Analysis
- max time kernel: 63s
- max time network: 63s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 17:25
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.0.6.0.vir.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: chthonic_2.0.6.0.vir.exe
- Resource: win10v200430
General
- Target: chthonic_2.0.6.0.vir.exe
- Size: 104KB
- MD5: e2f95e7cb5c8118b3db4515028addb1c
- SHA1: a1285e8adee08135b3bdd778581e60a9d83af523
- SHA256: 7f12c0d7410edaa780e6b954b5177e9dfec5ad890d58cb64b97d6dca9722fa2d
- SHA512: 0914ec7846c25e0e4bf858ed6f3bf71963f204af6e62dcdf42f1cb2808ad5b7667bf320f3b8a5e6ba38bc530b73b2c8b544adc267e882de920d034ba3a0d59a1
Malware Config
Signatures

Suspicious behavior: RenamesItself (1 IoC)
Processes (pid, process):
- 1300 msiexec.exe
Blacklisted process makes network request (12 IoCs)
Processes (flow, pid, process):
- flow 1: 1300 msiexec.exe
- flow 2: 1300 msiexec.exe
- flow 3: 1300 msiexec.exe
- flow 5: 1300 msiexec.exe
- flow 6: 1300 msiexec.exe
- flow 7: 1300 msiexec.exe
- flow 9: 1300 msiexec.exe
- flow 10: 1300 msiexec.exe
- flow 11: 1300 msiexec.exe
- flow 13: 1300 msiexec.exe
- flow 14: 1300 msiexec.exe
- flow 15: 1300 msiexec.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE (chthonic_2.0.6.0.vir.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE (msiexec.exe)
Disables taskbar notifications via registry modification
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1072 chthonic_2.0.6.0.vir.exe
- Token: SeBackupPrivilege, 1072 chthonic_2.0.6.0.vir.exe
- Token: SeRestorePrivilege, 1072 chthonic_2.0.6.0.vir.exe
- Token: SeDebugPrivilege, 1300 msiexec.exe
- Token: SeBackupPrivilege, 1300 msiexec.exe
- Token: SeRestorePrivilege, 1300 msiexec.exe
Suspicious behavior: MapViewOfSection (21 IoCs)
Processes (pid, process):
- 1072 chthonic_2.0.6.0.vir.exe (2 entries)
- 1300 msiexec.exe (19 entries)
Modifies visibility of hidden/system files in Explorer (2 TTPs)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\3617766103 = "C:\\PROGRA~3\\Adobe\\AdobeXpers.exe" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (msiexec.exe)
Drops file in Program Files directory (1 IoC)
Processes (description, ioc, process):
- File opened for modification C:\PROGRA~3\Adobe\AdobeXpers.exe (msiexec.exe)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description, pid, process, target process):
- PID 1124 wrote to memory of 1072: chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe (8 entries)
- PID 1072 wrote to memory of 1300: chthonic_2.0.6.0.vir.exe -> msiexec.exe (7 entries)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid, process):
- 1072 chthonic_2.0.6.0.vir.exe
- 1300 msiexec.exe
- 1300 msiexec.exe
System policy modification (1 TTP, 5 IoCs)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0" (msiexec.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 1124 set thread context of 1072: chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
Checks whether UAC is enabled (2 IoCs)
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 1124 chthonic_2.0.6.0.vir.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

  - C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe"
    - Identifies Wine through registry keys
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses

    - C:\Windows\SysWOW64\msiexec.exe (depth 3, child of the above)
      Command line: C:\Windows\system32\msiexec.exe
      - Suspicious behavior: RenamesItself
      - Blacklisted process makes network request
      - Identifies Wine through registry keys
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Adds policy Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
      - Checks whether UAC is enabled