kronos | 128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f

Analysis

max time kernel
153s
max time network
105s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-06-2022 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
Size

459KB
MD5

b2ef28ee87bc3d936e128faa4fd89bb8
SHA1

0f27b77ac9caac0dbfbb88acd02025766c72c64e
SHA256

128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f
SHA512

5604591119b1a07d1bcfa2c2f365e3fa35c02871f1ebaa8c71b9a5b4ec75d9d73fc2b1073c3ecf282b575bbf8e9cd1d6a7ff050cdcceba5394a2cdfbad386bd2

Score

10^/10

kronos osiris banker botnet persistence spyware stealer

Malware Config

Signatures

Kronos
banker botnet kronos
Osiris
banker botnet osiris

Loads dropped DLL 2 IoCs

Processes:

128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe

pid	Process
1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{73063640-D64F-46CF-9DFF-B644BF81AF32}\\f5ea51da.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{73063640-D64F-46CF-9DFF-B644BF81AF32}\\f5ea51da.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Suspicious use of SetThreadContext 2 IoCs

Processes:

128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe

description	pid	Process	procid_target
PID 1920 set thread context of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 608 set thread context of 1380	608		29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	Process
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe

Suspicious behavior: MapViewOfSection 25 IoCs

Processes:

128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exesvchost.exe

pid	Process
1220	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
1220	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
596	svchost.exe
608

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	Process
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeSystemtimePrivilege	880
Token: SeBackupPrivilege	880
Token: SeRestorePrivilege	880
Token: SeShutdownPrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeUndockPrivilege	880
Token: SeManageVolumePrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe

pid	Process
1220	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid	Process
596	svchost.exe

Suspicious use of UnmapMainImage 3 IoCs

Processes:

pid	Process
608
816
816

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe

description	pid	Process	procid_target
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1920 wrote to memory of 1220	1920	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	27
PID 1220 wrote to memory of 596	1220	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	28
PID 1220 wrote to memory of 596	1220	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	28
PID 1220 wrote to memory of 596	1220	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	28
PID 1220 wrote to memory of 596	1220	128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe	28
PID 388 wrote to memory of 1276	388		14
PID 336 wrote to memory of 1380	336		29
PID 608 wrote to memory of 1380	608		29
PID 608 wrote to memory of 1380	608		29
PID 608 wrote to memory of 1380	608		29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
  "C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
    "C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst2020.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
\Users\Admin\AppData\Local\Temp\omicrons.dll

Filesize
92KB

MD5
c588b63e86ee2299c60f4aebfe4a7462

SHA1
f81b17fc7d97718833cd6e1ad7266aaab812a5cf

SHA256
39ebac8550b02b3ee0629bb99e86ccc3bfe031474387eb7173c42a24d9a72b98

SHA512
d20be9d9d7881f30fd2000b223f478a51872a5e9af95462eead16f5c6a54f20096d6aefb0fe3c0ffe80c791bad918e929003574fc668389c2013775ca6ed2a26

Download Submit
memory/108-98-0x0000000001B60000-0x0000000001B65000-memory.dmp

Filesize
20KB

Download
memory/260-82-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/284-97-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/336-83-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/340-102-0x0000000000200000-0x0000000000205000-memory.dmp

Filesize
20KB

Download
memory/372-84-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/388-85-0x0000000000770000-0x0000000000775000-memory.dmp

Filesize
20KB

Download
memory/424-86-0x00000000000C0000-0x00000000000C5000-memory.dmp

Filesize
20KB

Download
memory/468-87-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/484-89-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/492-88-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download
memory/596-80-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/596-74-0x0000000000000000-mapping.dmp

Download
memory/596-77-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/596-78-0x0000000000160000-0x000000000017D000-memory.dmp

Filesize
116KB

Download
memory/596-81-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/608-90-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/684-92-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/768-93-0x00000000004A0000-0x00000000004A5000-memory.dmp

Filesize
20KB

Download
memory/816-94-0x0000000000430000-0x0000000000435000-memory.dmp

Filesize
20KB

Download
memory/856-95-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/880-96-0x00000000007E0000-0x00000000007E5000-memory.dmp

Filesize
20KB

Download
memory/1060-99-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/1144-100-0x0000000000410000-0x0000000000415000-memory.dmp

Filesize
20KB

Download
memory/1220-67-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-75-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-73-0x0000000074AF1000-0x0000000074AF3000-memory.dmp

Filesize
8KB

Download
memory/1220-58-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-72-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-71-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-59-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-68-0x0000000000413A2E-mapping.dmp

Download
memory/1220-61-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1220-63-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1244-101-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/1380-79-0x0000000000050000-mapping.dmp

Download
memory/1380-103-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/1860-91-0x0000000000310000-0x0000000000315000-memory.dmp

Filesize
20KB

Download
memory/1920-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1920-57-0x0000000000520000-0x0000000000537000-memory.dmp

Filesize
92KB

Download