Analysis
- max time kernel: 131s
- max time network: 134s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:45
Static task: static1
Behavioral task: behavioral1
- Sample: chthonic_2.0.8.0.vir.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: chthonic_2.0.8.0.vir.exe
- Resource: win10
General
- Target: chthonic_2.0.8.0.vir.exe
- Size: 175KB
- MD5: ceb583f418c8f2bb06966b9a5458d704
- SHA1: 31bf98fbff22cb03604e2fc758575120f9915b2c
- SHA256: 5f33dc16c573abca537ffb79f9135cc5ad143f410cb38f3d4c9adc94aeaf38df
- SHA512: 41d1c03e8ee85adc9426bb4bf5af59c83cec7619f1b35c9b68011cae99b170646721d97c46eec649717ed3d860a1066b43bcb8485856cad69f776f0ae7f8cb27
Malware Config
Signatures
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process):
    3224  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process; one row per IoC):
    3852  chthonic_2.0.8.0.vir.exe  (4 rows)
    3224  msiexec.exe               (6 rows)
- Blacklisted process makes network request (8 IoCs)
  Processes (flow, pid, process):
    4   3224  msiexec.exe
    5   3224  msiexec.exe
    7   3224  msiexec.exe
    8   3224  msiexec.exe
    10  3224  msiexec.exe
    11  3224  msiexec.exe
    13  3224  msiexec.exe
    14  3224  msiexec.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs)
- System policy modification (1 TTP, 5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  msiexec.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "0"  msiexec.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "0"  msiexec.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system  msiexec.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 3852 wrote to memory of 3224  3852  chthonic_2.0.8.0.vir.exe  msiexec.exe  (3 identical rows)
- Suspicious behavior: MapViewOfSection (59 IoCs)
  Processes (pid, process; one row per IoC):
    3852  chthonic_2.0.8.0.vir.exe  (2 rows)
    3224  msiexec.exe               (remaining 57 rows)
- Drops file in Program Files directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\PROGRA~3\WriteRename.vsw\SyncWriteRename.vsw.exe  msiexec.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  msiexec.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1423277752 = "C:\\PROGRA~3\\WriteRename.vsw\\SyncWriteRename.vsw.exe"  msiexec.exe
- Checks whether UAC is enabled (2 IoCs)
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msiexec.exe
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege    3852  chthonic_2.0.8.0.vir.exe
    Token: SeBackupPrivilege   3852  chthonic_2.0.8.0.vir.exe
    Token: SeRestorePrivilege  3852  chthonic_2.0.8.0.vir.exe
    Token: SeDebugPrivilege    3224  msiexec.exe
    Token: SeBackupPrivilege   3224  msiexec.exe
    Token: SeRestorePrivilege  3224  msiexec.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE  chthonic_2.0.8.0.vir.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE  msiexec.exe
- Disables taskbar notifications via registry modification
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.0.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.0.8.0.vir.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Identifies Wine through registry keys
  - C:\Windows\SysWOW64\msiexec.exe (depth 2)
    Command line: C:\Windows\system32\msiexec.exe
    - Suspicious behavior: RenamesItself
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - System policy modification
    - Suspicious behavior: MapViewOfSection
    - Drops file in Program Files directory
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Identifies Wine through registry keys