Overview

overview

10

Static

static

1

0edabe7722...d6.exe

windows7-x64

10

0edabe7722...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    203s
  • max time network
    201s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

  • Size

    277KB

  • MD5

    53cda9ef44c8efa08900b21c569f2f99

  • SHA1

    a557562aa8c06cea50176e4f22cfe3c652441873

  • SHA256

    0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6

  • SHA512

    94cfa19730e5341a494dee44bfe313eb8bed6f620a62ae99d54672c4da045632a2778d65a7aa9d4f9c5488a975a903515b049fb8eaac5ab277868745ea721044

  • SSDEEP

    6144:5wHysfSJnooGdv/ho0de97vfH7KSOTDr0cVEobKuahuHJLZ:Cqyokv5m73zOTH0cVEYKuHlZ

Score
10/10
kronosbankerbotnetpersistence

Malware Config

Signatures

  • Kronos
    bankerbotnetkronos
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
    "C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
      "C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1276

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsoEC73.tmp\coquille.dll
    Filesize

    14KB

    MD5

    8da8ca180453926a6ff3e3008421b8a2

    SHA1

    3aa994c4a56e67bbb8d6f7c2bb5a4c42156d3870

    SHA256

    6b34d5c64fb635fe2dc5fbbe61c30eae196d389fa107ca11a9efb0bf377c2c77

    SHA512

    f29a2ede38df080b831420eecb68a933ba8caa054809d4f8fb698078d107c28f5b95e2e62b341d10b83f9b8d010c0d7622440d1c74b13aca486b8daf5eecdd01

    Download Submit

  • memory/260-78-0x0000000000110000-0x0000000000115000-memory.dmp

    Filesize

    20KB

    Download

  • memory/276-95-0x0000000000A60000-0x0000000000A65000-memory.dmp

    Filesize

    20KB

    Download

  • memory/300-96-0x00000000001D0000-0x00000000001D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/332-79-0x00000000006A0000-0x00000000006A5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/368-80-0x00000000000D0000-0x00000000000D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/380-81-0x0000000000620000-0x0000000000625000-memory.dmp

    Filesize

    20KB

    Download

  • memory/416-82-0x0000000000250000-0x0000000000255000-memory.dmp

    Filesize

    20KB

    Download

  • memory/460-83-0x0000000000080000-0x0000000000085000-memory.dmp

    Filesize

    20KB

    Download

  • memory/476-84-0x0000000000140000-0x0000000000145000-memory.dmp

    Filesize

    20KB

    Download

  • memory/484-90-0x0000000000090000-0x0000000000095000-memory.dmp

    Filesize

    20KB

    Download

  • memory/532-99-0x0000000000080000-0x0000000000085000-memory.dmp

    Filesize

    20KB

    Download

  • memory/580-91-0x00000000003D0000-0x00000000003D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/656-85-0x00000000001B0000-0x00000000001B5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/728-72-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-70-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-67-0x00000000004156E1-mapping.dmp

    Download

  • memory/728-66-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-64-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-63-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-61-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-59-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-57-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/728-56-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/740-92-0x0000000000A00000-0x0000000000A05000-memory.dmp

    Filesize

    20KB

    Download

  • memory/792-86-0x0000000000820000-0x0000000000825000-memory.dmp

    Filesize

    20KB

    Download

  • memory/832-93-0x0000000000240000-0x0000000000245000-memory.dmp

    Filesize

    20KB

    Download

  • memory/860-94-0x0000000000830000-0x0000000000835000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1052-87-0x0000000000090000-0x0000000000095000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1120-97-0x0000000000290000-0x0000000000295000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1172-98-0x00000000019C0000-0x00000000019C5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1204-88-0x00000000021F0000-0x00000000021F5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1276-77-0x0000000000710000-0x0000000000715000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1276-71-0x0000000000000000-mapping.dmp

    Download

  • memory/1276-76-0x0000000000FC0000-0x0000000001241000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1276-75-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1276-74-0x0000000075061000-0x0000000075063000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1772-101-0x0000000000100000-0x0000000000105000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1940-89-0x0000000000440000-0x0000000000445000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1988-100-0x0000000000790000-0x0000000000795000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2020-54-0x0000000076531000-0x0000000076533000-memory.dmp

    Filesize

    8KB

    Download