Overview

overview

10

Static

static

1

128a842ee4...5f.exe

windows7_x64

10

128a842ee4...5f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-06-2022 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe

  • Size

    459KB

  • MD5

    b2ef28ee87bc3d936e128faa4fd89bb8

  • SHA1

    0f27b77ac9caac0dbfbb88acd02025766c72c64e

  • SHA256

    128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f

  • SHA512

    5604591119b1a07d1bcfa2c2f365e3fa35c02871f1ebaa8c71b9a5b4ec75d9d73fc2b1073c3ecf282b575bbf8e9cd1d6a7ff050cdcceba5394a2cdfbad386bd2

Score
10/10
kronososirisbankerbotnetpersistencespywarestealer

Malware Config

Signatures

  • Kronos
    bankerbotnetkronos
  • Osiris
    bankerbotnetosiris
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
    "C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe
      "C:\Users\Admin\AppData\Local\Temp\128a842ee4908af0586a6854ecd568f31d146957c67f9fc8e071fe3fac2f1c5f.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2412

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nse8727.tmp\System.dll
    Filesize

    11KB

    MD5

    375e8a08471dc6f85f3828488b1147b3

    SHA1

    1941484ac710fc301a7d31d6f1345e32a21546af

    SHA256

    4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

    SHA512

    5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\omicrons.dll
    Filesize

    92KB

    MD5

    c588b63e86ee2299c60f4aebfe4a7462

    SHA1

    f81b17fc7d97718833cd6e1ad7266aaab812a5cf

    SHA256

    39ebac8550b02b3ee0629bb99e86ccc3bfe031474387eb7173c42a24d9a72b98

    SHA512

    d20be9d9d7881f30fd2000b223f478a51872a5e9af95462eead16f5c6a54f20096d6aefb0fe3c0ffe80c791bad918e929003574fc668389c2013775ca6ed2a26

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\omicrons.dll
    Filesize

    92KB

    MD5

    c588b63e86ee2299c60f4aebfe4a7462

    SHA1

    f81b17fc7d97718833cd6e1ad7266aaab812a5cf

    SHA256

    39ebac8550b02b3ee0629bb99e86ccc3bfe031474387eb7173c42a24d9a72b98

    SHA512

    d20be9d9d7881f30fd2000b223f478a51872a5e9af95462eead16f5c6a54f20096d6aefb0fe3c0ffe80c791bad918e929003574fc668389c2013775ca6ed2a26

    Download Submit

  • memory/2412-138-0x0000000000000000-mapping.dmp

    Download

  • memory/2412-141-0x0000000000F70000-0x0000000000F75000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2412-140-0x0000000000F90000-0x0000000000F9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3000-133-0x00000000022D0000-0x00000000022E7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4372-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4372-135-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4372-137-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4372-139-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download