kronos | c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613

General

Target

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
Size

263KB
MD5

b02ecc516834373f753b4a56428780f1
SHA1

9277f800d44bb7f9b184a8b517bcefc3a2dac752
SHA256

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613
SHA512

78dba7da8f9891299baf98f62c3b8f1991a4a8d52eac4e5d16c831dd5371aec4ba5800faeb188fca3bf170a83cd437f78445a5d309d1d2b4b80af4b698531535
SSDEEP

6144:dPfLIcvFM9DZIhYz4sBc/p7ESYyq33Z7EIKTkq:GvsiIQtHZWk

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{1DC3AF6C-D547-46F8-BDF5-5EE59458E932}\\f5ea51da.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{1DC3AF6C-D547-46F8-BDF5-5EE59458E932}\\f5ea51da.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

description	pid	process	target process
PID 1408 set thread context of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exeexplorer.exe

pid	process
824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeDebugPrivilege	672	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	868
Token: SeIncreaseQuotaPrivilege	868
Token: SeSecurityPrivilege	868
Token: SeTakeOwnershipPrivilege	868
Token: SeLoadDriverPrivilege	868
Token: SeRestorePrivilege	868
Token: SeSystemEnvironmentPrivilege	868
Token: SeAssignPrimaryTokenPrivilege	868
Token: SeIncreaseQuotaPrivilege	868
Token: SeSecurityPrivilege	868
Token: SeTakeOwnershipPrivilege	868
Token: SeLoadDriverPrivilege	868
Token: SeSystemtimePrivilege	868
Token: SeBackupPrivilege	868
Token: SeRestorePrivilege	868
Token: SeShutdownPrivilege	868
Token: SeSystemEnvironmentPrivilege	868
Token: SeUndockPrivilege	868
Token: SeManageVolumePrivilege	868
Token: SeAssignPrimaryTokenPrivilege	868
Token: SeIncreaseQuotaPrivilege	868
Token: SeSecurityPrivilege	868
Token: SeTakeOwnershipPrivilege	868
Token: SeLoadDriverPrivilege	868
Token: SeRestorePrivilege	868
Token: SeSystemEnvironmentPrivilege	868
Token: SeAssignPrimaryTokenPrivilege	868
Token: SeIncreaseQuotaPrivilege	868
Token: SeSecurityPrivilege	868
Token: SeTakeOwnershipPrivilege	868
Token: SeLoadDriverPrivilege	868
Token: SeRestorePrivilege	868
Token: SeSystemEnvironmentPrivilege	868
Token: SeAuditPrivilege	868

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1272
1272
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1272
1272
Suspicious use of UnmapMainImage 5 IoCs

Processes:

pid process

800
800
800
800
800

pid	process
1272
1272

pid	process
1272
1272

pid	process
800
800
800
800
800

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exec3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
"C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
"C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-78-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/280-95-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/300-89-0x0000000000B30000-0x0000000000B35000-memory.dmp

Filesize
20KB

Download
memory/332-79-0x00000000006F0000-0x00000000006F5000-memory.dmp

Filesize
20KB

Download
memory/368-80-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/376-81-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/416-82-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/464-83-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/472-84-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/480-85-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/580-86-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/656-92-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/672-91-0x0000000002390000-0x0000000002510000-memory.dmp

Filesize
1.5MB

Download
memory/672-71-0x0000000000000000-mapping.dmp

Download
memory/672-74-0x0000000074A21000-0x0000000074A23000-memory.dmp

Filesize
8KB

Download
memory/672-75-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/672-76-0x0000000000AD0000-0x0000000000D51000-memory.dmp

Filesize
2.5MB

Download
memory/672-77-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/720-93-0x00000000007A0000-0x00000000007A5000-memory.dmp

Filesize
20KB

Download
memory/800-87-0x00000000004D0000-0x00000000004D5000-memory.dmp

Filesize
20KB

Download
memory/824-66-0x000000000008342E-mapping.dmp

Download
memory/824-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-59-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-94-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/868-88-0x0000000000780000-0x0000000000785000-memory.dmp

Filesize
20KB

Download
memory/1032-96-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/1128-97-0x0000000001BB0000-0x0000000001BB5000-memory.dmp

Filesize
20KB

Download
memory/1220-90-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/1272-100-0x0000000001DC0000-0x0000000001DC5000-memory.dmp

Filesize
20KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-68-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-98-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/2004-99-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download

description	pid	process	target process
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 1408 wrote to memory of 824	1408	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	explorer.exe
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	explorer.exe
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	explorer.exe
PID 824 wrote to memory of 672	824	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	explorer.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads