Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:20

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.12.4.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.12.4.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: chthonic_2.23.12.4.vir.exe
- Size: 212KB
- MD5: 7b3584c15a1c394b2e77da5cf6888c8a
- SHA1: a6874460fd44a3140afb6802f60de5df93cb038e
- SHA256: b5360ecfb9f6acf73785533948430720c2bd3364df73b9e2405c12e9c1433af6
- SHA512: 1a84c7ae03d94fa13179d71cb04d405c42f57c2da4b481c826ea092a50ce79958b71e997693761df49aa3c51bb2e0a14ebb0d2d8bbda2fc3c0a1ab0232d2abdb
- Score: 10/10
Malware Config
Signatures
-
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Process: msiexec.exe (PID 3028), 8 occurrences
- Blacklisted process makes network request (21 IoCs)
  Process: msiexec.exe (PID 3028)
  Network flows: 5, 6, 7, 8, 9, 10, 11, 12, 13, 18, 19, 20, 21, 22, 24, 25, 26, 29, 31, 32, 33
- System policy modification (1 TTPs, 5 IoCs)
  Process: msiexec.exe
    Key created:     \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
    Key created:     \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
  Note: EnableLUA = 0 turns UAC off (effective after the next reboot); TaskbarNoNotification = 1 suppresses taskbar balloon notifications and HideSCAHealth = 1 hides the Security Center health icon, so the user is not warned when UAC goes away.
- Checks whether UAC is enabled
  Process: msiexec.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    Set value (int):   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Disables taskbar notifications via registry modification
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: chthonic_2.23.12.4.vir.exe (PID 3588) wrote to the memory of msiexec.exe (PID 3028), 4 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: chthonic_2.23.12.4.vir.exe (PID 3588)
- Modifies Internet Explorer settings
  Process: msiexec.exe
    Key created:     \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter
    Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
    Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
    Key created:     \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"
  Note: EnabledV8/EnabledV9 = 0 switches off the IE SmartScreen (phishing) filter, both for the current user and machine-wide, which is typical for a banking trojan that injects into browser sessions.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Process: msiexec.exe
    Key created:     \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\InternetExplorerB = "C:\ProgramData\Internet Explorer\InternetExplorerB.exe"
  Note: Policies\Explorer\Run is processed at logon like the ordinary Run key but is rarely populated by legitimate software, so any entry there is worth reviewing.
Processes
- C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.4.vir.exe (PID 3588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.12.4.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: GetForegroundWindowSpam
  - C:\Windows\SysWOW64\msiexec.exe (PID 3028, child of 3588)
    Command line: msiexec.exe
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - System policy modification
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    - Adds policy Run key to start application

The sample starts a 32-bit msiexec.exe with no arguments and writes into its memory; every network request and registry change is then made by that msiexec.exe process, which is consistent with code injection into a freshly created, trusted-looking host process.
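Added example (not part of the Triage report): a host triage script that checks a live Windows machine for the registry, file and process indicators listed in the signatures and process tree above. The registry paths, value names and the dropped-file path are taken from the report; the script logic, the list of "expected" msiexec.exe parents and the `$findings` output shape are assumptions of this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example: verify the Chthonic indicators from this report on a live host.
# Paths/values come from the report's signatures; everything else is an assumption.

$indicators = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='EnableLUA';             Bad=0; Meaning='UAC disabled' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='TaskbarNoNotification'; Bad=1; Meaning='taskbar notifications hidden' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='HideSCAHealth';         Bad=1; Meaning='Security Center icon hidden' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter';         Name='EnabledV8';             Bad=0; Meaning='IE SmartScreen (v8) off, machine-wide' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter';         Name='EnabledV9';             Bad=0; Meaning='IE SmartScreen (v9+) off, machine-wide' },
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter';         Name='EnabledV8';             Bad=0; Meaning='IE SmartScreen (v8) off, current user' },
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter';         Name='EnabledV9';             Bad=0; Meaning='IE SmartScreen (v9+) off, current user' }
)

$findings = @()

# 1. Policy / SmartScreen values the injected msiexec.exe sets.
foreach ($i in $indicators) {
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($i.Name) -eq $i.Bad) {
        $findings += [pscustomobject]@{ Where=$i.Path; Name=$i.Name; Value=$item.($i.Name); Meaning=$i.Meaning }
    }
}

# 2. Policy Run key. The report shows InternetExplorerB pointing into C:\ProgramData\Internet Explorer\;
#    legitimate software almost never writes here, so every entry is reported, not just that name.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata (PSPath, PSParentPath, ...)
        $findings += [pscustomobject]@{ Where=$runKey; Name=$p.Name; Value=$p.Value; Meaning='policy Run entry (persistence)' }
    }
}

# 3. Dropped payload named by the Run entry in the report; hash it for cross-checking.
$dropped = 'C:\ProgramData\Internet Explorer\InternetExplorerB.exe'
if (Test-Path $dropped) {
    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $dropped).Hash
    $findings += [pscustomobject]@{ Where=$dropped; Name='SHA256'; Value=$sha256; Meaning='dropped payload present' }
}

# 4. msiexec.exe with an unexpected parent. In the report the sample itself spawns msiexec.exe and
#    writes into it; the "expected" parent list below is an assumption for a typical workstation.
$expectedParents = @('msiexec.exe', 'services.exe', 'explorer.exe')
Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    if ($parent -and ($parent.Name -notin $expectedParents)) {
        $findings += [pscustomobject]@{ Where="PID $($_.ProcessId)"; Name='msiexec.exe parent'; Value=$parent.Name; Meaning='unexpected parent for msiexec.exe' }
    }
}

if ($findings.Count -eq 0) { 'No Chthonic registry/file/process indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Two caveats: EnableLUA = 0 only takes effect after a reboot, so a host that has not restarted since infection still shows UAC prompts while already carrying the setting; and a parentless or already-exited msiexec.exe will not be caught by step 4, so pair this with process-creation telemetry (Sysmon event ID 1 or 4688 with command-line logging) rather than relying on a point-in-time check.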
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
- memory/3028-0-0x0000000000000000-mapping.dmp (memory dump of msiexec.exe, PID 3028)