiexec.exe                 (x4)
  PID 3300 wrote to memory of 3912  3300  msiexec.exe                   cmd.exe                     (x3)
  PID 3912 wrote to memory of 3500  3912  cmd.exe                       cWindowsPortableDevices.exe (x3)
  PID 3500 wrote to memory of 484   3500  cWindowsPortableDevices.exe   msiexec.exe                 (x4)
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  3500  cWindowsPortableDevices.exe
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msiexec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                       process
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\Run   msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\cWindowsPortableDevices = "C:\\Users\\Admin\\AppData\\Roaming\\cWindowsPortableDevices\\cWindowsPortableDevices.exe"   msiexec.exe
Suspicious use of SendNotifyMessage (62 IoCs)
Processes:
  pid   process
  2460  chthonic_2.23.15.11.vir.exe   (repeated entries)
  3500  cWindowsPortableDevices.exe   (repeated entries)
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
Processes:
  pid   process
  2460  chthonic_2.23.15.11.vir.exe
  3300  msiexec.exe
  3500  cWindowsPortableDevices.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  3300  msiexec.exe   (x4)
  484   msiexec.exe   (x2)
Blacklisted process makes network request (12 IoCs)
Processes:
  flow  pid   process
  11    3300  msiexec.exe
  12    3300  msiexec.exe
  13    3300  msiexec.exe
  14    3300  msiexec.exe
  15    3300  msiexec.exe
  16    3300  msiexec.exe
  18    3300  msiexec.exe
  19    3300  msiexec.exe
  20    3300  msiexec.exe
  21    3300  msiexec.exe
  22    3300  msiexec.exe
  23    3300  msiexec.exe
Processes (process tree; the number gives the depth)
1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe"
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SendNotifyMessage
   - Suspicious behavior: GetForegroundWindowSpam
   2. C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      - Suspicious use of WriteProcessMemory
      - Checks whether UAC is enabled
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe"
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe
            command line: C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            - Executes dropped EXE
            - Suspicious use of SendNotifyMessage
            - Suspicious behavior: GetForegroundWindowSpam
            5. C:\Windows\SysWOW64\msiexec.exe
               command line: msiexec.exe
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe
- C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe
- memory/484-5-0x0000000000000000-mapping.dmp
- memory/3300-0-0x0000000000000000-mapping.dmp
- memory/3500-2-0x0000000000000000-mapping.dmp
- memory/3912-1-0x0000000000000000-mapping.dmp