Overview

overview

10

Static

static

chthonic_2...ir.exe

windows7_x64

10

chthonic_2...ir.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19-07-2020 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    chthonic_2.3.4.0.vir.exe

  • Size

    128KB

  • MD5

    c4af7ce037b81fb9dfe9bec845cc671e

  • SHA1

    c4aa5e22525a4c05df2dded4ce8b4adf731b4df0

  • SHA256

    5b9a8fa88eb68e5b46666e38e99863c886e4e1c4d2cf6a04e0dd8416375c859c

  • SHA512

    9551df881051cee0980c2a5d1b69523bf60b38f04b77774d8e32bb9784bfcc28cf402aaa84f06878a63525964fe44d1efa2111bc8ec4241e10f6d53328e99eb2

Score
10/10
evasiontrojanpersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Deletes itself 1 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • System policy modification 1 TTPs 5 IoCs
    evasion
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware

Processes

  • C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe
    "C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe
      "C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Adds policy Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Deletes itself
        • System policy modification
        • Checks whether UAC is enabled
        • Modifies Internet Explorer settings
        PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

4
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1384-2-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1384-3-0x0000000000401B80-mapping.dmp
    Download
  • memory/1436-4-0x0000000000000000-mapping.dmp
    Download