Analysis
Max time kernel: 142s
Max time network: 63s
Platform: windows7_x64
Resource: win7v200430
Submitted: 19-07-2020 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: chthonic_2.1.2.0.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: chthonic_2.1.2.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: chthonic_2.1.2.0.vir.exe
Size: 140KB
MD5: 07d81914c4513c32be7e36ae0b6b4604
SHA1: f6856595de408ad73135ab0d1fe58cce73cd4300
SHA256: 06c893904f277dff0e318a0f775bc13322a11573eecc55237d4b55b968ca51ba
SHA512: e245e17150917a9dec8161808453579984db2705f49d662d6b0fecc9fc83de9602213caab84c08dca7585f62c589c9c3815908aee73294d532684298b092a106
Score: 10/10
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 240 chthonic_2.1.2.0.vir.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 240 set thread context of 1820: 240 chthonic_2.1.2.0.vir.exe -> chthonic_2.1.2.0.vir.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1820 chthonic_2.1.2.0.vir.exe
  - Token: SeBackupPrivilege, 1820 chthonic_2.1.2.0.vir.exe
  - Token: SeRestorePrivilege, 1820 chthonic_2.1.2.0.vir.exe
  - Token: SeDebugPrivilege, 1856 msiexec.exe
  - Token: SeBackupPrivilege, 1856 msiexec.exe
  - Token: SeRestorePrivilege, 1856 msiexec.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process):
  - 1856 msiexec.exe
- Blacklisted process makes network request (11 IoCs)
  Processes (flow, pid, process):
  - flows 3, 4, 5, 7, 8, 9, 12, 13, 14, 16, 17: 1856 msiexec.exe
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description, pid, process, target process):
  - PID 240 wrote to memory of 1820: 240 chthonic_2.1.2.0.vir.exe -> chthonic_2.1.2.0.vir.exe (9 occurrences)
  - PID 1820 wrote to memory of 1856: 1820 chthonic_2.1.2.0.vir.exe -> msiexec.exe (7 occurrences)
- System policy modification (1 TTP, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system (msiexec.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
- Drops file in Program Files directory (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\PROGRA~3\Media Center Programs\useMediaCenterPrograms.exe (msiexec.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  - 1820 chthonic_2.1.2.0.vir.exe (2 occurrences)
  - 1856 msiexec.exe (3 occurrences)
- Suspicious behavior: MapViewOfSection (23 IoCs)
  Processes (pid, process):
  - 1820 chthonic_2.1.2.0.vir.exe (2 occurrences)
  - 1856 msiexec.exe (remaining 21 occurrences)
- Disables taskbar notifications via registry modification
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (msiexec.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\3323605354 = "C:\\PROGRA~3\\Media Center Programs\\useMediaCenterPrograms.exe" (msiexec.exe)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.2.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.2.0.vir.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.2.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.1.2.0.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Depth 3: C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself
      - Blacklisted process makes network request
      - Checks whether UAC is enabled
      - System policy modification
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Adds policy Run key to start application