Analysis Overview
SHA256: b8f765e5e9932ebe8820755b8d75eb00eb6b097316d98cd38bf9224fbf7fb82d
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.Kronos.21.31435.19434 was found to be: Known bad.
Malicious Activity Summary
Osiris
Nirsoft
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Uses Tor communications
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK: Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-03-17 09:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-03-17 09:32
Reported: 2021-03-17 09:34
Platform: win7v20201028
Max time kernel: 151s
Max time network: 105s
Signatures
Osiris
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\1084477194.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\1084477194.exe
"1084477194.exe"
C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe
C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe /sjson C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\book.json
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.140.41:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
Files
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\1084477194.exe
\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2021-03-17 09:32
Reported: 2021-03-17 09:34
Platform: win10v20201028
Max time kernel: 150s
Max time network: 101s
Signatures
Osiris
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1054361754.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1054361754.exe
"1054361754.exe"
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe /sjson C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\book.json
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.214.197:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1054361754.exe
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe