Overview

overview

10

Static

static

1c2d21587e...36.exe

windows7-x64

10

1c2d21587e...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    190s
  • max time network
    229s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 22:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe

  • Size

    275KB

  • MD5

    d891cbbaf7fd229445a507bd8407fd96

  • SHA1

    535501fbe60ff96890f46b1e2321c9bd0d25c4aa

  • SHA256

    1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936

  • SHA512

    86de8aa1da926d1b50cf329dfbbf0d67bf033e73323421c399c80c502cd3e1f92091864c14f9e5bc14f89db9cbe85cd8c0ec7896c3c581b40d4efd09b9631d35

  • SSDEEP

    6144:JBgedih3DLc2g4DEqXqAUTBqd/20dkMzTL7AQ05lmtLrD6LrD6deOHNHXE/Nn719:JSedyzLc8EqeTsdOHf7QlvrT6O2Bqnuq

Score
10/10
kronosbankerbotnetpersistence

Malware Config

Signatures

  • Kronos
    bankerbotnetkronos
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe
    "C:\Users\Admin\AppData\Local\Temp\1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/260-60-0x0000000000110000-0x0000000000115000-memory.dmp
    Filesize

    20KB

    Download
  • memory/280-71-0x0000000001110000-0x0000000001115000-memory.dmp
    Filesize

    20KB

    Download
  • memory/336-61-0x00000000009C0000-0x00000000009C5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/340-83-0x0000000000110000-0x0000000000115000-memory.dmp
    Filesize

    20KB

    Download
  • memory/372-62-0x00000000000E0000-0x00000000000E5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/384-63-0x0000000000420000-0x0000000000425000-memory.dmp
    Filesize

    20KB

    Download
  • memory/420-64-0x00000000003D0000-0x00000000003D5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/464-65-0x0000000000080000-0x0000000000085000-memory.dmp
    Filesize

    20KB

    Download
  • memory/484-67-0x0000000000120000-0x0000000000125000-memory.dmp
    Filesize

    20KB

    Download
  • memory/492-68-0x0000000000100000-0x0000000000105000-memory.dmp
    Filesize

    20KB

    Download
  • memory/584-79-0x0000000000520000-0x0000000000525000-memory.dmp
    Filesize

    20KB

    Download
  • memory/664-80-0x0000000000390000-0x0000000000395000-memory.dmp
    Filesize

    20KB

    Download
  • memory/752-69-0x00000000008F0000-0x00000000008F5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/800-81-0x0000000000800000-0x0000000000805000-memory.dmp
    Filesize

    20KB

    Download
  • memory/836-82-0x0000000000090000-0x0000000000095000-memory.dmp
    Filesize

    20KB

    Download
  • memory/868-70-0x00000000007F0000-0x00000000007F5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/884-59-0x00000000000E0000-0x00000000000E5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/884-55-0x0000000000000000-mapping.dmp
    Download
  • memory/884-58-0x0000000000A00000-0x0000000000A08000-memory.dmp
    Filesize

    32KB

    Download
  • memory/884-66-0x0000000001FD0000-0x0000000002194000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/884-57-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1032-72-0x0000000000340000-0x0000000000345000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1120-73-0x0000000001DA0000-0x0000000001DA5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1188-84-0x0000000000120000-0x0000000000125000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1256-74-0x0000000002A30000-0x0000000002A35000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1616-54-0x00000000760A1000-0x00000000760A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1660-76-0x0000000000280000-0x0000000000285000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1836-75-0x0000000000270000-0x0000000000275000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2008-77-0x0000000000100000-0x0000000000105000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2036-78-0x0000000000910000-0x0000000000915000-memory.dmp
    Filesize

    20KB

    Download