cc841ea2d1abc98b1e89294c3a0dbef1b04e58b4c9b6f4b0f9ad33adef1d1309

General

Target

chthonic_2.0.8.1.vir.exe
Size

217KB
MD5

c4b802049dbdf2bb8a299d68715fac43
SHA1

177aeba07cecfbffb1697e051a9d5b920965813a
SHA256

cc841ea2d1abc98b1e89294c3a0dbef1b04e58b4c9b6f4b0f9ad33adef1d1309
SHA512

3f93115f2fd801a427be5f0abf6880793e85d71c60df14c0e02db14a8548781b9811c689384c0c9fc706d5522e6b3158270e49106acad5fa522f06ccf046747a

Score

10^/10

evasion trojan persistence

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\PROGRA~3\Microsoft\agentMicrosoft.exe msiexec.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\Microsoft\agentMicrosoft.exe	msiexec.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

chthonic_2.0.8.1.vir.exe

description	pid	process	target process
PID 792 wrote to memory of 3740	792	chthonic_2.0.8.1.vir.exe	msiexec.exe
PID 792 wrote to memory of 3740	792	chthonic_2.0.8.1.vir.exe	msiexec.exe
PID 792 wrote to memory of 3740	792	chthonic_2.0.8.1.vir.exe	msiexec.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chthonic_2.0.8.1.vir.exemsiexec.exe

pid	process
792	chthonic_2.0.8.1.vir.exe
792	chthonic_2.0.8.1.vir.exe
792	chthonic_2.0.8.1.vir.exe
792	chthonic_2.0.8.1.vir.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

chthonic_2.0.8.1.vir.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	792	chthonic_2.0.8.1.vir.exe
Token: SeBackupPrivilege	792	chthonic_2.0.8.1.vir.exe
Token: SeRestorePrivilege	792	chthonic_2.0.8.1.vir.exe
Token: SeDebugPrivilege	3740	msiexec.exe
Token: SeBackupPrivilege	3740	msiexec.exe
Token: SeRestorePrivilege	3740	msiexec.exe

Blacklisted process makes network request 8 IoCs

Processes:

msiexec.exe

flow pid process

7 3740 msiexec.exe
8 3740 msiexec.exe
10 3740 msiexec.exe
11 3740 msiexec.exe
13 3740 msiexec.exe
14 3740 msiexec.exe
16 3740 msiexec.exe
17 3740 msiexec.exe

flow	pid	process
7	3740	msiexec.exe
8	3740	msiexec.exe
10	3740	msiexec.exe
11	3740	msiexec.exe
13	3740	msiexec.exe
14	3740	msiexec.exe
16	3740	msiexec.exe
17	3740	msiexec.exe

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msiexec.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

msiexec.exe

pid process

3740 msiexec.exe
Disables taskbar notifications via registry modification
evasion

pid	process
3740	msiexec.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chthonic_2.0.8.1.vir.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	chthonic_2.0.8.1.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	msiexec.exe

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

chthonic_2.0.8.1.vir.exemsiexec.exe

pid	process
792	chthonic_2.0.8.1.vir.exe
792	chthonic_2.0.8.1.vir.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe
3740	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1189856718 = "C:\\PROGRA~3\\Microsoft\\agentMicrosoft.exe"	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.1.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Identifies Wine through registry keys
- Suspicious behavior: MapViewOfSection
PID:792

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe
2⤵
- Drops file in Program Files directory
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- System policy modification
- Suspicious behavior: RenamesItself
- Identifies Wine through registry keys
- Suspicious behavior: MapViewOfSection
- Adds policy Run key to start application
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Hidden Files and Directories

1

T1158

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3740-0-0x0000000000000000-mapping.dmp

Download
memory/3740-1-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download
memory/3740-2-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads