Overview

overview

10

Static

static

chthonic_2...ir.exe

windows7_x64

chthonic_2...ir.exe

windows10_x64

10

Analysis

  • max time kernel
    3s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 19:25

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    chthonic_2.23.15.2.vir.exe

  • Size

    376KB

  • MD5

    d991dc65d24d866e37a41006c15756aa

  • SHA1

    ed46844d9a51d083f8b149c4f252bad34bbc7b1e

  • SHA256

    b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3

  • SHA512

    67d29c92c7127967663702f16d5e88c59dffbe0b0b7b9b143635b456b2155c18b63449b3cf003ac3194f2802b6f0dc0c7d3f33b5be215a1075920d10cf2dcbef

Score
10/10
persistenceevasiontrojan

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Loads dropped DLL 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Windows security bypass 2 TTPs
    evasiontrojan
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.2.vir.exe
    "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.2.vir.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\AppData\Local\Temp\W8FOr23
      "W8FOr23"
      2⤵
      • Drops startup file
      • Modifies WinLogon for persistence
      • Suspicious use of AdjustPrivilegeToken
      • Checks whether UAC is enabled
      • Modifies security service
      • Windows security modification
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Modifies firewall policy service
      • Adds Run key to start application
      • System policy modification
      PID:596
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Adds Run key to start application
      PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

8
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads