Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:13
Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.12.1.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.12.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.12.1.vir.exe
- Size: 188KB
- MD5: fef16df968936d5d5a0c9972aba5ff23
- SHA1: 52caaf61150ce8ea9a2fd7a20bd0e233936a0563
- SHA256: 4480bcbacb98c86980a5d9bd9f62ccc286e2e0e3bf5696991b37720648dcb186
- SHA512: f51b9e2405398c6d3f20dfac542b4b3f9679f31f028339fb59fae64a20b2ae17f9024c8d764dec7e0bc83e5bfbfdce90a5d8ce75775eb8f7e7bac1640f74941e
- Score: 10/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                    | pid | process                    | target process
  PID 748 wrote to memory of 588 | 748 | chthonic_2.23.12.1.vir.exe | msiexec.exe
  PID 748 wrote to memory of 588 | 748 | chthonic_2.23.12.1.vir.exe | msiexec.exe
  PID 748 wrote to memory of 588 | 748 | chthonic_2.23.12.1.vir.exe | msiexec.exe
  PID 748 wrote to memory of 588 | 748 | chthonic_2.23.12.1.vir.exe | msiexec.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rWindowsPhotoViewer = "C:\\ProgramData\\Windows Photo Viewer\\rWindowsPhotoViewer.exe" | msiexec.exe

Disables taskbar notifications via registry modification
Processes:
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
  Key created     | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  588 | msiexec.exe
  588 | msiexec.exe
  588 | msiexec.exe
  588 | msiexec.exe
  588 | msiexec.exe
  588 | msiexec.exe
  588 | msiexec.exe
  588 | msiexec.exe

Blacklisted process makes network request (21 IoCs)
Processes:
  flow | pid | process
  4    | 588 | msiexec.exe
  5    | 588 | msiexec.exe
  6    | 588 | msiexec.exe
  7    | 588 | msiexec.exe
  8    | 588 | msiexec.exe
  9    | 588 | msiexec.exe
  10   | 588 | msiexec.exe
  12   | 588 | msiexec.exe
  13   | 588 | msiexec.exe
  18   | 588 | msiexec.exe
  19   | 588 | msiexec.exe
  20   | 588 | msiexec.exe
  21   | 588 | msiexec.exe
  22   | 588 | msiexec.exe
  23   | 588 | msiexec.exe
  24   | 588 | msiexec.exe
  25   | 588 | msiexec.exe
  26   | 588 | msiexec.exe
  27   | 588 | msiexec.exe
  28   | 588 | msiexec.exe
  29   | 588 | msiexec.exe

System policy modification (1 TTP, 5 IoCs)
Processes:
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
  Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
  Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe

Processes:
  description       | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
  Set value (int)   | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.1.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.1.vir.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec.exe
    - Adds policy Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - System policy modification
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/588-0-0x0000000000000000-mapping.dmp