kronos | 0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6

General

Target

0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
Size

277KB
MD5

53cda9ef44c8efa08900b21c569f2f99
SHA1

a557562aa8c06cea50176e4f22cfe3c652441873
SHA256

0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6
SHA512

94cfa19730e5341a494dee44bfe313eb8bed6f620a62ae99d54672c4da045632a2778d65a7aa9d4f9c5488a975a903515b049fb8eaac5ab277868745ea721044
SSDEEP

6144:5wHysfSJnooGdv/ho0de97vfH7KSOTDr0cVEobKuahuHJLZ:Cqyokv5m73zOTH0cVEYKuHlZ

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos
Loads dropped DLL 1 IoCs

Processes:

0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

pid process

4268 0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

pid	process
4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{B05E7A4A-3FCB-4173-8D79-33E493364A4D}\\6815cdb9.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{B05E7A4A-3FCB-4173-8D79-33E493364A4D}\\6815cdb9.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

description	pid	process	target process
PID 4268 set thread context of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe
4152	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

pid	process
3424	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
3424	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe
Token: SeDebugPrivilege	4152	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe

description	pid	process	target process
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 4268 wrote to memory of 3424	4268	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
PID 3424 wrote to memory of 4152	3424	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	explorer.exe
PID 3424 wrote to memory of 4152	3424	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	explorer.exe
PID 3424 wrote to memory of 4152	3424	0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
"C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe
  "C:\Users\Admin\AppData\Local\Temp\0edabe7722359593c261ce992bcf2c8decb8df7b35e538d328f5d5e15b283cd6.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg1549.tmp\coquille.dll

Filesize
14KB

MD5
8da8ca180453926a6ff3e3008421b8a2

SHA1
3aa994c4a56e67bbb8d6f7c2bb5a4c42156d3870

SHA256
6b34d5c64fb635fe2dc5fbbe61c30eae196d389fa107ca11a9efb0bf377c2c77

SHA512
f29a2ede38df080b831420eecb68a933ba8caa054809d4f8fb698078d107c28f5b95e2e62b341d10b83f9b8d010c0d7622440d1c74b13aca486b8daf5eecdd01

Download Submit
memory/3424-133-0x0000000000000000-mapping.dmp

Download
memory/3424-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4152-137-0x0000000000000000-mapping.dmp

Download
memory/4152-139-0x0000000000410000-0x0000000000843000-memory.dmp

Filesize
4.2MB

Download
memory/4152-140-0x0000000002D50000-0x0000000002D55000-memory.dmp

Filesize
20KB

Download
memory/4152-141-0x0000000003300000-0x0000000003750000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads