Analysis
- max time kernel: 135s
- max time network: 135s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:50
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.23.11.11.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.23.11.11.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.11.11.vir.exe
- Size: 176KB
- MD5: bfc9f69fd742ae8c9a0b98496db341d7
- SHA1: aa2c6cf2c1bb1a1f34dae8ff7bb27c7127f76fbf
- SHA256: acb75f310d2f3e27e6abefec316c9f9c432bab3cf8ed7a8fecc59333e2df5657
- SHA512: 6b60bcd86f23b5ed26e89517c6627b54bfb7afcefb3a154150cb9e16f6cc8070295baa3c814f3c2708b2ad7e4bdfeb95422f63e44c237f421e67593709656aa5
- Score: 10/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 1516 wrote to memory of 4056 | 1516 | chthonic_2.23.11.11.vir.exe | msiexec.exe
    (the same row appears 4 times in the report)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid | process
    4056 | msiexec.exe
    (the same row appears 16 times in the report)
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\InternetExplorerT = "C:\\ProgramData\\Internet Explorer\\InternetExplorerT.exe" | msiexec.exe
- Disables taskbar notifications via registry modification
- Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
    Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
    Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
- System policy modification (1 TTPs, 5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
    Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.11.11.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.11.11.vir.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (child process)
    command line: msiexec.exe
    - Suspicious behavior: EnumeratesProcesses
    - Checks whether UAC is enabled
    - Adds policy Run key to start application
    - Modifies Internet Explorer settings
    - System policy modification
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4056-0-0x0000000000000000-mapping.dmp