Analysis
- max time kernel: 134s
- max time network: 47s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 17:25
- Static task: static1
- Behavioral task: behavioral1 (Sample: chthonic_2.0.6.0.vir.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: chthonic_2.0.6.0.vir.exe, Resource: win10v200430)
General
- Target: chthonic_2.0.6.0.vir.exe
- Size: 104KB
- MD5: e2f95e7cb5c8118b3db4515028addb1c
- SHA1: a1285e8adee08135b3bdd778581e60a9d83af523
- SHA256: 7f12c0d7410edaa780e6b954b5177e9dfec5ad890d58cb64b97d6dca9722fa2d
- SHA512: 0914ec7846c25e0e4bf858ed6f3bf71963f204af6e62dcdf42f1cb2808ad5b7667bf320f3b8a5e6ba38bc530b73b2c8b544adc267e882de920d034ba3a0d59a1
Malware Config
Signatures
- Drops file in Program Files directory (1 IoC)
  Processes (description / ioc / process):
  - File opened for modification: C:\PROGRA~3\Sun\SunAgent.exe (msiexec.exe)
- System policy modification (1 TTP, 5 IoCs)
  Processes (description / ioc / process):
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0" (msiexec.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs)
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (msiexec.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1193008742 = "C:\\PROGRA~3\\Sun\\SunAgent.exe" (msiexec.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  - 896 chthonic_2.0.6.0.vir.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 896 set thread context of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
- Disables taskbar notifications via registry modification
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 1916 chthonic_2.0.6.0.vir.exe
  - 1916 chthonic_2.0.6.0.vir.exe
  - 2080 msiexec.exe
  - 2080 msiexec.exe
  - 2080 msiexec.exe
  - 2080 msiexec.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
  - 2080 msiexec.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
  - PID 896 wrote to memory of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
  - PID 896 wrote to memory of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
  - PID 896 wrote to memory of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
  - PID 896 wrote to memory of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
  - PID 896 wrote to memory of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
  - PID 896 wrote to memory of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
  - PID 896 wrote to memory of 1916: 896 chthonic_2.0.6.0.vir.exe -> chthonic_2.0.6.0.vir.exe
  - PID 1916 wrote to memory of 2080: 1916 chthonic_2.0.6.0.vir.exe -> msiexec.exe
  - PID 1916 wrote to memory of 2080: 1916 chthonic_2.0.6.0.vir.exe -> msiexec.exe
  - PID 1916 wrote to memory of 2080: 1916 chthonic_2.0.6.0.vir.exe -> msiexec.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege (1916 chthonic_2.0.6.0.vir.exe)
  - Token: SeBackupPrivilege (1916 chthonic_2.0.6.0.vir.exe)
  - Token: SeRestorePrivilege (1916 chthonic_2.0.6.0.vir.exe)
  - Token: SeDebugPrivilege (2080 msiexec.exe)
  - Token: SeBackupPrivilege (2080 msiexec.exe)
  - Token: SeRestorePrivilege (2080 msiexec.exe)
- Suspicious behavior: MapViewOfSection (60 IoCs)
  Processes (pid / process):
  - 1916 chthonic_2.0.6.0.vir.exe (2 entries)
  - 2080 msiexec.exe (remaining 58 entries)
- Blacklisted process makes network request (8 IoCs)
  Processes (flow / pid / process):
  - flow 6: 2080 msiexec.exe
  - flow 7: 2080 msiexec.exe
  - flow 9: 2080 msiexec.exe
  - flow 10: 2080 msiexec.exe
  - flow 12: 2080 msiexec.exe
  - flow 13: 2080 msiexec.exe
  - flow 15: 2080 msiexec.exe
  - flow 16: 2080 msiexec.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE (chthonic_2.0.6.0.vir.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE (msiexec.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.6.0.vir.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Identifies Wine through registry keys
    - [3] C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe
      - Drops file in Program Files directory
      - System policy modification
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Blacklisted process makes network request
      - Identifies Wine through registry keys
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1916-2-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/1916-3-0x000000000040166C-mapping.dmp
- memory/2080-4-0x0000000000000000-mapping.dmp
- memory/2080-5-0x00000000002A0000-0x00000000002B2000-memory.dmp (Filesize: 72KB)
- memory/2080-6-0x00000000002A0000-0x00000000002B2000-memory.dmp (Filesize: 72KB)