9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca

General

Target

chthonic_2.23.15.11.vir.exe
Size

324KB
MD5

2b2566bbf2212acb156eea90c6dfe7d1
SHA1

7e20eaacec6eaf3ca5d6a2a526ff47b9cd0faf21
SHA256

9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca
SHA512

a16f9341e3dbf8c7ef4d084dc471e16b84abf9b0698695cc250816d6229214409ccea8fc4cb46b87d976be649f4c46f81829bacce193022117a8bd26bd20083b

Score

8^/10

persistence evasion trojan

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

chthonic_2.23.15.11.vir.execWindowsPortableDevices.exe

pid	process
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

chthonic_2.23.15.11.vir.exemsiexec.execmd.execWindowsPortableDevices.exe

description	pid	process	target process
PID 2460 wrote to memory of 3300	2460	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 2460 wrote to memory of 3300	2460	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 2460 wrote to memory of 3300	2460	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 2460 wrote to memory of 3300	2460	chthonic_2.23.15.11.vir.exe	msiexec.exe
PID 3300 wrote to memory of 3912	3300	msiexec.exe	cmd.exe
PID 3300 wrote to memory of 3912	3300	msiexec.exe	cmd.exe
PID 3300 wrote to memory of 3912	3300	msiexec.exe	cmd.exe
PID 3912 wrote to memory of 3500	3912	cmd.exe	cWindowsPortableDevices.exe
PID 3912 wrote to memory of 3500	3912	cmd.exe	cWindowsPortableDevices.exe
PID 3912 wrote to memory of 3500	3912	cmd.exe	cWindowsPortableDevices.exe
PID 3500 wrote to memory of 484	3500	cWindowsPortableDevices.exe	msiexec.exe
PID 3500 wrote to memory of 484	3500	cWindowsPortableDevices.exe	msiexec.exe
PID 3500 wrote to memory of 484	3500	cWindowsPortableDevices.exe	msiexec.exe
PID 3500 wrote to memory of 484	3500	cWindowsPortableDevices.exe	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

cWindowsPortableDevices.exe

pid process

3500 cWindowsPortableDevices.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

msiexec.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msiexec.exe

pid	process
3500	cWindowsPortableDevices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\cWindowsPortableDevices = "C:\\Users\\Admin\\AppData\\Roaming\\cWindowsPortableDevices\\cWindowsPortableDevices.exe"	msiexec.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

chthonic_2.23.15.11.vir.execWindowsPortableDevices.exe

pid	process
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
2460	chthonic_2.23.15.11.vir.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe
3500	cWindowsPortableDevices.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

chthonic_2.23.15.11.vir.exemsiexec.execWindowsPortableDevices.exe

pid process

2460 chthonic_2.23.15.11.vir.exe
3300 msiexec.exe
3500 cWindowsPortableDevices.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

3300 msiexec.exe
3300 msiexec.exe
3300 msiexec.exe
3300 msiexec.exe
484 msiexec.exe
484 msiexec.exe

pid	process
3300	msiexec.exe
3300	msiexec.exe
3300	msiexec.exe
3300	msiexec.exe
484	msiexec.exe
484	msiexec.exe

Blacklisted process makes network request 12 IoCs

Processes:

msiexec.exe

flow	pid	process
11	3300	msiexec.exe
12	3300	msiexec.exe
13	3300	msiexec.exe
14	3300	msiexec.exe
15	3300	msiexec.exe
16	3300	msiexec.exe
18	3300	msiexec.exe
19	3300	msiexec.exe
20	3300	msiexec.exe
21	3300	msiexec.exe
22	3300	msiexec.exe
23	3300	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.11.vir.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Suspicious behavior: GetForegroundWindowSpam
PID:2460

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Suspicious use of WriteProcessMemory
- Checks whether UAC is enabled
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:3300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe
C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe
4⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious behavior: GetForegroundWindowSpam
PID:3500

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe

Download Submit
C:\Users\Admin\AppData\Roaming\cWindowsPortableDevices\cWindowsPortableDevices.exe

Download Submit
memory/484-5-0x0000000000000000-mapping.dmp

Download
memory/3300-0-0x0000000000000000-mapping.dmp

Download
memory/3500-2-0x0000000000000000-mapping.dmp

Download
memory/3912-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads