5f33dc16c573abca537ffb79f9135cc5ad143f410cb38f3d4c9adc94aeaf38df

General

Target

chthonic_2.0.8.0.vir.exe
Size

175KB
MD5

ceb583f418c8f2bb06966b9a5458d704
SHA1

31bf98fbff22cb03604e2fc758575120f9915b2c
SHA256

5f33dc16c573abca537ffb79f9135cc5ad143f410cb38f3d4c9adc94aeaf38df
SHA512

41d1c03e8ee85adc9426bb4bf5af59c83cec7619f1b35c9b68011cae99b170646721d97c46eec649717ed3d860a1066b43bcb8485856cad69f776f0ae7f8cb27

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Suspicious behavior: RenamesItself 1 IoCs

Processes:

msiexec.exe

pid process

3224 msiexec.exe

pid	process
3224	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chthonic_2.0.8.0.vir.exemsiexec.exe

pid	process
3852	chthonic_2.0.8.0.vir.exe
3852	chthonic_2.0.8.0.vir.exe
3852	chthonic_2.0.8.0.vir.exe
3852	chthonic_2.0.8.0.vir.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe

Blacklisted process makes network request 8 IoCs

Processes:

msiexec.exe

flow pid process

4 3224 msiexec.exe
5 3224 msiexec.exe
7 3224 msiexec.exe
8 3224 msiexec.exe
10 3224 msiexec.exe
11 3224 msiexec.exe
13 3224 msiexec.exe
14 3224 msiexec.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

flow	pid	process
4	3224	msiexec.exe
5	3224	msiexec.exe
7	3224	msiexec.exe
8	3224	msiexec.exe
10	3224	msiexec.exe
11	3224	msiexec.exe
13	3224	msiexec.exe
14	3224	msiexec.exe

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

chthonic_2.0.8.0.vir.exe

description	pid	process	target process
PID 3852 wrote to memory of 3224	3852	chthonic_2.0.8.0.vir.exe	msiexec.exe
PID 3852 wrote to memory of 3224	3852	chthonic_2.0.8.0.vir.exe	msiexec.exe
PID 3852 wrote to memory of 3224	3852	chthonic_2.0.8.0.vir.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 59 IoCs

Processes:

chthonic_2.0.8.0.vir.exemsiexec.exe

pid	process
3852	chthonic_2.0.8.0.vir.exe
3852	chthonic_2.0.8.0.vir.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\PROGRA~3\WriteRename.vsw\SyncWriteRename.vsw.exe msiexec.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\WriteRename.vsw\SyncWriteRename.vsw.exe	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1423277752 = "C:\\PROGRA~3\\WriteRename.vsw\\SyncWriteRename.vsw.exe"	msiexec.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

chthonic_2.0.8.0.vir.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3852	chthonic_2.0.8.0.vir.exe
Token: SeBackupPrivilege	3852	chthonic_2.0.8.0.vir.exe
Token: SeRestorePrivilege	3852	chthonic_2.0.8.0.vir.exe
Token: SeDebugPrivilege	3224	msiexec.exe
Token: SeBackupPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chthonic_2.0.8.0.vir.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	chthonic_2.0.8.0.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	msiexec.exe

Disables taskbar notifications via registry modification
evasion

C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.0.vir.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Identifies Wine through registry keys
PID:3852

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe
2⤵
- Suspicious behavior: RenamesItself
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- System policy modification
- Suspicious behavior: MapViewOfSection
- Drops file in Program Files directory
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Identifies Wine through registry keys
PID:3224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

4

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3224-0-0x0000000000000000-mapping.dmp

Download
memory/3224-1-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/3224-2-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads