kronos | a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
Size

336KB
MD5

ec4d618512c10e518cbbcc425e54e612
SHA1

a841f69420290e7f1b4813f4cd141e9a59a73a53
SHA256

a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926
SHA512

526a529445e18e8b9c3d8a55c49c88867249a127a2ebaf75af543f4aaa9ede23888b89bc89adbc5c7160208c66c9bec0b8922f181a750c2691e59e88d9db8f92
SSDEEP

6144:pp5aU24gcouSCLo/4A9497IkCxxFrFDRymDLOWve1cCAuT/:ppt24gc+CZA94NIJFxDhLve1Am

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{97AFBD4E-67F9-4158-9645-026EEBABD842}\\f5ea51da.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{97AFBD4E-67F9-4158-9645-026EEBABD842}\\f5ea51da.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeSystemtimePrivilege	872	Process not Found
Token: SeBackupPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeShutdownPrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeUndockPrivilege	872	Process not Found
Token: SeManageVolumePrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1224	Process not Found
1224	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1224	Process not Found
1224	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
792	Process not Found
792	Process not Found
792	Process not Found
792	Process not Found
792	Process not Found
792	Process not Found

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1972 wrote to memory of 1904	1972	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	28
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	29
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	29
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	29
PID 1904 wrote to memory of 1628	1904	a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe	29
PID 384 wrote to memory of 1628	384	Process not Found	29
PID 384 wrote to memory of 1628	384	Process not Found	29

C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
"C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe
  "C:\Users\Admin\AppData\Local\Temp\a0166b750e8a6fa96f813879e93593fdaef75ff63fad688e22d8beb4246f3926.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-68-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/300-82-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/332-69-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/372-70-0x0000000000150000-0x0000000000155000-memory.dmp

Filesize
20KB

Download
memory/384-71-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download
memory/420-72-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/464-73-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/480-74-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/488-75-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download
memory/584-76-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/660-77-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/740-78-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/792-79-0x00000000002F0000-0x00000000002F5000-memory.dmp

Filesize
20KB

Download
memory/824-80-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/836-89-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/872-81-0x00000000008B0000-0x00000000008B5000-memory.dmp

Filesize
20KB

Download
memory/936-83-0x0000000001AE0000-0x0000000001AE5000-memory.dmp

Filesize
20KB

Download
memory/1128-84-0x0000000000450000-0x0000000000455000-memory.dmp

Filesize
20KB

Download
memory/1192-85-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/1224-86-0x0000000002A00000-0x0000000002A05000-memory.dmp

Filesize
20KB

Download
memory/1628-64-0x0000000074D01000-0x0000000074D03000-memory.dmp

Filesize
8KB

Download
memory/1628-67-0x0000000000210000-0x0000000000215000-memory.dmp

Filesize
20KB

Download
memory/1628-66-0x0000000000250000-0x00000000004D1000-memory.dmp

Filesize
2.5MB

Download
memory/1628-65-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1644-87-0x0000000000080000-0x0000000000085000-memory.dmp

Filesize
20KB

Download
memory/1904-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-59-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1904-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-90-0x0000000000460000-0x0000000000465000-memory.dmp

Filesize
20KB

Download
memory/1936-88-0x0000000000340000-0x0000000000345000-memory.dmp

Filesize
20KB

Download