Analysis
- max time kernel: 116s
- max time network: 141s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:24
Static task: static1
Behavioral task: behavioral1 (sample chthonic_2.0.5.0.vir.exe, resource win7v200430)
Behavioral task: behavioral2 (sample chthonic_2.0.5.0.vir.exe, resource win10v200430)
General
- Target: chthonic_2.0.5.0.vir.exe
- Size: 88KB
- MD5: 77b42fb633369de146785c83270bb289
- SHA1: db21636a6e3784701cd41ffa60398a5f110cec10
- SHA256: 52d821d8e86473f0a69a044741e9f64b68a4f1677a298f292a560aae740f286c
- SHA512: 99be184430c0d1d0d078cf27fbed9936fe533b1e980d320467af6d9d8073ce1ce89c50be8e4f8ee571e910d25596b87cccb839cbcc774e350d6b2a5715da39cf
Malware Config
Signatures
Suspicious behavior: MapViewOfSection (60 IoCs)
Processes: chthonic_2.0.5.0.vir.exe, msiexec.exe
- pid 2456 chthonic_2.0.5.0.vir.exe (2 entries)
- pid 2124 msiexec.exe (repeated for the remaining entries)
System policy modification (1 TTPs, 5 IoCs)
Processes: msiexec.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
Checks whether UAC is enabled
Processes: msiexec.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: chthonic_2.0.5.0.vir.exe, msiexec.exe
- pid 2456 chthonic_2.0.5.0.vir.exe (2 entries)
- pid 2124 msiexec.exe (4 entries)
Suspicious behavior: RenamesItself (1 IoCs)
Processes: msiexec.exe
- pid 2124 msiexec.exe
Blacklisted process makes network request (8 IoCs)
Processes: msiexec.exe
- flows 5, 6, 8, 9, 11, 12, 14, 15: pid 2124 msiexec.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: chthonic_2.0.5.0.vir.exe, msiexec.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE (chthonic_2.0.5.0.vir.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE (msiexec.exe)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1029177954 = "C:\\PROGRA~3\\msmxntal.exe" (msiexec.exe)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: chthonic_2.0.5.0.vir.exe, msiexec.exe
- Token: SeDebugPrivilege, pid 2456 chthonic_2.0.5.0.vir.exe
- Token: SeBackupPrivilege, pid 2456 chthonic_2.0.5.0.vir.exe
- Token: SeRestorePrivilege, pid 2456 chthonic_2.0.5.0.vir.exe
- Token: SeDebugPrivilege, pid 2124 msiexec.exe
- Token: SeBackupPrivilege, pid 2124 msiexec.exe
- Token: SeRestorePrivilege, pid 2124 msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: chthonic_2.0.5.0.vir.exe
- PID 2456 (chthonic_2.0.5.0.vir.exe) wrote to memory of 2124 (msiexec.exe), three times
Modifies visibility of hidden/system files in Explorer (2 TTPs)
Drops file in Program Files directory (1 IoCs)
Processes: msiexec.exe
- File opened for modification: C:\PROGRA~3\msmxntal.exe (msiexec.exe)
Disables taskbar notifications via registry modification
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.5.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.5.0.vir.exe"
  Signatures:
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: EnumeratesProcesses
  - Identifies Wine through registry keys
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- 2 (child of process 1): C:\Windows\SysWOW64\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe
  Signatures:
  - Suspicious behavior: MapViewOfSection
  - System policy modification
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Blacklisted process makes network request
  - Identifies Wine through registry keys
  - Adds policy Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in Program Files directory