Analysis
max time kernel: 149s
max time network: 137s
platform: windows7_x64
resource: win7v200430
submitted: 19-07-2020 19:24
Static task: static1

Behavioral task: behavioral1
  Sample: chthonic_2.3.4.0.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: chthonic_2.3.4.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: chthonic_2.3.4.0.vir.exe
Size: 128KB
MD5: c4af7ce037b81fb9dfe9bec845cc671e
SHA1: c4aa5e22525a4c05df2dded4ce8b4adf731b4df0
SHA256: 5b9a8fa88eb68e5b46666e38e99863c886e4e1c4d2cf6a04e0dd8416375c859c
SHA512: 9551df881051cee0980c2a5d1b69523bf60b38f04b77774d8e32bb9784bfcc28cf402aaa84f06878a63525964fe44d1efa2111bc8ec4241e10f6d53328e99eb2
Score: 10/10
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgrWindowsPowerShell = "C:\\ProgramData\\WindowsPowerShell\\mgrWindowsPowerShell.exe" | msiexec.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
Disables taskbar notifications via registry modification

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  1304 | chthonic_2.3.4.0.vir.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 1304 wrote to memory of 1384 | 1304 | chthonic_2.3.4.0.vir.exe | chthonic_2.3.4.0.vir.exe   (9 identical entries)
  PID 1384 wrote to memory of 1436 | 1384 | chthonic_2.3.4.0.vir.exe | msiexec.exe   (8 identical entries)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1304 set thread context of 1384 | 1304 | chthonic_2.3.4.0.vir.exe | chthonic_2.3.4.0.vir.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  pid | process
  1436 | msiexec.exe   (16 identical entries)

Deletes itself (1 IoC)
Processes:
  pid | process
  1436 | msiexec.exe
System policy modification (1 TTP, 5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe (pid 1304)
   command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe (pid 1384, child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe (pid 1436, child of 2)
         command line: msiexec.exe
         - Adds policy Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Deletes itself
         - System policy modification
         - Checks whether UAC is enabled
         - Modifies Internet Explorer settings