Analysis
  Max time kernel: 67s
  Max time network: 110s
  Platform: windows10_x64
  Resource: win10
  Submitted: 19-07-2020 19:23
Static task: static1
Behavioral task: behavioral1
  Sample: chthonic_2.0.1.0.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: chthonic_2.0.1.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: chthonic_2.0.1.0.vir.exe
  Size: 133KB
  MD5: 148563b1ca625bbdbb60673db2edb74a
  SHA1: 8670b4ed16f2d92323f76a403657263b22a1a542
  SHA256: cbe916ed6f941dc6e106ef625b972727927cf152e7c94498fc4bbb533ffc30cd
  SHA512: 8b26fed52f05e4d6780ba20ed19a5501b36d178fb3747264df07b5318142ca96ec6921e4bc985efd0d16a7fdb5869b9259af24fee24283e1d35acc14c29f4e36
  Score: 10/10
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege   | 1536 | chthonic_2.0.1.0.vir.exe
    Token: SeBackupPrivilege  | 1536 | chthonic_2.0.1.0.vir.exe
    Token: SeRestorePrivilege | 1536 | chthonic_2.0.1.0.vir.exe
    Token: SeDebugPrivilege   | 3048 | msiexec.exe
    Token: SeBackupPrivilege  | 3048 | msiexec.exe
    Token: SeRestorePrivilege | 3048 | msiexec.exe
Suspicious behavior: MapViewOfSection (59 IoCs)
  Processes (pid | process):
    1536 | chthonic_2.0.1.0.vir.exe (2 entries)
    3048 | msiexec.exe (remaining 57 entries)
Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
    3048 | msiexec.exe
System policy modification (1 TTP, 5 IoCs)
  Processes (description | ioc | process):
    Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0" | msiexec.exe
    Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Disables taskbar notifications via registry modification
Modifies visibility of hidden/system files in Explorer (2 TTPs)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1721380307 = "C:\\PROGRA~3\\msbwh.exe" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid | process):
    1536 | chthonic_2.0.1.0.vir.exe (2 entries)
    3048 | msiexec.exe (4 entries)
Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
    Set value (int)   | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Drops file in Program Files directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\PROGRA~3\msbwh.exe | msiexec.exe
Blacklisted process makes network request (8 IoCs)
  Processes (flow | pid | process):
    3  | 3048 | msiexec.exe
    4  | 3048 | msiexec.exe
    6  | 3048 | msiexec.exe
    7  | 3048 | msiexec.exe
    9  | 3048 | msiexec.exe
    10 | 3048 | msiexec.exe
    12 | 3048 | msiexec.exe
    13 | 3048 | msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1536 wrote to memory of 3048 | 1536 | chthonic_2.0.1.0.vir.exe | msiexec.exe
    PID 1536 wrote to memory of 3048 | 1536 | chthonic_2.0.1.0.vir.exe | msiexec.exe
    PID 1536 wrote to memory of 3048 | 1536 | chthonic_2.0.1.0.vir.exe | msiexec.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.1.0.vir.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.1.0.vir.exe"
     Signatures:
       Suspicious use of AdjustPrivilegeToken
       Suspicious behavior: MapViewOfSection
       Suspicious behavior: EnumeratesProcesses
       Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\msiexec.exe (child of 1)
        Command line: C:\Windows\system32\msiexec.exe
        Signatures:
          Suspicious use of AdjustPrivilegeToken
          Suspicious behavior: MapViewOfSection
          Suspicious behavior: RenamesItself
          System policy modification
          Adds policy Run key to start application
          Suspicious behavior: EnumeratesProcesses
          Checks whether UAC is enabled
          Drops file in Program Files directory
          Blacklisted process makes network request