Analysis
- max time kernel: 9s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.23.17.1.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.23.17.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
Errors
- Reason: Machine shutdown
General
- Target: chthonic_2.23.17.1.vir.exe
- Size: 151KB
- MD5: aba6f9b372254cf34879ddc5283927c9
- SHA1: f5724a63620621be8930972897da28c088547706
- SHA256: 3ba80718b5c68cf563db5bcda51606472b0b1e7bd52f9698383068cb935aad99
- SHA512: a27be560684162fa3b315c6f7e90435c2e76a35a16e4e004d304d8569c4f22e56fa8711e12ea170e99592ba5f8715a2e26455bf7bc800d85e4aa7e96c87b9ede
- Score: 10/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: chthonic_2.23.17.1.vir.exe, msiexec.exe, cmd.exe, EWindowsMediaPlayer.exe
  description | pid | process | target process
  PID 1100 wrote to memory of 840 | 1100 | chthonic_2.23.17.1.vir.exe | msiexec.exe (8 occurrences)
  PID 840 wrote to memory of 1448 | 840 | msiexec.exe | cmd.exe (4 occurrences)
  PID 1448 wrote to memory of 272 | 1448 | cmd.exe | EWindowsMediaPlayer.exe (4 occurrences)
  PID 272 wrote to memory of 284 | 272 | EWindowsMediaPlayer.exe | msiexec.exe (8 occurrences)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: msiexec.exe
  pid | process
  840 | msiexec.exe
- Executes dropped EXE (1 IoC)
  Processes: EWindowsMediaPlayer.exe
  pid | process
  272 | EWindowsMediaPlayer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: msiexec.exe
  description | pid | process
  Token: SeShutdownPrivilege | 840 | msiexec.exe
- Checks for any installed AV software in registry (1 TTP, 4 IoCs)
  Processes: msiexec.exe (every row below)
  description | ioc
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\antivirservice
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy
- Checks whether UAC is enabled
  Processes: msiexec.exe
  description | ioc
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Deletes itself (1 IoC)
  Processes: msiexec.exe
  pid | process
  840 | msiexec.exe
- System policy modification (1 TTP, 3 IoCs)
  Processes: msiexec.exe (every row below)
  description | ioc
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"
- Modifies registry class (23 IoCs)
  Processes: msiexec.exe (every row below)
  description | ioc
  Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
- Modifies service (2 TTPs, 2 IoCs)
  Processes: msiexec.exe (every row below)
  description | ioc
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\diagnosticshub.standardcollector.service\Start = "4"
- Disables taskbar notifications via registry modification
- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  Processes: chthonic_2.23.17.1.vir.exe, msiexec.exe, EWindowsMediaPlayer.exe
  pid | process
  1100 | chthonic_2.23.17.1.vir.exe
  840 | msiexec.exe
  272 | EWindowsMediaPlayer.exe
- Loads dropped DLL (6 IoCs)
  Processes: chthonic_2.23.17.1.vir.exe, msiexec.exe, cmd.exe, EWindowsMediaPlayer.exe, msiexec.exe
  pid | process
  1100 | chthonic_2.23.17.1.vir.exe
  840 | msiexec.exe
  1448 | cmd.exe
  1448 | cmd.exe
  272 | EWindowsMediaPlayer.exe
  284 | msiexec.exe
- Adds Run key to start application (2 TTPs, 10 IoCs)
  Processes: msiexec.exe (every row below)
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\EWindowsMediaPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\EWindowsMediaPlayer\\EWindowsMediaPlayer.exe"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\Run
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modifies Internet Explorer settings
  Processes: msiexec.exe (every row below)
  description | ioc
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter
  Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
  Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.1.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.1.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: GetForegroundWindowSpam
  - Loads dropped DLL
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Deletes itself
    - System policy modification
    - Modifies registry class
    - Modifies service
    - Suspicious behavior: GetForegroundWindowSpam
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\EWindowsMediaPlayer\EWindowsMediaPlayer.exe"
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - C:\Users\Admin\AppData\Roaming\EWindowsMediaPlayer\EWindowsMediaPlayer.exe
        Command line: C:\Users\Admin\AppData\Roaming\EWindowsMediaPlayer\EWindowsMediaPlayer.exe
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Loads dropped DLL
        - C:\Windows\SysWOW64\msiexec.exe
          Command line: C:\Windows\system32\msiexec.exe
          - Loads dropped DLL
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\EWindowsMediaPlayer\EWindowsMediaPlayer.exe
- C:\Users\Admin\AppData\Roaming\EWindowsMediaPlayer\EWindowsMediaPlayer.exe
- \Users\Admin\AppData\Local\Temp\2432.tmp
- \Users\Admin\AppData\Local\Temp\29AE.tmp
- \Users\Admin\AppData\Local\Temp\361C.tmp
- \Users\Admin\AppData\Local\Temp\3A9F.tmp
- \Users\Admin\AppData\Roaming\EWindowsMediaPlayer\EWindowsMediaPlayer.exe
- \Users\Admin\AppData\Roaming\EWindowsMediaPlayer\EWindowsMediaPlayer.exe
- memory/272-7-0x0000000000000000-mapping.dmp
- memory/284-10-0x0000000000000000-mapping.dmp
- memory/840-1-0x0000000000000000-mapping.dmp
- memory/1448-3-0x0000000000000000-mapping.dmp
- memory/1836-12-0x00000000027D0000-0x00000000027D1000-memory.dmp (Filesize: 4KB)
- memory/1836-13-0x00000000027D0000-0x00000000027D1000-memory.dmp (Filesize: 4KB)