kronos | 120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba

General

Target

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
Size

360KB
MD5

e558c68f684dff0930fa3167a3d85385
SHA1

94cf171669401068b8047c04f0679bbd2f3c24df
SHA256

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba
SHA512

e3d9c7c003c697775682444782a6b4068132b314c06248c12aecc53fc04135ce920437e06f329c873605370cbb0eb645d381c6c7851eae1da3fd4b313a8db482

Score

10^/10

kronos banker botnet persistence spyware stealer

Malware Config

Signatures

Kronos
banker botnet kronos

Loads dropped DLL 2 IoCs

Processes:

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

pid	process
1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{488C8DDA-7F58-4936-B7FF-877749D02A9E}\\f5ea51da.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{488C8DDA-7F58-4936-B7FF-877749D02A9E}\\f5ea51da.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

description pid process target process

PID 600 set thread context of 472 600 DllHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 600 set thread context of 472	600		DllHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe

Suspicious behavior: MapViewOfSection 25 IoCs

Processes:

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exesvchost.exe

pid	process
1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
1240	svchost.exe
600

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeDebugPrivilege	1240	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeSystemtimePrivilege	880
Token: SeBackupPrivilege	880
Token: SeRestorePrivilege	880
Token: SeShutdownPrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeUndockPrivilege	880
Token: SeManageVolumePrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

pid process

1972 120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
Suspicious use of UnmapMainImage 7 IoCs

Processes:

pid process

600
816
816
816
816
816
816

pid	process
600
816
816
816
816
816
816

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

description	pid	process	target process
PID 1972 wrote to memory of 1240	1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe	svchost.exe
PID 1972 wrote to memory of 1240	1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe	svchost.exe
PID 1972 wrote to memory of 1240	1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe	svchost.exe
PID 1972 wrote to memory of 1240	1972	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe	svchost.exe
PID 332 wrote to memory of 472	332		DllHost.exe
PID 600 wrote to memory of 472	600		DllHost.exe
PID 600 wrote to memory of 472	600		DllHost.exe
PID 600 wrote to memory of 472	600		DllHost.exe
PID 384 wrote to memory of 1416	384		Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
  "C:\Users\Admin\AppData\Local\Temp\120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi6E5.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6E5.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/260-71-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/284-89-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/328-88-0x0000000001540000-0x0000000001545000-memory.dmp

Filesize
20KB

Download
memory/332-72-0x0000000000830000-0x0000000000835000-memory.dmp

Filesize
20KB

Download
memory/368-73-0x0000000000150000-0x0000000000155000-memory.dmp

Filesize
20KB

Download
memory/384-74-0x00000000004D0000-0x00000000004D5000-memory.dmp

Filesize
20KB

Download
memory/420-75-0x00000000000C0000-0x00000000000C5000-memory.dmp

Filesize
20KB

Download
memory/464-76-0x00000000001F0000-0x00000000001F5000-memory.dmp

Filesize
20KB

Download
memory/472-68-0x0000000000050000-mapping.dmp

Download
memory/472-94-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/480-77-0x0000000000370000-0x0000000000375000-memory.dmp

Filesize
20KB

Download
memory/488-82-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/600-78-0x0000000000160000-0x0000000000165000-memory.dmp

Filesize
20KB

Download
memory/676-83-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/764-84-0x0000000000880000-0x0000000000885000-memory.dmp

Filesize
20KB

Download
memory/816-85-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/852-86-0x00000000003D0000-0x00000000003D5000-memory.dmp

Filesize
20KB

Download
memory/880-87-0x00000000007D0000-0x00000000007D5000-memory.dmp

Filesize
20KB

Download
memory/1032-79-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download
memory/1084-92-0x0000000000170000-0x0000000000175000-memory.dmp

Filesize
20KB

Download
memory/1208-80-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/1240-66-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1240-81-0x0000000002060000-0x0000000002224000-memory.dmp

Filesize
1.8MB

Download
memory/1240-69-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/1240-70-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/1240-64-0x0000000000000000-mapping.dmp

Download
memory/1240-67-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/1296-90-0x0000000001B40000-0x0000000001B45000-memory.dmp

Filesize
20KB

Download
memory/1372-91-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/1972-63-0x0000000074B91000-0x0000000074B93000-memory.dmp

Filesize
8KB

Download
memory/1972-62-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1972-57-0x0000000002E00000-0x0000000002E4D000-memory.dmp

Filesize
308KB

Download
memory/1972-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1988-93-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads