kronos | a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926

General

Target

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
Size

336KB
MD5

ec4d618512c10e518cbbcc425e54e612
SHA1

a841f69420290e7f1b4813f4cd141e9a59a73a53
SHA256

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926
SHA512

526a529445e18e8b9c3d8a55c49c88867249a127a2ebaf75af543f4aaa9ede23888b89bc89adbc5c7160208c66c9bec0b8922f181a750c2691e59e88d9db8f92
SSDEEP

6144:pp5aU24gcouSCLo/4A9497IkCxxFrFDRymDLOWve1cCAuT/:ppt24gc+CZA94NIJFxDhLve1Am

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{97AFBD4E-67F9-4158-9645-026EEBABD842}\\f5ea51da.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{97AFBD4E-67F9-4158-9645-026EEBABD842}\\f5ea51da.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe

description	pid	process	target process
PID 1972 set thread context of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe

Suspicious behavior: MapViewOfSection 26 IoCs

Processes:

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exeexplorer.exe

pid	process
1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	872
Token: SeIncreaseQuotaPrivilege	872
Token: SeSecurityPrivilege	872
Token: SeTakeOwnershipPrivilege	872
Token: SeLoadDriverPrivilege	872
Token: SeRestorePrivilege	872
Token: SeSystemEnvironmentPrivilege	872
Token: SeAssignPrimaryTokenPrivilege	872
Token: SeIncreaseQuotaPrivilege	872
Token: SeSecurityPrivilege	872
Token: SeTakeOwnershipPrivilege	872
Token: SeLoadDriverPrivilege	872
Token: SeSystemtimePrivilege	872
Token: SeBackupPrivilege	872
Token: SeRestorePrivilege	872
Token: SeShutdownPrivilege	872
Token: SeSystemEnvironmentPrivilege	872
Token: SeUndockPrivilege	872
Token: SeManageVolumePrivilege	872
Token: SeAssignPrimaryTokenPrivilege	872
Token: SeIncreaseQuotaPrivilege	872
Token: SeSecurityPrivilege	872
Token: SeTakeOwnershipPrivilege	872
Token: SeLoadDriverPrivilege	872
Token: SeRestorePrivilege	872
Token: SeSystemEnvironmentPrivilege	872
Token: SeAssignPrimaryTokenPrivilege	872
Token: SeIncreaseQuotaPrivilege	872
Token: SeSecurityPrivilege	872
Token: SeTakeOwnershipPrivilege	872
Token: SeLoadDriverPrivilege	872
Token: SeRestorePrivilege	872
Token: SeSystemEnvironmentPrivilege	872
Token: SeAssignPrimaryTokenPrivilege	872
Token: SeIncreaseQuotaPrivilege	872
Token: SeSecurityPrivilege	872
Token: SeTakeOwnershipPrivilege	872

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1224
1224
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1224
1224
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe

pid process

1972 a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
Suspicious use of UnmapMainImage 6 IoCs

Processes:

pid process

792
792
792
792
792
792

pid	process
1224
1224

pid	process
1224
1224

pid	process
1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe

pid	process
792
792
792
792
792
792

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exea0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe

C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
"C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
  "C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-68-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/300-82-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/332-69-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/372-70-0x0000000000150000-0x0000000000155000-memory.dmp

Filesize
20KB

Download
memory/384-71-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download
memory/420-72-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/464-73-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/480-74-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/488-75-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download
memory/584-76-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/660-77-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/740-78-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/792-79-0x00000000002F0000-0x00000000002F5000-memory.dmp

Filesize
20KB

Download
memory/824-80-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/836-89-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/872-81-0x00000000008B0000-0x00000000008B5000-memory.dmp

Filesize
20KB

Download
memory/936-83-0x0000000001AE0000-0x0000000001AE5000-memory.dmp

Filesize
20KB

Download
memory/1128-84-0x0000000000450000-0x0000000000455000-memory.dmp

Filesize
20KB

Download
memory/1192-85-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/1224-86-0x0000000002A00000-0x0000000002A05000-memory.dmp

Filesize
20KB

Download
memory/1628-64-0x0000000074D01000-0x0000000074D03000-memory.dmp

Filesize
8KB

Download
memory/1628-67-0x0000000000210000-0x0000000000215000-memory.dmp

Filesize
20KB

Download
memory/1628-61-0x0000000000000000-mapping.dmp

Download
memory/1628-66-0x0000000000250000-0x00000000004D1000-memory.dmp

Filesize
2.5MB

Download
memory/1628-65-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1644-87-0x0000000000080000-0x0000000000085000-memory.dmp

Filesize
20KB

Download
memory/1904-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-59-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1904-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-57-0x0000000000415921-mapping.dmp

Download
memory/1908-90-0x0000000000460000-0x0000000000465000-memory.dmp

Filesize
20KB

Download
memory/1936-88-0x0000000000340000-0x0000000000345000-memory.dmp

Filesize
20KB

Download

description	pid	process	target process
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	explorer.exe
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	explorer.exe
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	explorer.exe
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	explorer.exe
PID 384 wrote to memory of 1628	384		explorer.exe
PID 384 wrote to memory of 1628	384		explorer.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads