Analysis
max time kernel: 146s
max time network: 148s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 16:47
Static task: static1
Behavioral task: behavioral1
  Sample: chthonic_2.4.16.0.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: chthonic_2.4.16.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: chthonic_2.4.16.0.vir.exe
Size: 173KB
MD5: 4162cd6ddf3eb2678b7a35b5f8b2597e
SHA1: 57bffa67e38a02a6b06575a9f1bf467bcdbca3fe
SHA256: ac8006c65da9bfedca11b142c2b4cd176c1559e55aef528155136f513abc4494
SHA512: 1b74b8bd6f46bed59b7db3557a202d37cc28818ff297c1e18f493c61abcb236c27769f9196fbe6ff18b324692c1ba3e00b1a8dce63127e8413409326797b5618
Score: 10/10
Malware Config
Signatures
Modifies Internet Explorer settings
Processes: msiexec.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
System policy modification 1 TTPs 5 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: chthonic_2.4.16.0.vir.exe
description | pid | process | target process
PID 3588 wrote to memory of 4068 | 3588 | chthonic_2.4.16.0.vir.exe | msiexec.exe
PID 3588 wrote to memory of 4068 | 3588 | chthonic_2.4.16.0.vir.exe | msiexec.exe
PID 3588 wrote to memory of 4068 | 3588 | chthonic_2.4.16.0.vir.exe | msiexec.exe
PID 3588 wrote to memory of 4068 | 3588 | chthonic_2.4.16.0.vir.exe | msiexec.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: msiexec.exe
pid | process
4068 | msiexec.exe (this row is repeated 26 times in the report)
Checks whether UAC is enabled
Processes: msiexec.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\syncWindowsMediaPlayer = "C:\\ProgramData\\Windows Media Player\\syncWindowsMediaPlayer.exe" | msiexec.exe
Disables taskbar notifications via registry modification
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.16.0.vir.exe (PID 3588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.16.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 4068)
    Command line: msiexec.exe
    - Modifies Internet Explorer settings
    - System policy modification
    - Suspicious behavior: EnumeratesProcesses
    - Checks whether UAC is enabled
    - Adds policy Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4068-0-0x0000000000000000-mapping.dmp