Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:32

Static task: static1

Behavioral task: behavioral1
- Sample: chthonic_2.23.0.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: chthonic_2.23.0.0.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: chthonic_2.23.0.0.vir.exe
- Size: 134KB
- MD5: 74c2e99266737e7321f9572f93263a17
- SHA1: 4bcde2c2213a52394714316281ed8631af1c8cbc
- SHA256: 1cd004a6d75bc1ebf7d92ddd6af583caad44dd750906e4797460e7e615e777a7
- SHA512: 2336129b6c722e1f781930b4b1adabe44f1c58269f3ecaa27b0536d166f8488ed5223d2d8fe30eecbe8903a13a7870ade2dc61e521474d06ebfb5770e0836d23
- Score: 10/10
Malware Config
Signatures
- Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1636 set thread context of 3712 | 1636 | chthonic_2.23.0.0.vir.exe | chthonic_2.23.0.0.vir.exe

- Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1636 | chthonic_2.23.0.0.vir.exe
- Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 1636 wrote to memory of 3712 | 1636 | chthonic_2.23.0.0.vir.exe | chthonic_2.23.0.0.vir.exe (7 identical entries)
PID 3712 wrote to memory of 1788 | 3712 | chthonic_2.23.0.0.vir.exe | msiexec.exe (4 identical entries)
- Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid | process
1788 | msiexec.exe (26 identical entries)
- Disables taskbar notifications via registry modification

- Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter | msiexec.exe
- System policy modification 1 TTPs 5 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | msiexec.exe
- Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ReferenceAssembliesc = "C:\\ProgramData\\Reference Assemblies\\ReferenceAssembliesc.exe" | msiexec.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.0.0.vir.exe (PID 1636)
   Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.0.0.vir.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.0.0.vir.exe (PID 3712, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.0.0.vir.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe (PID 1788, child of 2)
         Command line: msiexec.exe
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Modifies Internet Explorer settings
         - System policy modification
         - Adds policy Run key to start application