kronos | 1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936

General

Target

1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe
Size

275KB
MD5

d891cbbaf7fd229445a507bd8407fd96
SHA1

535501fbe60ff96890f46b1e2321c9bd0d25c4aa
SHA256

1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936
SHA512

86de8aa1da926d1b50cf329dfbbf0d67bf033e73323421c399c80c502cd3e1f92091864c14f9e5bc14f89db9cbe85cd8c0ec7896c3c581b40d4efd09b9631d35
SSDEEP

6144:JBgedih3DLc2g4DEqXqAUTBqd/20dkMzTL7AQ05lmtLrD6LrD6deOHNHXE/Nn719:JSedyzLc8EqeTsdOHf7QlvrT6O2Bqnuq

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{C5E8AF21-0414-43FD-9EE8-0F5D327E23D5}\\6815cdb9.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{C5E8AF21-0414-43FD-9EE8-0F5D327E23D5}\\6815cdb9.exe"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe

pid	process
216	1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe
216	1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3852	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe

description	pid	process	target process
PID 216 wrote to memory of 3852	216	1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe	svchost.exe
PID 216 wrote to memory of 3852	216	1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe	svchost.exe
PID 216 wrote to memory of 3852	216	1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe
"C:\Users\Admin\AppData\Local\Temp\1c2d21587eb949fe719ae9499e42381d4250a0be5c770ea707a362afdd171936.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3852-132-0x0000000000000000-mapping.dmp

Download
memory/3852-133-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/3852-134-0x00000000031F0000-0x00000000031F5000-memory.dmp

Filesize
20KB

Download
memory/3852-135-0x0000000003900000-0x0000000003D50000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads