Analysis

max time kernel: 111s
max time network: 117s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 16:34
Static task: static1

Behavioral task: behavioral1
Sample: chthonic_2.1.4.0.vir.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: chthonic_2.1.4.0.vir.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General

Target: chthonic_2.1.4.0.vir.exe
Size: 188KB
MD5: 42104ac17c4438f016128b643c67e164
SHA1: 679699cd53fa56cd89d2f98806a42d78efb3748a
SHA256: 0e3418c1fe660e17a43e8f7568f72d0e21fbed0a52f0e69e4c93b62e3cac3f1a
SHA512: 70e3d23fe1888e4a438f174c4720eb517cfde01c3b3116f1eb8ebd13e5413cfeca53e0a2da83ce63971620e22a0d986b53b86afa2adbc51598bee832bf13cf33
Score: 10/10
Malware Config
Signatures

Blacklisted process makes network request (11 IoCs)
Processes: msiexec.exe
flow  pid  process
3     316  msiexec.exe
4     316  msiexec.exe
5     316  msiexec.exe
7     316  msiexec.exe
8     316  msiexec.exe
9     316  msiexec.exe
11    316  msiexec.exe
12    316  msiexec.exe
13    316  msiexec.exe
15    316  msiexec.exe
16    316  msiexec.exe

Drops file in Program Files directory (1 IoC)
Processes: msiexec.exe
description                    ioc                                  process
File opened for modification   C:\PROGRA~3\Adobe\Adobeagent.exe     msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: chthonic_2.1.4.0.vir.exe
description                           pid  process                   target process
PID 900 set thread context of 1288    900  chthonic_2.1.4.0.vir.exe  chthonic_2.1.4.0.vir.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: chthonic_2.1.4.0.vir.exe, msiexec.exe
pid   process
1288  chthonic_2.1.4.0.vir.exe (2 events)
316   msiexec.exe (3 events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: chthonic_2.1.4.0.vir.exe, msiexec.exe
description                 pid   process
Token: SeDebugPrivilege     1288  chthonic_2.1.4.0.vir.exe
Token: SeBackupPrivilege    1288  chthonic_2.1.4.0.vir.exe
Token: SeRestorePrivilege   1288  chthonic_2.1.4.0.vir.exe
Token: SeDebugPrivilege     316   msiexec.exe
Token: SeBackupPrivilege    316   msiexec.exe
Token: SeRestorePrivilege   316   msiexec.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: chthonic_2.1.4.0.vir.exe
pid  process
900  chthonic_2.1.4.0.vir.exe

Suspicious behavior: MapViewOfSection (21 IoCs)
Processes: chthonic_2.1.4.0.vir.exe, msiexec.exe
pid   process
1288  chthonic_2.1.4.0.vir.exe (2 events)
316   msiexec.exe (19 events)

Suspicious behavior: RenamesItself (1 IoC)
Processes: msiexec.exe
pid  process
316  msiexec.exe

Disables taskbar notifications via registry modification

System policy modification (1 TTP, 2 IoCs)
Processes: msiexec.exe
description       ioc                                                                                          process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system                  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  msiexec.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs)

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
description       ioc                                                                                                                                   process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run                                                     msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2693382735 = "C:\\PROGRA~3\\Adobe\\Adobeagent.exe"  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: chthonic_2.1.4.0.vir.exe, chthonic_2.1.4.0.vir.exe
description                         pid   process                   target process
PID 900 wrote to memory of 1288     900   chthonic_2.1.4.0.vir.exe  chthonic_2.1.4.0.vir.exe (9 events)
PID 1288 wrote to memory of 316     1288  chthonic_2.1.4.0.vir.exe  msiexec.exe (7 events)

Checks whether UAC is enabled
Processes: msiexec.exe
description         ioc                                                                                          process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        msiexec.exe
Set value (int)     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  msiexec.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.4.0.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.4.0.vir.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.4.0.vir.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.4.0.vir.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: C:\Windows\system32\msiexec.exe
         - Blacklisted process makes network request
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: MapViewOfSection
         - Suspicious behavior: RenamesItself
         - System policy modification
         - Adds policy Run key to start application
         - Checks whether UAC is enabled