Analysis
max time kernel: 148s
max time network: 151s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:24
Static task
static1
Behavioral task
behavioral1
Sample: chthonic_2.3.4.0.vir.exe
Resource: win7v200430 (windows7_x64)
Behavioral task
behavioral2
Sample: chthonic_2.3.4.0.vir.exe
Resource: win10 (windows10_x64)
General
Target: chthonic_2.3.4.0.vir.exe
Size: 128KB
MD5: c4af7ce037b81fb9dfe9bec845cc671e
SHA1: c4aa5e22525a4c05df2dded4ce8b4adf731b4df0
SHA256: 5b9a8fa88eb68e5b46666e38e99863c886e4e1c4d2cf6a04e0dd8416375c859c
SHA512: 9551df881051cee0980c2a5d1b69523bf60b38f04b77774d8e32bb9784bfcc28cf402aaa84f06878a63525964fe44d1efa2111bc8ec4241e10f6d53328e99eb2
Score: 10/10
Malware Config
Signatures
Modifies Internet Explorer settings 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
System policy modification 1 TTPs 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3808 | chthonic_2.3.4.0.vir.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3808 wrote to memory of 744 | 3808 | chthonic_2.3.4.0.vir.exe | chthonic_2.3.4.0.vir.exe (8 identical events)
PID 744 wrote to memory of 3648 | 744 | chthonic_2.3.4.0.vir.exe | msiexec.exe (4 identical events)
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3808 set thread context of 744 | 3808 | chthonic_2.3.4.0.vir.exe | chthonic_2.3.4.0.vir.exe
Deletes itself 1 IoCs
Processes:
pid | process
3648 | msiexec.exe
Checks whether UAC is enabled 2 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
pid | process
3648 | msiexec.exe (32 identical events)
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MSBuildStart = "C:\\ProgramData\\MSBuild\\MSBuildStart.exe" | msiexec.exe
Disables taskbar notifications via registry modification
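The registry IoCs above are what a host check or a detection rule should key on: UAC switched off (EnableLUA = 0), the IE PhishingFilter disabled for the machine and for the user, tray notifications hidden, and an autorun placed under Policies\Explorer\Run. The Python below is an added example, not code from the sandbox, the report or the sample. It normalises the kernel-style \REGISTRY\MACHINE paths used in this report and the HKLM-style paths Sysmon logs to one form, parses both value encodings, and flags the writes the report shows. The event dictionaries are constructed from the IoC rows (plus two benign decoys); their field names (event, image, target, details) are assumptions and should be mapped to your own log source.

```python
"""Flag the security-degrading registry writes this report records.

Added example, not part of the sandbox report or of the sample. It evaluates
Sysmon-style "registry value set" events, constructed inline below from the
report's IoC rows plus two benign decoys, against rules for the keys touched
here: UAC (EnableLUA), the IE PhishingFilter, tray notifications and the
Policies\\Explorer\\Run persistence key. Event field names are assumptions.
"""
import re
from typing import Any

# Sandbox and kernel-mode traces use \REGISTRY\MACHINE; Sysmon and reg.exe use HKLM / HKEY_*.
HIVE_PREFIXES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
    ("HKEY_USERS\\", "HKU\\"),
)
# Collapse any per-user SID under HKU so one rule covers every profile.
_SID = re.compile(r"^hku\\s-1-5-21-[0-9-]+\\")


def normalize(path: str) -> str:
    """Return a lower-case hive short form, e.g. hklm\\software\\... or hku\\<sid>\\software\\..."""
    p = path.replace("/", "\\")
    for prefix, hive in HIVE_PREFIXES:
        if p.upper().startswith(prefix.upper()):
            p = hive + p[len(prefix):]
            break
    return _SID.sub(lambda _: "hku\\<sid>\\", p.lower())


def parse_details(details: str) -> Any:
    """Sysmon renders DWORDs as 'DWORD (0x00000000)'; sandbox reports write '0'. Return an int when possible."""
    s = details.strip()
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", s)
    if m:
        return int(m.group(1), 16)
    s = s.strip('"')
    return int(s) if s.isdigit() else s


# (normalized-path regex, predicate on the parsed value, finding)
RULES = (
    (r"^hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua$",
     lambda v: v == 0, "UAC disabled (EnableLUA = 0)"),
    (r"^(hklm|hku\\<sid>)\\software\\microsoft\\internet explorer\\phishingfilter\\enabledv\d+$",
     lambda v: v == 0, "IE SmartScreen / PhishingFilter disabled"),
    (r"^hklm\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\taskbarnonotification$",
     lambda v: v == 1, "taskbar balloon notifications suppressed"),
    (r"^hklm\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\hidescahealth$",
     lambda v: v == 1, "Security Center tray icon hidden"),
    (r"^hklm\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\[^\\]+$",
     lambda v: True, "autorun added under Policies\\Explorer\\Run"),
)
COMPILED = [(re.compile(rx), pred, finding) for rx, pred, finding in RULES]


def detect(events):
    """Return (finding, normalized path, writing image) for every value-set event a rule matches."""
    hits = []
    for ev in events:
        if ev["event"] != "SetValue":
            continue  # key creation / query events carry no value to judge
        path = normalize(ev["target"])
        value = parse_details(ev["details"])
        for rx, pred, finding in COMPILED:
            if rx.match(path) and pred(value):
                hits.append((finding, path, ev["image"]))
    return hits


# Constructed sample events mirroring the report's IoC rows (SID and key paths taken from the report).
SID = "S-1-5-21-2066881839-3229799743-3576549721-1000"
MSI = "C:\\Windows\\SysWOW64\\msiexec.exe"
PF = "Software\\Microsoft\\Internet Explorer\\PhishingFilter"
POL = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\"


def _ev(event, target, details, image=MSI):
    return {"event": event, "image": image, "target": target, "details": details}


EVENTS = [
    _ev("SetValue", "\\REGISTRY\\MACHINE\\" + PF + "\\EnabledV8", "0"),
    _ev("SetValue", "\\REGISTRY\\MACHINE\\" + PF + "\\EnabledV9", "0"),
    _ev("CreateKey", "\\REGISTRY\\USER\\" + SID + "\\" + PF, ""),
    _ev("SetValue", "\\REGISTRY\\USER\\" + SID + "\\" + PF + "\\EnabledV8", "0"),
    _ev("SetValue", "\\REGISTRY\\USER\\" + SID + "\\" + PF + "\\EnabledV9", "0"),
    _ev("SetValue", POL + "Explorer\\TaskbarNoNotification", "1"),
    _ev("SetValue", POL + "Explorer\\HideSCAHealth", "1"),
    # The same EnableLUA write as Sysmon event ID 13 would render it.
    _ev("SetValue", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "DWORD (0x00000000)"),
    _ev("SetValue", POL + "Explorer\\Run\\MSBuildStart", '"C:\\ProgramData\\MSBuild\\MSBuildStart.exe"'),
    # Benign decoys (constructed): a user toggling an Explorer view option, and UAC being turned back on.
    _ev("SetValue", "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
        "1", image="C:\\Windows\\explorer.exe"),
    _ev("SetValue", POL + "System\\EnableLUA", "DWORD (0x00000001)", image="C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for finding, path, image in detect(EVENTS):
        print(f"{finding}: {path} (written by {image})")
```

Eight of the eleven constructed events are flagged, all attributed to msiexec.exe; the two decoys pass. Matching on the normalised path rather than the raw string is what lets one PhishingFilter rule cover both the HKLM write and the per-user write under the SID, and parsing the DWORD encoding is what keeps EnableLUA = 1 (UAC re-enabled) from being reported as a finding.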
Processes
1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe (PID 3808)
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe (PID 744, child of 3808)
      Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.3.4.0.vir.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe (PID 3648, child of 744)
         Command line: msiexec.exe
         - Modifies Internet Explorer settings
         - System policy modification
         - Deletes itself
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Adds policy Run key to start application
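The process tree and the WriteProcessMemory / SetThreadContext rows together describe a two-hop injection chain: the dropper (3808) writes into a second copy of itself (744) and redirects a thread in it, and that copy then writes into a freshly started 32-bit msiexec.exe (3648), which is the process that goes on to touch the registry and delete the original file. The Python below is an added example, not code from the sandbox, the report or the sample. It takes the API rows as (source PID, API, target PID) events, constructed here to mirror the report, groups them into labelled injector -> victim edges and walks them into the chain. The event layout, the PID-to-image map and the child-to-parent map are assumptions taken from the process tree above; the edge labels are triage heuristics (a write plus SetThreadContext on a child is consistent with process hollowing but the sandbox rows do not record whether the child was created suspended).

```python
"""Rebuild the injection chain from the report's per-process API rows.

Added example, not part of the sandbox report or of the sample. The report lists
WriteProcessMemory and SetThreadContext calls as (source PID, target PID) rows;
the events constructed below mirror them. The code groups them into labelled
injector -> victim edges and walks them into the chain 3808 -> 744 -> 3648.
The event layout and the child -> parent map are assumptions taken from the
report's process tree; the labels are heuristics, not proof of hollowing.
"""
import ntpath
from collections import Counter, defaultdict

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chthonic_2.3.4.0.vir.exe"
IMAGES = {3808: SAMPLE, 744: SAMPLE, 3648: "C:\\Windows\\SysWOW64\\msiexec.exe"}
PARENT = {744: 3808, 3648: 744}  # child -> parent, per the process tree

# (source pid, api, target pid): eight writes and one SetThreadContext into 744, four writes into 3648.
API_EVENTS = (
    [(3808, "WriteProcessMemory", 744)] * 8
    + [(3808, "SetThreadContext", 744)]
    + [(744, "WriteProcessMemory", 3648)] * 4
)


def build_edges(events):
    """Group cross-process calls into {(src, dst): Counter(api)}; same-process calls are not injection."""
    edges = defaultdict(Counter)
    for src, api, dst in events:
        if src != dst:
            edges[(src, dst)][api] += 1
    return edges


def label_edge(src, dst, apis):
    """Describe what the API mix on one edge suggests."""
    labels = []
    if apis["WriteProcessMemory"] and apis["SetThreadContext"]:
        labels.append("write + SetThreadContext: hollowing-style redirect of a remote thread")
    elif apis["WriteProcessMemory"]:
        labels.append("remote memory write")
    if PARENT.get(dst) == src:
        labels.append("target is the injector's own child")
    if ntpath.basename(IMAGES[src]).lower() == ntpath.basename(IMAGES[dst]).lower():
        labels.append("same image re-spawned")
    if IMAGES[dst].lower().startswith("c:\\windows\\"):
        labels.append("target is a Windows binary (code now runs under a trusted image)")
    return labels


def chains(edges):
    """Follow edges from injectors that are never themselves a target down to the leaves."""
    by_src = defaultdict(list)
    for src, dst in edges:
        by_src[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted(s for s in list(by_src) if s not in targets)
    found = []

    def walk(node, path):
        nexts = by_src.get(node, [])
        if not nexts:
            found.append(path)
        for nxt in nexts:
            if nxt not in path:  # real traces can contain cycles; do not loop
                walk(nxt, path + [nxt])

    for root in roots:
        walk(root, [root])
    return found


def report(events=API_EVENTS):
    """One line per chain, then one indented line per hop with its call counts and labels."""
    edges = build_edges(events)
    lines = []
    for chain in chains(edges):
        lines.append(" -> ".join(f"{pid} ({ntpath.basename(IMAGES[pid])})" for pid in chain))
        for src, dst in zip(chain, chain[1:]):
            apis = edges[(src, dst)]
            calls = ", ".join(f"{api} x{n}" for api, n in sorted(apis.items()))
            lines.append(f"  {src} -> {dst}: {calls}")
            lines.extend(f"    - {label}" for label in label_edge(src, dst, apis))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The first hop (3808 -> 744) gets the hollowing-style label because both a memory write and a thread-context change land on the same child; the second hop (744 -> 3648) is a plain remote write whose notable property is the target image, a Windows binary under C:\Windows, which is why the later registry and self-deletion activity is attributed to msiexec.exe rather than to the sample.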