Analysis

max time kernel: 8s
max time network: 10s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:26

Static task: static1
Behavioral task: behavioral1
  Sample: chthonic_2.23.17.1.vir.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: chthonic_2.23.17.1.vir.exe
  Resource: win10
Errors

General
Target: chthonic_2.23.17.1.vir.exe
Size: 151KB
MD5: aba6f9b372254cf34879ddc5283927c9
SHA1: f5724a63620621be8930972897da28c088547706
SHA256: 3ba80718b5c68cf563db5bcda51606472b0b1e7bd52f9698383068cb935aad99
SHA512: a27be560684162fa3b315c6f7e90435c2e76a35a16e4e004d304d8569c4f22e56fa8711e12ea170e99592ba5f8715a2e26455bf7bc800d85e4aa7e96c87b9ede
Malware Config
Signatures
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: chthonic_2.23.17.1.vir.exe, msiexec.exe, cmd.exe, 2MozillaMaintenanceService.exe
  description                        pid   process                         target process
  PID 380 wrote to memory of 2312    380   chthonic_2.23.17.1.vir.exe      msiexec.exe
  PID 380 wrote to memory of 2312    380   chthonic_2.23.17.1.vir.exe      msiexec.exe
  PID 380 wrote to memory of 2312    380   chthonic_2.23.17.1.vir.exe      msiexec.exe
  PID 380 wrote to memory of 2312    380   chthonic_2.23.17.1.vir.exe      msiexec.exe
  PID 2312 wrote to memory of 4036   2312  msiexec.exe                     cmd.exe
  PID 2312 wrote to memory of 4036   2312  msiexec.exe                     cmd.exe
  PID 2312 wrote to memory of 4036   2312  msiexec.exe                     cmd.exe
  PID 4036 wrote to memory of 3832   4036  cmd.exe                         2MozillaMaintenanceService.exe
  PID 4036 wrote to memory of 3832   4036  cmd.exe                         2MozillaMaintenanceService.exe
  PID 4036 wrote to memory of 3832   4036  cmd.exe                         2MozillaMaintenanceService.exe
  PID 3832 wrote to memory of 3868   3832  2MozillaMaintenanceService.exe  msiexec.exe
  PID 3832 wrote to memory of 3868   3832  2MozillaMaintenanceService.exe  msiexec.exe
  PID 3832 wrote to memory of 3868   3832  2MozillaMaintenanceService.exe  msiexec.exe
  PID 3832 wrote to memory of 3868   3832  2MozillaMaintenanceService.exe  msiexec.exe
Deletes itself (1 IoCs)
Processes: msiexec.exe
  pid   process
  2312  msiexec.exe
Checks for any installed AV software in registry (1 TTPs, 4 IoCs)
Processes: msiexec.exe
  description  ioc                                                               process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy           msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\antivirservice    msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe           msiexec.exe
Checks whether UAC is enabled
Processes: msiexec.exe
  description        ioc                                                                                      process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msiexec.exe
Disables taskbar notifications via registry modification
Processes: msiexec.exe
  description      ioc                                                                                                                                          process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"                                              msiexec.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"  msiexec.exe
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter                                                              msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"                                              msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter                  msiexec.exe
Modifies registry class (23 IoCs)
Processes: msiexec.exe
  description      ioc  process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage  msiexec.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft  msiexec.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter  msiexec.exe
Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoCs)
Enables rebooting of the machine without requiring login credentials.
Processes: LogonUI.exe
  description  ioc                                                                                process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked  LogonUI.exe
Modifies service (2 TTPs, 8 IoCs)
Processes: msiexec.exe
  description      ioc                                                                                              process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service\Start = "4"  msiexec.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WerSvc                                            msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WerSvc\Start = "4"                                msiexec.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PcaSvc                                            msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PcaSvc\Start = "4"                                msiexec.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent                                       msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent\Start = "4"                           msiexec.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service          msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
Processes: chthonic_2.23.17.1.vir.exe, msiexec.exe, 2MozillaMaintenanceService.exe
  pid   process
  380   chthonic_2.23.17.1.vir.exe
  2312  msiexec.exe
  3832  2MozillaMaintenanceService.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
  pid   process
  2312  msiexec.exe
  2312  msiexec.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: msiexec.exe
  description                 pid   process
  Token: SeShutdownPrivilege  2312  msiexec.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: msiexec.exe
  description      ioc  process
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"  msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\Run  msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\2MozillaMaintenanceService = "C:\\Users\\Admin\\AppData\\Roaming\\2MozillaMaintenanceService\\2MozillaMaintenanceService.exe"  msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"  msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"  msiexec.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"  msiexec.exe
Loads dropped DLL (4 IoCs)
Processes: chthonic_2.23.17.1.vir.exe, msiexec.exe, 2MozillaMaintenanceService.exe, msiexec.exe
  pid   process
  380   chthonic_2.23.17.1.vir.exe
  2312  msiexec.exe
  3832  2MozillaMaintenanceService.exe
  3868  msiexec.exe
Executes dropped EXE (1 IoCs)
Processes: 2MozillaMaintenanceService.exe
  pid   process
  3832  2MozillaMaintenanceService.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: LogonUI.exe
  pid   process
  3912  LogonUI.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
  description       ioc  process
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"  LogonUI.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
System policy modification (1 TTPs, 3 IoCs)
Processes: msiexec.exe
  description      ioc                                                                                          process
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer                msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"  msiexec.exe
Processes

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.1.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.1.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: GetForegroundWindowSpam
  - Loads dropped DLL

  C:\Windows\SysWOW64\msiexec.exe (depth 2)
    Command line: C:\Windows\system32\msiexec.exe
    - Suspicious use of WriteProcessMemory
    - Deletes itself
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Modifies service
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Adds Run key to start application
    - Loads dropped DLL
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\2MozillaMaintenanceService\2MozillaMaintenanceService.exe"
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\2MozillaMaintenanceService\2MozillaMaintenanceService.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\2MozillaMaintenanceService\2MozillaMaintenanceService.exe
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: GetForegroundWindowSpam
        - Loads dropped DLL
        - Executes dropped EXE

        C:\Windows\SysWOW64\msiexec.exe (depth 5)
          Command line: C:\Windows\system32\msiexec.exe
          - Loads dropped DLL

C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ac7055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Suspicious use of SetWindowsHookEx
  - Modifies data under HKEY_USERS
Network
Downloads
- C:\Users\Admin\AppData\Roaming\2MozillaMaintenanceService\2MozillaMaintenanceService.exe
- C:\Users\Admin\AppData\Roaming\2MozillaMaintenanceService\2MozillaMaintenanceService.exe
- \Users\Admin\AppData\Local\Temp\9A0.tmp
- \Users\Admin\AppData\Local\Temp\E62.tmp
- \Users\Admin\AppData\Local\Temp\F646.tmp
- \Users\Admin\AppData\Local\Temp\FCDE.tmp
- memory/2312-1-0x0000000000000000-mapping.dmp
- memory/3832-4-0x0000000000000000-mapping.dmp
- memory/3868-8-0x0000000000000000-mapping.dmp
- memory/4036-3-0x0000000000000000-mapping.dmp