Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 17:21
Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.14.2.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.14.2.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.14.2.vir.exe
- Size: 200KB
- MD5: 43307a5a45b5a74e9270b5b3d4c67137
- SHA1: 2fb58a0dc16c9bdc697bf1078f63c657e600faf2
- SHA256: 3b1309d5b6b22786209cd378d53cccc323b33ae5e75dac3e07e53b32c46e67d3
- SHA512: 1b41a796be7c237c49400db8abadd86e0fc56bfb87e8a7966ad43e2b10292aaf69dbcd2ffbb52ebed66ea1464251da05202729e5922dbb4fd69f9a94d7e89694
- Score: 10/10
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: msiexec.exe
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\AdobeB = "C:\\ProgramData\\Adobe\\AdobeB.exe"

Disables taskbar notifications via registry modification

Suspicious use of WriteProcessMemory (4 IoCs)
Process: chthonic_2.23.14.2.vir.exe
- PID 3812 (chthonic_2.23.14.2.vir.exe) wrote to memory of PID 4088 (msiexec.exe), 4 times

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: msiexec.exe
- PID 4088 msiexec.exe, 4 events

System policy modification (1 TTPs, 5 IoCs)
Process: msiexec.exe
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Blacklisted process makes network request (18 IoCs)
Process: msiexec.exe (PID 4088)
- Flows: 1, 5, 8, 10, 11, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26

Checks whether UAC is enabled
Process: msiexec.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Modifies Internet Explorer settings
Process: msiexec.exe
- Key created: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter
- Set value (int): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
- Set value (int): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
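The msiexec.exe registry writes above are all "Set value" events on well-known policy paths, which makes them straightforward to turn into detection rules. The Python below is an added example and is not part of the Triage report or of the sample: it parses constructed event lines written in the report's own format (the writes above plus two benign controls), normalises the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to HKLM/HKU, and flags the writes that disable UAC, add a Policies\Explorer\Run entry, suppress notifications and switch off the IE PhishingFilter. The event format, the rule names, the Event/Rule/Finding types and the ATT&CK IDs attached to each rule (current sub-technique IDs rather than the v6 matrix this report links) are assumptions for illustration.

```python
"""Added example (not from the Triage report or the sample): rule-based
detection of the registry policy tampering listed in the signatures. Parses
event lines in the report's own format, normalises \\REGISTRY\\MACHINE and
\\REGISTRY\\USER\\<SID> paths, and flags the writes. Event format, rule
names and the Event/Rule/Finding types are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Report-style lines: 'Set value (int) <key> = "<value>" <process>',
# 'Key created <key> <process>', 'Key value queried <key> <process>'.
# Key paths may contain spaces ("Internet Explorer"), hence the lazy/greedy groups.
_SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
_KEY_RE = re.compile(r'^(Key created|Key value queried) (.+) (\S+)$')
_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-[0-9-]+\\", re.IGNORECASE)
_HKLM = "\\REGISTRY\\MACHINE\\"

@dataclass(frozen=True)
class Event:
    process: str
    op: str
    key: str
    value: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    name: str
    technique: str               # ATT&CK ID, current sub-technique numbering
    key: str                     # upper-case tail of the normalised key path
    value: Optional[str] = None  # None: any value written there matches
    hive: Optional[str] = None   # "HKLM"/"HKU" to restrict, None: either
    subkeys: bool = False        # True: match any value name directly under key

@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    process: str
    key: str
    value: str

RULES = [
    Rule("UAC disabled (EnableLUA=0)", "T1548.002",
         "\\POLICIES\\SYSTEM\\ENABLELUA", value="0", hive="HKLM"),
    Rule("Persistence via Policies\\Explorer\\Run", "T1547.001",
         "\\POLICIES\\EXPLORER\\RUN", subkeys=True),
    Rule("IE PhishingFilter disabled", "T1562.001",
         "\\INTERNET EXPLORER\\PHISHINGFILTER\\ENABLEDV8", value="0"),
    Rule("IE PhishingFilter disabled", "T1562.001",
         "\\INTERNET EXPLORER\\PHISHINGFILTER\\ENABLEDV9", value="0"),
    Rule("Taskbar notifications suppressed", "T1112",
         "\\POLICIES\\EXPLORER\\TASKBARNONOTIFICATION", value="1", hive="HKLM"),
    Rule("Security Center icon hidden", "T1112",
         "\\POLICIES\\EXPLORER\\HIDESCAHEALTH", value="1", hive="HKLM"),
]

def normalize_key(path: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU, upper-cased."""
    if _SID_RE.match(path):
        path = _SID_RE.sub(r"HKU\\", path)
    elif path.upper().startswith(_HKLM):
        path = "HKLM\\" + path[len(_HKLM):]
    return path.upper()

def parse_event(line: str) -> Optional[Event]:
    m = _SET_RE.match(line)
    if m:
        _vtype, key, value, proc = m.groups()
        return Event(proc, "Set value", key, value)
    m = _KEY_RE.match(line)
    if m:
        op, key, proc = m.groups()
        return Event(proc, op, key)
    return None  # unrecognised line: ignored, not guessed at

def _matches(rule: Rule, key: str, value: str) -> bool:
    if rule.hive and not key.startswith(rule.hive + "\\"):
        return False
    target = key.rpartition("\\")[0] if rule.subkeys else key
    return target.endswith(rule.key) and (rule.value is None or value == rule.value)

def detect(lines: List[str]) -> List[Finding]:
    """Only writes change policy, so reads and bare key creation are skipped."""
    out: List[Finding] = []
    for ev in filter(None, map(parse_event, lines)):
        if ev.op != "Set value":
            continue
        key = normalize_key(ev.key)
        out += [Finding(r.name, r.technique, ev.process, key, ev.value)
                for r in RULES if _matches(r, key, ev.value)]
    return out

# Constructed input: the msiexec.exe writes from the signatures plus two benign
# controls (an ordinary HKCU Run entry; EnableLUA set back to 1 by regedit.exe).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\AdobeB = "C:\\ProgramData\\Adobe\\AdobeB.exe" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" msiexec.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" msiexec.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe" explorer.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" regedit.exe',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique:<10} {f.rule:<40} {f.process}  {f.key} = {f.value}")
```

The same rules apply unchanged to Sysmon Event ID 13 (RegistryEvent, Value Set) records once the TargetObject path is normalised the same way. EnableLUA = 0 is the write to prioritise: the change only takes effect after a reboot, so alerting on the write itself gives a response window before every later elevation on the host runs without a consent prompt.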
Processes

1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.14.2.vir.exe (PID 3812)
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.14.2.vir.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\msiexec.exe (PID 4088, child of 1)
      Command line: msiexec.exe
      - Adds policy Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
      - Blacklisted process makes network request
      - Checks whether UAC is enabled
      - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4088-0-0x0000000000000000-mapping.dmp