Analysis
- max time kernel: 124s
- max time network: 130s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:42
- Static task: static1
- Behavioral task: behavioral1 (sample chthonic_2.0.8.1.vir.exe, resource win7v200430)
- Behavioral task: behavioral2 (sample chthonic_2.0.8.1.vir.exe, resource win10)
General
- Target: chthonic_2.0.8.1.vir.exe
- Size: 217KB
- MD5: c4b802049dbdf2bb8a299d68715fac43
- SHA1: 177aeba07cecfbffb1697e051a9d5b920965813a
- SHA256: cc841ea2d1abc98b1e89294c3a0dbef1b04e58b4c9b6f4b0f9ad33adef1d1309
- SHA512: 3f93115f2fd801a427be5f0abf6880793e85d71c60df14c0e02db14a8548781b9811c689384c0c9fc706d5522e6b3158270e49106acad5fa522f06ccf046747a
Malware Config
Signatures
Drops file in Program Files directory (1 IoC)
Processes: msiexec.exe
- File opened for modification: C:\PROGRA~3\Microsoft\agentMicrosoft.exe (msiexec.exe)
Checks whether UAC is enabled
Processes: msiexec.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: chthonic_2.0.8.1.vir.exe
- PID 792 (chthonic_2.0.8.1.vir.exe) wrote to memory of PID 3740 (msiexec.exe), 3 events
Modifies visibility of hidden/system files in Explorer (2 TTPs)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: chthonic_2.0.8.1.vir.exe, msiexec.exe
- PID 792 chthonic_2.0.8.1.vir.exe (4 events)
- PID 3740 msiexec.exe (6 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: chthonic_2.0.8.1.vir.exe, msiexec.exe
- Token: SeDebugPrivilege, PID 792 chthonic_2.0.8.1.vir.exe
- Token: SeBackupPrivilege, PID 792 chthonic_2.0.8.1.vir.exe
- Token: SeRestorePrivilege, PID 792 chthonic_2.0.8.1.vir.exe
- Token: SeDebugPrivilege, PID 3740 msiexec.exe
- Token: SeBackupPrivilege, PID 3740 msiexec.exe
- Token: SeRestorePrivilege, PID 3740 msiexec.exe
Blacklisted process makes network request (8 IoCs)
Processes: msiexec.exe
- Flows 7, 8, 10, 11, 13, 14, 16, 17: PID 3740 msiexec.exe
System policy modification (1 TTP, 5 IoCs)
Processes: msiexec.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (msiexec.exe)
Suspicious behavior: RenamesItself (1 IoC)
Processes: msiexec.exe
- PID 3740 msiexec.exe
Disables taskbar notifications via registry modification
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: chthonic_2.0.8.1.vir.exe, msiexec.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE (chthonic_2.0.8.1.vir.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE (msiexec.exe)
Suspicious behavior: MapViewOfSection (58 IoCs)
Processes: chthonic_2.0.8.1.vir.exe, msiexec.exe
- PID 792 chthonic_2.0.8.1.vir.exe (2 events)
- PID 3740 msiexec.exe (all remaining events)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1189856718 = "C:\\PROGRA~3\\Microsoft\\agentMicrosoft.exe" (msiexec.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.1.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.1.vir.exe"
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Identifies Wine through registry keys
- Suspicious behavior: MapViewOfSection
2. C:\Windows\SysWOW64\msiexec.exe (spawned by process 1)
   Command line: C:\Windows\system32\msiexec.exe
- Drops file in Program Files directory
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- System policy modification
- Suspicious behavior: RenamesItself
- Identifies Wine through registry keys
- Suspicious behavior: MapViewOfSection
- Adds policy Run key to start application