kronos | 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
07/06/2022, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
Size

372KB
MD5

2d0f0ce93e4b45065dbf412d6c99fd63
SHA1

a586bd6a4a602a7805f61b32170e6dc27d14b5a1
SHA256

1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b
SHA512

7aa837aa7ee32d8bd76c6461db3e1a9a3d7e681fca7bd8146566fbfa6108656034cfd1a7abbd6b2ab4dcc6a41de2b491655bf333a08a241f51c495fb75e6d236

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{765C965F-39F8-4B4B-8BCA-6C0E66504686}\\f5ea51da.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{765C965F-39F8-4B4B-8BCA-6C0E66504686}\\f5ea51da.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	Process not Found

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	Process not Found

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1352	2008	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
904	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
904	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeShutdownPrivilege	1280	Process not Found
Token: SeAuditPrivilege	884	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
756	Process not Found

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 1564 wrote to memory of 904	1564	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	27
PID 904 wrote to memory of 2008	904	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	28
PID 904 wrote to memory of 2008	904	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	28
PID 904 wrote to memory of 2008	904	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	28
PID 904 wrote to memory of 2008	904	1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe	28
PID 376 wrote to memory of 1352	376	Process not Found	29
PID 376 wrote to memory of 1352	376	Process not Found	29
PID 376 wrote to memory of 1352	376	Process not Found	29
PID 376 wrote to memory of 1352	376	Process not Found	29
PID 2008 wrote to memory of 1352	2008	svchost.exe	29
PID 2008 wrote to memory of 1352	2008	svchost.exe	29
PID 2008 wrote to memory of 1352	2008	svchost.exe	29
PID 2008 wrote to memory of 1352	2008	svchost.exe	29
PID 376 wrote to memory of 1352	376	Process not Found	29
PID 376 wrote to memory of 1352	376	Process not Found	29
PID 376 wrote to memory of 1352	376	Process not Found	29
PID 376 wrote to memory of 1352	376	Process not Found	29

C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
"C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
  C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 444
      4⤵
      Program crash
      PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-88-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/328-103-0x0000000000FC0000-0x0000000000FC5000-memory.dmp

Filesize
20KB

Download
memory/332-89-0x0000000000AC0000-0x0000000000AC5000-memory.dmp

Filesize
20KB

Download
memory/368-90-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/376-91-0x0000000000490000-0x0000000000495000-memory.dmp

Filesize
20KB

Download
memory/416-92-0x00000000000C0000-0x00000000000C5000-memory.dmp

Filesize
20KB

Download
memory/460-93-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/476-94-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/484-95-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/536-102-0x0000000000160000-0x0000000000165000-memory.dmp

Filesize
20KB

Download
memory/596-96-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/672-97-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/756-98-0x0000000000890000-0x0000000000895000-memory.dmp

Filesize
20KB

Download
memory/800-99-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/808-108-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/852-100-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download
memory/884-101-0x00000000008C0000-0x00000000008C5000-memory.dmp

Filesize
20KB

Download
memory/904-71-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-65-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-55-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/904-56-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-57-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-60-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/904-80-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-76-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-74-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-73-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-62-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-69-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-67-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/904-64-0x0000000000400000-0x000000000214C000-memory.dmp

Filesize
29.3MB

Download
memory/1052-104-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/1132-105-0x0000000001D20000-0x0000000001D25000-memory.dmp

Filesize
20KB

Download
memory/1220-106-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/1280-107-0x0000000002A20000-0x0000000002A25000-memory.dmp

Filesize
20KB

Download
memory/1408-110-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1564-59-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/1564-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1736-109-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/2008-85-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2008-87-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/2008-83-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download