Analysis
Max time kernel: 144s
Max time network: 120s
Platform: windows7_x64
Resource: win7
Submitted: 19-07-2020 19:32

Static task: static1
Behavioral task: behavioral1
  Sample: chthonic_2.4.22.0.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: chthonic_2.4.22.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: chthonic_2.4.22.0.vir.exe
Size: 188KB
MD5: 3e20db8b47324b00afb542603e7ea98f
SHA1: 3df96a679207e82599fac13d707d98829ebd69a3
SHA256: 46731281d5af0a524cbc8e459d1a5cd56b64caa9aec824902e53dfb9ccc021df
SHA512: 8a958c54ae222877ee123271bca85378545510543c729e290d07f70657865ba4f8c78e60d3a2a4f2f45c39e43e9ed6e8f8de71eff4400daef8979eb4721b42f2
Score: 10/10
Malware Config
Signatures

System policy modification (1 TTPs, 5 IoCs)
Processes: msiexec.exe
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (msiexec.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: chthonic_2.4.22.0.vir.exe
  PID 1456 chthonic_2.4.22.0.vir.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: chthonic_2.4.22.0.vir.exe, chthonic_2.4.22.0.vir.exe
  PID 1456 wrote to memory of 1536 (chthonic_2.4.22.0.vir.exe -> chthonic_2.4.22.0.vir.exe), 9 events
  PID 1536 wrote to memory of 788 (chthonic_2.4.22.0.vir.exe -> msiexec.exe), 8 events

Suspicious use of SetThreadContext (2 IoCs)
Processes: chthonic_2.4.22.0.vir.exe
  PID 1456 set thread context of 1536 (chthonic_2.4.22.0.vir.exe -> chthonic_2.4.22.0.vir.exe), 2 events

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: msiexec.exe
  PID 788 msiexec.exe, 16 events

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agentWindowsPortableDevices = "C:\\ProgramData\\Windows Portable Devices\\agentWindowsPortableDevices.exe" (msiexec.exe)

Disables taskbar notifications via registry modification

Deletes itself (1 IoCs)
Processes: msiexec.exe
  PID 788 msiexec.exe

Modifies Internet Explorer settings
Processes: msiexec.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (msiexec.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (msiexec.exe)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (msiexec.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter (msiexec.exe)

Checks whether UAC is enabled
Processes: msiexec.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.22.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.22.0.vir.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.22.0.vir.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.22.0.vir.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\msiexec.exe
          Command line: msiexec.exe
          - System policy modification
          - Suspicious behavior: EnumeratesProcesses
          - Adds policy Run key to start application
          - Deletes itself
          - Modifies Internet Explorer settings
          - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/788-8-0x0000000000000000-mapping.dmp
memory/1536-2-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
memory/1536-3-0x0000000000401D47-mapping.dmp
memory/1536-4-0x0000000000401D47-mapping.dmp
memory/1536-5-0x0000000000401D47-mapping.dmp
memory/1536-9-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)