Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-en-20211104
submitted: 08-11-2021 05:55
Behavioral task behavioral1
  Sample: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe
  Resource: win7-en-20211104
Behavioral task behavioral2
  Sample: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe
  Resource: win10-en-20211014
General
Target: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe
Size: 32KB
MD5: 01285e4a7c3a833728dd600fa8f33d93
SHA1: 4636ab9028287ddfe799dc6465d7b2666f6d6f47
SHA256: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d
SHA512: e86e740378282fc577c7f9a50c7ba70647924f42471f5a016a16cb3395c1777b3f6be04f99995c5ab16dff808dc52f46005869497b98be8e6f3dc85dd15dae0b
Malware Config
Extracted
Family: njrat
좀비 (Korean, "zombie")
6506cdba2a23ee6c81479f21c5d918fd
reg_key: 6506cdba2a23ee6c81479f21c5d918fd
The reg_key value is the same 32-hex identifier that names the Run key entries and the Startup-folder copy in the Signatures section below, which is how the persistence artifacts can be tied back to this configuration.
Signatures

Executes dropped EXE (1 IoC)
  PID 1472  CRONOS.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
  Process CRONOS.exe:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6506cdba2a23ee6c81479f21c5d918fd.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6506cdba2a23ee6c81479f21c5d918fd.exe

Loads dropped DLL (1 IoC)
  PID 1168  9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process CRONOS.exe:
    Set value (str) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\6506cdba2a23ee6c81479f21c5d918fd = "\"C:\\Users\\Admin\\AppData\\Roaming\\CRONOS.exe\" .."
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6506cdba2a23ee6c81479f21c5d918fd = "\"C:\\Users\\Admin\\AppData\\Roaming\\CRONOS.exe\" .."
  Both values are named after the reg_key from the extracted config and point at the %APPDATA%\Roaming copy with a trailing " .." argument. The machine-wide entry lands under Wow6432Node, which, together with netsh being started from SysWOW64 in the process tree below, is consistent with a 32-bit process subject to WOW64 registry and file redirection.
Enumerates physical storage devices (1 TTP)
  Sandbox description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the generic text attached to the signature, not a finding specific to this sample. The extracted configuration above identifies the sample as njRAT, a remote-access trojan, and nothing else in this report shows file encryption.
Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Process CRONOS.exe (PID 1472):
    Token: SeDebugPrivilege
    Token: 33 (privilege LUID as reported by the sandbox, not resolved to a name) and Token: SeIncBasePriorityPrivilege, alternating, 15 times each (30 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1168 (9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe) wrote to memory of PID 1472 (CRONOS.exe), 4 times
  PID 1472 (CRONOS.exe) wrote to memory of PID 608 (netsh.exe), 4 times
  Both writers are the direct parent of the target (the same parent/child pairs appear in the process tree below), so these entries reflect process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe"
   PID: 1168
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\CRONOS.exe (child of PID 1168)
      Command line: "C:\Users\Admin\AppData\Roaming\CRONOS.exe"
      PID: 1472
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of PID 1472)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\CRONOS.exe" "CRONOS.exe" ENABLE
         PID: 608

The netsh call uses the legacy "netsh firewall" context (superseded by "netsh advfirewall" but still accepted on Windows 7) to add the %APPDATA% copy as an allowed program, so that inbound connections to the implant are not blocked by the host firewall.
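The three persistence and defence-evasion steps above (Run values and a Startup-folder copy named after one 32-hex identifier, plus a netsh firewall exception for the same executable) can be correlated automatically. The following detection logic is an added example for this page, not the sandbox's code and not part of njRAT; it runs over constructed event records shaped like the report's IoC lines, and the event schema (`reg_set`, `file_create`, `proc_create` dictionaries) is an assumption of the example. It also includes a constructed benign Run value to show that an ordinary autostart entry is not grouped with the chain.

```python
"""Correlate the njRAT persistence chain recorded in this report.

Added example, not the sandbox's own code. Event records are constructed to
mirror the IoC lines on the page; the record shape is an assumption.
"""
import re
from dataclasses import dataclass, field

# Patterns derived from the IoC lines in the report above.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_FILE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
APPDATA_EXE = re.compile(r'^"?([a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^"]+\.exe)"?(.*)$', re.I)
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)


@dataclass
class Finding:
    ident: str                                              # 32-hex name shared by Run value and Startup copy
    run_targets: list = field(default_factory=list)         # exe paths the Run value(s) point at
    run_args: list = field(default_factory=list)            # trailing arguments (" .." in this report)
    startup_files: list = field(default_factory=list)
    firewall_exceptions: list = field(default_factory=list)

    def matches_chain(self) -> bool:
        """Run value into %APPDATA%\\Roaming plus at least one of the other two steps."""
        return bool(self.run_targets) and bool(self.startup_files or self.firewall_exceptions)


def analyze(events):
    """Return {ident: Finding} for every 32-hex identifier seen in Run values or Startup files."""
    findings = {}
    exe_to_ident = {}      # lower-cased exe path -> ident, links a netsh exception back to its Run value
    netsh_targets = []     # collected first, linked after all Run values are known (order-independent)

    for ev in events:
        if ev["type"] == "reg_set":
            m = RUN_VALUE.search(ev["path"])
            t = APPDATA_EXE.match(ev["value"])
            if m and HEX32.match(m.group(1)) and t:
                f = findings.setdefault(m.group(1), Finding(m.group(1)))
                f.run_targets.append(t.group(1))
                f.run_args.append(t.group(2).strip())
                exe_to_ident[t.group(1).lower()] = f.ident
        elif ev["type"] == "file_create":
            m = STARTUP_FILE.search(ev["path"])
            if m and HEX32.match(m.group(1)):
                findings.setdefault(m.group(1), Finding(m.group(1))).startup_files.append(ev["path"])
        elif ev["type"] == "proc_create":
            m = NETSH_ALLOW.search(ev["cmdline"])
            if m:
                netsh_targets.append(m.group(1))

    for exe in netsh_targets:
        ident = exe_to_ident.get(exe.lower())
        if ident:
            findings[ident].firewall_exceptions.append(exe)
    return findings


def flagged(events):
    """Identifiers whose indicators complete the chain, sorted for stable output."""
    return sorted(i for i, f in analyze(events).items() if f.matches_chain())


# Constructed events mirroring the report's IoC lines, plus one benign Run value.
SAMPLE_EVENTS = [
    {"type": "reg_set", "process": "CRONOS.exe",
     "path": r"\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\6506cdba2a23ee6c81479f21c5d918fd",
     "value": r'"C:\Users\Admin\AppData\Roaming\CRONOS.exe" ..'},
    {"type": "reg_set", "process": "CRONOS.exe",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6506cdba2a23ee6c81479f21c5d918fd",
     "value": r'"C:\Users\Admin\AppData\Roaming\CRONOS.exe" ..'},
    {"type": "file_create", "process": "CRONOS.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6506cdba2a23ee6c81479f21c5d918fd.exe"},
    {"type": "proc_create", "parent": "CRONOS.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\CRONOS.exe" "CRONOS.exe" ENABLE'},
    # Constructed benign autostart: name is not 32 hex chars and target is not under Roaming.
    {"type": "reg_set", "process": "explorer.exe",
     "path": r"\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for ident, f in analyze(SAMPLE_EVENTS).items():
        state = "chain complete" if f.matches_chain() else "partial"
        print(ident, state, f.run_targets, f.startup_files, f.firewall_exceptions)
```

The firewall exceptions are linked after the loop on purpose: in a real telemetry stream the netsh process-creation event may arrive before or after the registry write, and the correlation should not depend on that order. Requiring the Run value plus one further step keeps a lone Run entry into %APPDATA% (common for legitimate per-user installers) from firing on its own.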
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\CRONOS.exe
  MD5: 01285e4a7c3a833728dd600fa8f33d93
  SHA1: 4636ab9028287ddfe799dc6465d7b2666f6d6f47
  SHA256: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d
  SHA512: e86e740378282fc577c7f9a50c7ba70647924f42471f5a016a16cb3395c1777b3f6be04f99995c5ab16dff808dc52f46005869497b98be8e6f3dc85dd15dae0b
  The original page lists this file three times (twice as C:\Users\Admin\AppData\Roaming\CRONOS.exe and once as \Users\Admin\AppData\Roaming\CRONOS.exe) with identical hashes. The hashes are also identical to those of the submitted sample in General above, so CRONOS.exe is a byte-for-byte copy of the original executable rather than a separately unpacked payload; the same hash set suffices to hunt for both.
Memory dumps
  memory/608-63-0x0000000000000000-mapping.dmp
  memory/1168-55-0x00000000760C1000-0x00000000760C3000-memory.dmp (8KB)
  memory/1168-56-0x0000000001D00000-0x0000000001D01000-memory.dmp (4KB)
  memory/1472-58-0x0000000000000000-mapping.dmp
  memory/1472-62-0x0000000000980000-0x0000000000981000-memory.dmp (4KB)