kronos | c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
Size

263KB
MD5

b02ecc516834373f753b4a56428780f1
SHA1

9277f800d44bb7f9b184a8b517bcefc3a2dac752
SHA256

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613
SHA512

78dba7da8f9891299baf98f62c3b8f1991a4a8d52eac4e5d16c831dd5371aec4ba5800faeb188fca3bf170a83cd437f78445a5d309d1d2b4b80af4b698531535
SSDEEP

6144:dPfLIcvFM9DZIhYz4sBc/p7ESYyq33Z7EIKTkq:GvsiIQtHZWk

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{1DC3AF6C-D547-46F8-BDF5-5EE59458E932}\\f5ea51da.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{1DC3AF6C-D547-46F8-BDF5-5EE59458E932}\\f5ea51da.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe

Suspicious behavior: MapViewOfSection 24 IoCs

pid	Process
824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	868	Process not Found
Token: SeIncreaseQuotaPrivilege	868	Process not Found
Token: SeSecurityPrivilege	868	Process not Found
Token: SeTakeOwnershipPrivilege	868	Process not Found
Token: SeLoadDriverPrivilege	868	Process not Found
Token: SeRestorePrivilege	868	Process not Found
Token: SeSystemEnvironmentPrivilege	868	Process not Found
Token: SeAssignPrimaryTokenPrivilege	868	Process not Found
Token: SeIncreaseQuotaPrivilege	868	Process not Found
Token: SeSecurityPrivilege	868	Process not Found
Token: SeTakeOwnershipPrivilege	868	Process not Found
Token: SeLoadDriverPrivilege	868	Process not Found
Token: SeSystemtimePrivilege	868	Process not Found
Token: SeBackupPrivilege	868	Process not Found
Token: SeRestorePrivilege	868	Process not Found
Token: SeShutdownPrivilege	868	Process not Found
Token: SeSystemEnvironmentPrivilege	868	Process not Found
Token: SeUndockPrivilege	868	Process not Found
Token: SeManageVolumePrivilege	868	Process not Found
Token: SeAssignPrimaryTokenPrivilege	868	Process not Found
Token: SeIncreaseQuotaPrivilege	868	Process not Found
Token: SeSecurityPrivilege	868	Process not Found
Token: SeTakeOwnershipPrivilege	868	Process not Found
Token: SeLoadDriverPrivilege	868	Process not Found
Token: SeRestorePrivilege	868	Process not Found
Token: SeSystemEnvironmentPrivilege	868	Process not Found
Token: SeAssignPrimaryTokenPrivilege	868	Process not Found
Token: SeIncreaseQuotaPrivilege	868	Process not Found
Token: SeSecurityPrivilege	868	Process not Found
Token: SeTakeOwnershipPrivilege	868	Process not Found
Token: SeLoadDriverPrivilege	868	Process not Found
Token: SeRestorePrivilege	868	Process not Found
Token: SeSystemEnvironmentPrivilege	868	Process not Found
Token: SeAuditPrivilege	868	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
800	Process not Found
800	Process not Found
800	Process not Found
800	Process not Found
800	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	26
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	27
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	27
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	27
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	27

C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
"C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
  "C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-78-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/280-95-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/300-89-0x0000000000B30000-0x0000000000B35000-memory.dmp

Filesize
20KB

Download
memory/332-79-0x00000000006F0000-0x00000000006F5000-memory.dmp

Filesize
20KB

Download
memory/368-80-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/376-81-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/416-82-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/464-83-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/472-84-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/480-85-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/580-86-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/656-92-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/672-91-0x0000000002390000-0x0000000002510000-memory.dmp

Filesize
1.5MB

Download
memory/672-74-0x0000000074A21000-0x0000000074A23000-memory.dmp

Filesize
8KB

Download
memory/672-75-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/672-76-0x0000000000AD0000-0x0000000000D51000-memory.dmp

Filesize
2.5MB

Download
memory/672-77-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/720-93-0x00000000007A0000-0x00000000007A5000-memory.dmp

Filesize
20KB

Download
memory/800-87-0x00000000004D0000-0x00000000004D5000-memory.dmp

Filesize
20KB

Download
memory/824-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-59-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-94-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/868-88-0x0000000000780000-0x0000000000785000-memory.dmp

Filesize
20KB

Download
memory/1032-96-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/1128-97-0x0000000001BB0000-0x0000000001BB5000-memory.dmp

Filesize
20KB

Download
memory/1220-90-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/1272-100-0x0000000001DC0000-0x0000000001DC5000-memory.dmp

Filesize
20KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-68-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-98-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/2004-99-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download