Analysis
  max time kernel: 145s
  max time network: 127s
  platform: windows7_x64
  resource: win7v200430
  submitted: 19-07-2020 19:28

Static task: static1

Behavioral task: behavioral1
  Sample: chthonic_2.4.3.0.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: chthonic_2.4.3.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: chthonic_2.4.3.0.vir.exe
  Size: 220KB
  MD5: 334a321d1771607ef73d2a1eb2216a77
  SHA1: 93efa0670ef341c0e51a9b146410f69a9199e69d
  SHA256: 910bd288e7777b7d3df9b81e3e7527b73a3c5383c5d2aa5789e8a1ca90cc287e
  SHA512: 1adc52334915b2b246d6d309216080d82175a24ef624b134f5e779f71b9344815d7805f177a35d42de76128539f8f77bfc2bc6deb33d50439cf073decb8e8093
  Score: 10/10
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description     | ioc | process
    Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\StartWindowsPowerShell = "C:\\ProgramData\\WindowsPowerShell\\StartWindowsPowerShell.exe" | msiexec.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid  | process
    240  | chthonic_2.4.3.0.vir.exe
    1036 | setap.exe

Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    1036 | setap.exe
    1800 | setap.exe
Disables taskbar notifications via registry modification

Modifies Internet Explorer settings
  Processes:
    description     | ioc | process
    Key created     | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
    Key created     | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe

Checks whether UAC is enabled
  Processes:
    description       | ioc | process
    Set value (int)   | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: the 33 events are repeats of the same four source -> target writes
    description                      | pid  | process                  | target process
    PID 240 wrote to memory of 540   | 240  | chthonic_2.4.3.0.vir.exe | chthonic_2.4.3.0.vir.exe
    PID 540 wrote to memory of 1036  | 540  | chthonic_2.4.3.0.vir.exe | setap.exe
    PID 1036 wrote to memory of 1800 | 1036 | setap.exe                | setap.exe
    PID 1800 wrote to memory of 1216 | 1800 | setap.exe                | msiexec.exe
Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                         | pid  | process                  | target process
    PID 240 set thread context of 540   | 240  | chthonic_2.4.3.0.vir.exe | chthonic_2.4.3.0.vir.exe
    PID 1036 set thread context of 1800 | 1036 | setap.exe                | setap.exe
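The WriteProcessMemory and SetThreadContext rows above, reduced to one event per distinct source/target pair and turned into a labelled injection chain. This is an added example written for this page, not code from the Triage report or from the sample. The labels are the editor's interpretation: WriteProcessMemory plus SetThreadContext on a freshly spawned copy of the same image is the usual process-hollowing pattern, but the report does not record the CreateProcess or ResumeThread calls, so the code says "candidate" rather than asserting it; an edge with only memory writes (setap.exe into msiexec.exe) is labelled write-only because the report does not show how execution was started there.

```python
import re
from collections import defaultdict

# Event rows taken from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables. The report repeats each
# WriteProcessMemory row several times; one copy per distinct event is enough here.
REPORT_EVENTS = [
    "PID 240 wrote to memory of 540 240 chthonic_2.4.3.0.vir.exe chthonic_2.4.3.0.vir.exe",
    "PID 540 wrote to memory of 1036 540 chthonic_2.4.3.0.vir.exe setap.exe",
    "PID 1036 wrote to memory of 1800 1036 setap.exe setap.exe",
    "PID 1800 wrote to memory of 1216 1800 setap.exe msiexec.exe",
    "PID 240 set thread context of 540 240 chthonic_2.4.3.0.vir.exe chthonic_2.4.3.0.vir.exe",
    "PID 1036 set thread context of 1800 1036 setap.exe setap.exe",
]

# Row layout in the report: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$"
)


def parse_events(lines):
    """Return (api, src_pid, src_image, dst_pid, dst_image) tuples; skip rows that do not parse."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, verb, dst, src_img, dst_img = m.groups()
        api = "WriteProcessMemory" if verb.startswith("wrote") else "SetThreadContext"
        events.append((api, int(src), src_img, int(dst), dst_img))
    return events


def classify_pairs(events):
    """
    Label each (src_pid, dst_pid) edge by the API mix observed on it.
    Both APIs on one edge: consistent with process hollowing (candidate only,
    since CreateProcess/ResumeThread are not in the report). Writes alone:
    injection whose thread-start method the report did not capture.
    """
    apis = defaultdict(set)
    images = {}
    for api, src, src_img, dst, dst_img in events:
        apis[(src, dst)].add(api)
        images[(src, dst)] = (src_img, dst_img)
    verdicts = {}
    for edge, seen in apis.items():
        src_img, dst_img = images[edge]
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            label = "hollowing-candidate"
            if src_img == dst_img:
                label += "/self-image"  # parent wrote into a copy of its own image
        elif "WriteProcessMemory" in seen:
            label = "write-only"
        else:
            label = "context-only"
        verdicts[edge] = (src_img, dst_img, label)
    return verdicts


def injection_chain(events, root_pid):
    """Follow WriteProcessMemory edges from root_pid to the last process written to."""
    writes = defaultdict(list)
    for api, src, _, dst, _ in events:
        if api == "WriteProcessMemory":
            writes[src].append(dst)
    chain, cur, seen = [root_pid], root_pid, {root_pid}
    while writes.get(cur):
        nxt = writes[cur][0]  # this sample has exactly one target per writer
        if nxt in seen:       # guard against a cyclic edge list
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def final_host(events, root_pid):
    """Image name of the last process in the chain, i.e. where the payload ends up running."""
    last = injection_chain(events, root_pid)[-1]
    for _, _, _, dst, dst_img in events:
        if dst == last:
            return dst_img
    for _, src, src_img, _, _ in events:  # root with no incoming write
        if src == last:
            return src_img
    return None


if __name__ == "__main__":
    evs = parse_events(REPORT_EVENTS)
    print("chain:", " -> ".join(str(p) for p in injection_chain(evs, 240)))
    for (s, d), (si, di, label) in sorted(classify_pairs(evs).items()):
        print(f"{s} ({si}) -> {d} ({di}): {label}")
    print("final host:", final_host(evs, 240))
```

For this report the chain resolves to 240 -> 540 -> 1036 -> 1800 -> 1216 and the final host is msiexec.exe, which is also the process every registry change in the Signatures section is attributed to. A detection keyed on image name alone sees only a Microsoft binary under SysWOW64; the useful signals are the cross-process write into it and its parent, setap.exe running from %TEMP%.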
Loads dropped DLL (2 IoCs)
  Processes:
    pid  | process
    540  | chthonic_2.4.3.0.vir.exe
    1036 | setap.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid  | process
    1216 | msiexec.exe (13 events)
System policy modification (1 TTPs, 5 IoCs)
  Processes:
    description     | ioc | process
    Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
    Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
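The registry IoCs from the signature tables above, parsed into hive/key/value records and scored against a small rule set that says what each write does to the host, with reg.exe queries to check the same locations on a live machine. This is an added example written for this page, not part of the Triage report or of the sample; the rule set and the meanings attached to each value are the editor's, and the SID and paths are the ones the report records.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the report's signature tables (all attributed to msiexec.exe,
# PID 1216). "Key created" and "Key value queried" rows are included to show
# that the parser ignores everything except value writes.
REPORT_IOCS = [
    r'Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\StartWindowsPowerShell = "C:\\ProgramData\\WindowsPowerShell\\StartWindowsPowerShell.exe"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"',
]


@dataclass(frozen=True)
class RegWrite:
    hive: str   # "HKLM" or "HKU\<SID>"
    key: str    # subkey path under the hive, case preserved
    name: str   # value name
    kind: str   # type as the sandbox reports it (str, int)
    data: str   # data with the surrounding quotes removed


# Matches the sandbox's 'Set value (<type>) \REGISTRY\<hive>\<key>\<name> = "<data>"' rows.
SET_VALUE_RE = re.compile(
    r'^Set value \((\w+)\) \\REGISTRY\\(MACHINE|USER\\[^\\]+)\\(.+)\\([^\\]+) = "(.*)"$'
)


def parse_set_value(line: str) -> Optional[RegWrite]:
    """Parse one value-write row; return None for key creation, queries and other rows."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    kind, hive_part, key, name, data = m.groups()
    hive = "HKLM" if hive_part == "MACHINE" else "HKU\\" + hive_part.split("\\", 1)[1]
    return RegWrite(hive, key, name, kind, data)


# (key suffix, value name or None for any name, predicate on data, what the write does)
RULES = [
    ("policies\\explorer\\run", None, lambda d: True,
     "autorun via the Group Policy Run location, separate from the usual Run key"),
    ("internet explorer\\phishingfilter", "enabledv8", lambda d: d == "0",
     "IE SmartScreen/phishing filter disabled"),
    ("internet explorer\\phishingfilter", "enabledv9", lambda d: d == "0",
     "IE SmartScreen/phishing filter disabled"),
    ("policies\\system", "enablelua", lambda d: d == "0",
     "UAC disabled (EnableLUA=0 takes effect after a reboot)"),
    ("policies\\explorer", "taskbarnonotification", lambda d: d == "1",
     "taskbar balloon notifications suppressed"),
    ("policies\\explorer", "hidescahealth", lambda d: d == "1",
     "Security Center health icon hidden"),
]


def triage(lines):
    """Return (hive, key\\name, meaning) for every value write that matches a rule."""
    findings = []
    for line in lines:
        w = parse_set_value(line)
        if w is None:
            continue
        for key_suffix, name, pred, meaning in RULES:
            if (w.key.lower().endswith(key_suffix)
                    and (name is None or w.name.lower() == name)
                    and pred(w.data)):
                findings.append((w.hive, w.key + "\\" + w.name, meaning))
    return findings


def hunt_commands(findings):
    """reg.exe queries that read back the same values on a live host."""
    cmds = []
    for hive, path, _ in findings:
        key, name = path.rsplit("\\", 1)
        cmds.append(f'reg query "{hive}\\{key}" /v {name}')
    return cmds


if __name__ == "__main__":
    for hive, path, meaning in triage(REPORT_IOCS):
        print(f"{hive}\\{path}: {meaning}")
    print("\n".join(hunt_commands(triage(REPORT_IOCS))))
```

Two caveats when reusing the output: the HKU\S-1-5-21-... path is the sandbox user's SID, so on a real host enumerate the subkeys of HKU instead of copying it, and the Run value's data (C:\ProgramData\WindowsPowerShell\StartWindowsPowerShell.exe) is a path to check for existence and hash, not just a string to grep for.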
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe (PID 240)
      command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
    [2] C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe (PID 540, child of [1])
        command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe"
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL
      [3] C:\Users\Admin\AppData\Local\Temp\setap.exe (PID 1036, child of [2])
          command line: C:\Users\Admin\AppData\Local\Temp\setap.exe
          - Suspicious use of SetWindowsHookEx
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          - Suspicious use of SetThreadContext
          - Loads dropped DLL
        [4] C:\Users\Admin\AppData\Local\Temp\setap.exe (PID 1800, child of [3])
            command line: C:\Users\Admin\AppData\Local\Temp\setap.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\SysWOW64\msiexec.exe (PID 1216, child of [4])
              command line: msiexec.exe
              - Adds policy Run key to start application
              - Modifies Internet Explorer settings
              - Checks whether UAC is enabled
              - Suspicious behavior: EnumeratesProcesses
              - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  Files:
    C:\Users\Admin\AppData\Local\Temp\setap.exe
    C:\Users\Admin\AppData\Local\Temp\setap.exe
    C:\Users\Admin\AppData\Local\Temp\setap.exe
    \Users\Admin\AppData\Local\Temp\setap.exe
    \Users\Admin\AppData\Local\Temp\setap.exe
  Memory dumps:
    memory/540-4-0x0000000000402F6D-mapping.dmp
    memory/540-2-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
    memory/540-5-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
    memory/540-3-0x0000000000402F6D-mapping.dmp
    memory/1036-7-0x0000000000000000-mapping.dmp
    memory/1216-17-0x0000000000000000-mapping.dmp
    memory/1800-13-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
    memory/1800-14-0x0000000000401D8E-mapping.dmp
    memory/1800-15-0x0000000000401D8E-mapping.dmp