Analysis
- max time kernel: 129s
- max time network: 127s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:25
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.23.12.5.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.23.12.5.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: chthonic_2.23.12.5.vir.exe
- Size: 176KB
- MD5: acc02f42f2a109e71906d07f4d6f59c8
- SHA1: 555d9c19b2a56ff085582b6a08131de0bd0a010b
- SHA256: 45167945141c95c5a012feeb0fcfc6667fc43e781cd9e43ab0be4bcc1b9ed6b2
- SHA512: 597e521f80ed1f402db1181b8ec34cef2664183de594992463d57ea97e4f7df998947c9d498c6e528a5bc7e6c28a693f579137f6896201fad082b3d16330f52f
- Score: 10/10
Malware Config
Signatures
-
- System policy modification (1 TTPs, 5 IoCs)
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
- Checks whether UAC is enabled
Processes: msiexec.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes: chthonic_2.23.12.5.vir.exe
description | pid | process | target process
PID 2532 wrote to memory of 1988 | 2532 | chthonic_2.23.12.5.vir.exe | msiexec.exe
PID 2532 wrote to memory of 1988 | 2532 | chthonic_2.23.12.5.vir.exe | msiexec.exe
PID 2532 wrote to memory of 1988 | 2532 | chthonic_2.23.12.5.vir.exe | msiexec.exe
PID 2532 wrote to memory of 1988 | 2532 | chthonic_2.23.12.5.vir.exe | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe
pid | process
1988 | msiexec.exe
1988 | msiexec.exe
1988 | msiexec.exe
1988 | msiexec.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: msiexec.exe
pid | process
1988 | msiexec.exe
- Blacklisted process makes network request (20 IoCs)
Processes: msiexec.exe
flow | pid | process
3 | 1988 | msiexec.exe
4 | 1988 | msiexec.exe
5 | 1988 | msiexec.exe
6 | 1988 | msiexec.exe
7 | 1988 | msiexec.exe
8 | 1988 | msiexec.exe
9 | 1988 | msiexec.exe
20 | 1988 | msiexec.exe
21 | 1988 | msiexec.exe
22 | 1988 | msiexec.exe
23 | 1988 | msiexec.exe
24 | 1988 | msiexec.exe
25 | 1988 | msiexec.exe
26 | 1988 | msiexec.exe
27 | 1988 | msiexec.exe
28 | 1988 | msiexec.exe
29 | 1988 | msiexec.exe
30 | 1988 | msiexec.exe
31 | 1988 | msiexec.exe
32 | 1988 | msiexec.exe
- Modifies Internet Explorer settings
Processes: msiexec.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UWindowsNT = "C:\\ProgramData\\Windows NT\\UWindowsNT.exe" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
- Disables taskbar notifications via registry modification
Processes
1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.5.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.5.vir.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - System policy modification
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Blacklisted process makes network request
      - Modifies Internet Explorer settings
      - Adds policy Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1988-0-0x0000000000000000-mapping.dmp