kronos | 120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba

General

Target

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
Size

360KB
MD5

e558c68f684dff0930fa3167a3d85385
SHA1

94cf171669401068b8047c04f0679bbd2f3c24df
SHA256

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba
SHA512

e3d9c7c003c697775682444782a6b4068132b314c06248c12aecc53fc04135ce920437e06f329c873605370cbb0eb645d381c6c7851eae1da3fd4b313a8db482

Score

10^/10

kronos banker botnet persistence spyware stealer

Malware Config

Signatures

Kronos
banker botnet kronos

Loads dropped DLL 2 IoCs

Processes:

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

pid	process
3892	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
3892	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{AA545162-188B-4FB4-8D8E-DA1894722E9E}\\6815cdb9.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{AA545162-188B-4FB4-8D8E-DA1894722E9E}\\6815cdb9.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

pid	process
3892	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
3892	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe

description	pid	process	target process
PID 3892 wrote to memory of 4628	3892	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe	svchost.exe
PID 3892 wrote to memory of 4628	3892	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe	svchost.exe
PID 3892 wrote to memory of 4628	3892	120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe
"C:\Users\Admin\AppData\Local\Temp\120cd3dc895723f8e5ef3e5b391527b375e7e2d9f80839a2301f0861d3c852ba.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsnCE14.tmp\System.dll
Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnCE14.tmp\System.dll
Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/3892-132-0x0000000003030000-0x000000000306F000-memory.dmp

Filesize
252KB

Download
memory/3892-133-0x0000000003150000-0x000000000319D000-memory.dmp

Filesize
308KB

Download
memory/3892-139-0x0000000003030000-0x000000000306F000-memory.dmp

Filesize
252KB

Download
memory/4628-138-0x0000000000000000-mapping.dmp

Download
memory/4628-140-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/4628-141-0x00000000031D0000-0x00000000031D5000-memory.dmp

Filesize
20KB

Download
memory/4628-142-0x0000000003A00000-0x0000000003E50000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads