Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:28
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.4.3.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: chthonic_2.4.3.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.4.3.0.vir.exe
- Size: 220KB
- MD5: 334a321d1771607ef73d2a1eb2216a77
- SHA1: 93efa0670ef341c0e51a9b146410f69a9199e69d
- SHA256: 910bd288e7777b7d3df9b81e3e7527b73a3c5383c5d2aa5789e8a1ca90cc287e
- SHA512: 1adc52334915b2b246d6d309216080d82175a24ef624b134f5e779f71b9344815d7805f177a35d42de76128539f8f77bfc2bc6deb33d50439cf073decb8e8093
- Score: 10/10
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 3792 setap.exe
  - 3912 setap.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid, process):
  - 1908 msiexec.exe (26 occurrences)
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\AgentWindowsPhotoViewer = "C:\\ProgramData\\Windows Photo Viewer\\AgentWindowsPhotoViewer.exe" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run (msiexec.exe)
- Disables taskbar notifications via registry modification
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 3588 chthonic_2.4.3.0.vir.exe
  - 3792 setap.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description, pid, process, target process):
  - PID 3588 wrote to memory of 4068: chthonic_2.4.3.0.vir.exe -> chthonic_2.4.3.0.vir.exe (11 occurrences)
  - PID 4068 wrote to memory of 3792: chthonic_2.4.3.0.vir.exe -> setap.exe (3 occurrences)
  - PID 3792 wrote to memory of 3912: setap.exe -> setap.exe (8 occurrences)
  - PID 3912 wrote to memory of 1908: setap.exe -> msiexec.exe (4 occurrences)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 3588 set thread context of 4068: chthonic_2.4.3.0.vir.exe -> chthonic_2.4.3.0.vir.exe
  - PID 3792 set thread context of 3912: setap.exe -> setap.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (msiexec.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (msiexec.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter (msiexec.exe)
- System policy modification (1 TTPs, 5 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (msiexec.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.4.3.0.vir.exe"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\setap.exe
      command line: C:\Users\Admin\AppData\Local\Temp\setap.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - (depth 4) C:\Users\Admin\AppData\Local\Temp\setap.exe
        command line: C:\Users\Admin\AppData\Local\Temp\setap.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\msiexec.exe
          command line: msiexec.exe
          - Suspicious behavior: EnumeratesProcesses
          - Adds policy Run key to start application
          - Modifies Internet Explorer settings
          - System policy modification
          - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\setap.exe (listed 3 times)
- memory/1908-15-0x0000000000000000-mapping.dmp
- memory/3792-6-0x0000000000000000-mapping.dmp
- memory/3912-11-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/3912-12-0x0000000000401D8E-mapping.dmp
- memory/3912-13-0x0000000000401D8E-mapping.dmp
- memory/4068-2-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
- memory/4068-3-0x0000000000402F6D-mapping.dmp
- memory/4068-4-0x0000000000402F6D-mapping.dmp
- memory/4068-5-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)