kronos | d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972

Analysis

max time kernel
151s
max time network
177s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe
Size

250KB
MD5

6c4899330d4276d579a5282d8a6958c4
SHA1

537542e9611a142870f4738e6dba690a21bca459
SHA256

d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972
SHA512

b1b34fcfa634496c96333a05e91244af543ac2bfe12ae59dd99372f627c34c1997affbf955a6049dca606714f654b908182b7b09f35abf66f8150425730f258f
SSDEEP

3072:+9SojmNgurSrEt2fOp8TXhOrGM1OJSawFjUK/I0N7xy6T+3wpQ2LaM:yxRurSTy8zhZYCD34y6TJpP

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{C453F4D7-0B5D-4B3D-B57F-2BE93BB3BC7B}\\f5ea51da.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{C453F4D7-0B5D-4B3D-B57F-2BE93BB3BC7B}\\f5ea51da.exe"	explorer.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	Process not Found

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
1708	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe
1708	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeSystemtimePrivilege	872	Process not Found
Token: SeBackupPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeShutdownPrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeUndockPrivilege	872	Process not Found
Token: SeManageVolumePrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1384	Process not Found
1384	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1384	Process not Found
1384	Process not Found

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
808	Process not Found
808	Process not Found
808	Process not Found
808	Process not Found
808	Process not Found
808	Process not Found

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1892	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	28
PID 1692 wrote to memory of 1892	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	28
PID 1692 wrote to memory of 1892	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	28
PID 1692 wrote to memory of 1892	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	28
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1692 wrote to memory of 1708	1692	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	29
PID 1708 wrote to memory of 1996	1708	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	30
PID 1708 wrote to memory of 1996	1708	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	30
PID 1708 wrote to memory of 1996	1708	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	30
PID 1708 wrote to memory of 1996	1708	d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe	30

C:\Users\Admin\AppData\Local\Temp\d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe
"C:\Users\Admin\AppData\Local\Temp\d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe
  "C:\Users\Admin\AppData\Local\Temp\d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe"
  2⤵
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe
  "C:\Users\Admin\AppData\Local\Temp\d47b36c2fc5731e1fd4360595f608277579df21102712e048023bf7bb2226972.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-78-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/296-93-0x0000000000300000-0x0000000000305000-memory.dmp

Filesize
20KB

Download
memory/300-92-0x0000000000B40000-0x0000000000B45000-memory.dmp

Filesize
20KB

Download
memory/332-79-0x00000000009C0000-0x00000000009C5000-memory.dmp

Filesize
20KB

Download
memory/368-80-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download
memory/376-81-0x0000000000160000-0x0000000000165000-memory.dmp

Filesize
20KB

Download
memory/408-82-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/464-83-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/472-84-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/480-85-0x0000000000380000-0x0000000000385000-memory.dmp

Filesize
20KB

Download
memory/588-86-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/668-87-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/744-88-0x0000000000810000-0x0000000000815000-memory.dmp

Filesize
20KB

Download
memory/808-89-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/844-90-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/872-91-0x00000000008A0000-0x00000000008A5000-memory.dmp

Filesize
20KB

Download
memory/1044-94-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/1232-95-0x0000000000210000-0x0000000000215000-memory.dmp

Filesize
20KB

Download
memory/1320-96-0x0000000001B40000-0x0000000001B45000-memory.dmp

Filesize
20KB

Download
memory/1384-97-0x0000000002220000-0x0000000002225000-memory.dmp

Filesize
20KB

Download
memory/1412-100-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/1552-98-0x0000000000430000-0x0000000000435000-memory.dmp

Filesize
20KB

Download
memory/1636-102-0x0000000000460000-0x0000000000465000-memory.dmp

Filesize
20KB

Download
memory/1656-99-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download
memory/1692-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1692-68-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-55-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-59-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-75-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1996-77-0x0000000000290000-0x0000000000295000-memory.dmp

Filesize
20KB

Download
memory/1996-74-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1996-101-0x0000000002320000-0x00000000024A0000-memory.dmp

Filesize
1.5MB

Download
memory/1996-76-0x0000000000A70000-0x0000000000CF1000-memory.dmp

Filesize
2.5MB

Download