Analysis
- max time kernel: 3s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:25

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.15.2.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.15.2.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds

Errors
- Reason: Machine shutdown
General
- Target: chthonic_2.23.15.2.vir.exe
- Size: 376KB
- MD5: d991dc65d24d866e37a41006c15756aa
- SHA1: ed46844d9a51d083f8b149c4f252bad34bbc7b1e
- SHA256: b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3
- SHA512: 67d29c92c7127967663702f16d5e88c59dffbe0b0b7b9b143635b456b2155c18b63449b3cf003ac3194f2802b6f0dc0c7d3f33b5be215a1075920d10cf2dcbef
- Score: 10/10

Malware Config

Signatures
Drops startup file (2 IoCs)
Process: W8FOr23
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awqehdrx.exe (process: W8FOr23)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awqehdrx.exe (process: W8FOr23)

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process: W8FOr23
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\rqyrwdik\\awqehdrx.exe" (process: W8FOr23)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\rqyrwdik\\awqehdrx.exe" (process: W8FOr23)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Process: W8FOr23 (PID 596)
- Token: SeSecurityPrivilege (PID 596, W8FOr23)
- Token: SeRestorePrivilege (PID 596, W8FOr23)
- Token: SeBackupPrivilege (PID 596, W8FOr23)
- Token: SeShutdownPrivilege (PID 596, W8FOr23)
Checks whether UAC is enabled (2 IoCs)
Processes: W8FOr23, msiexec.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: W8FOr23)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: msiexec.exe)
Modifies security service (2 TTPs, 4 IoCs)
Process: W8FOr23
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" (process: W8FOr23)
Windows security modification (6 IoCs)
Process: W8FOr23
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: W8FOr23)
Executes dropped EXE (1 IoCs)
Process: W8FOr23
- PID 596: W8FOr23

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: W8FOr23, msiexec.exe
- PID 596: W8FOr23
- PID 596: W8FOr23
- PID 1064: msiexec.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: W8FOr23
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: W8FOr23)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: W8FOr23)

Loads dropped DLL (2 IoCs)
Process: chthonic_2.23.15.2.vir.exe
- PID 896: chthonic_2.23.15.2.vir.exe
- PID 896: chthonic_2.23.15.2.vir.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Process: chthonic_2.23.15.2.vir.exe
- PID 896 (chthonic_2.23.15.2.vir.exe) wrote to memory of PID 596 (W8FOr23): 4 entries
- PID 896 (chthonic_2.23.15.2.vir.exe) wrote to memory of PID 1064 (msiexec.exe): 8 entries

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: W8FOr23, msiexec.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\AwqEhdrx = "C:\\Users\\Admin\\AppData\\Local\\rqyrwdik\\awqehdrx.exe" (process: W8FOr23)
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\Run (process: msiexec.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\TMozillaMaintenanceService = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla Maintenance Service\\TMozillaMaintenanceService.exe" (process: msiexec.exe)

System policy modification (1 TTPs, 1 IoCs)
Process: W8FOr23
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: W8FOr23)
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.2.vir.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.15.2.vir.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\W8FOr23 (tree level 2)
    Command line: "W8FOr23"
    - Drops startup file
    - Modifies WinLogon for persistence
    - Suspicious use of AdjustPrivilegeToken
    - Checks whether UAC is enabled
    - Modifies security service
    - Windows security modification
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Modifies firewall policy service
    - Adds Run key to start application
    - System policy modification
  - C:\Windows\SysWOW64\msiexec.exe (tree level 2)
    Command line: msiexec.exe
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\W8FOr23
- \Users\Admin\AppData\Local\Temp\W8FOr23
- memory/596-2-0x0000000000000000-mapping.dmp
- memory/1064-5-0x0000000000000000-mapping.dmp