Overview

overview

10

Static

static

c3b3fcc4d9...13.exe

windows7-x64

10

c3b3fcc4d9...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

  • Size

    263KB

  • MD5

    b02ecc516834373f753b4a56428780f1

  • SHA1

    9277f800d44bb7f9b184a8b517bcefc3a2dac752

  • SHA256

    c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613

  • SHA512

    78dba7da8f9891299baf98f62c3b8f1991a4a8d52eac4e5d16c831dd5371aec4ba5800faeb188fca3bf170a83cd437f78445a5d309d1d2b4b80af4b698531535

  • SSDEEP

    6144:dPfLIcvFM9DZIhYz4sBc/p7ESYyq33Z7EIKTkq:GvsiIQtHZWk

Score
10/10
kronosbankerbotnetpersistence

Malware Config

Signatures

  • Kronos
    bankerbotnetkronos
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
    "C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
      "C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
      2⤵
        PID:212
      • C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
        "C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
        2⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          3⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1456

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/760-132-0x0000000074F10000-0x00000000754C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/760-136-0x0000000074F10000-0x00000000754C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1456-137-0x0000000000000000-mapping.dmp

      Download

    • memory/1456-139-0x0000000000BA0000-0x0000000000FD3000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/1456-140-0x0000000000B90000-0x0000000000B95000-memory.dmp

      Filesize

      20KB

      Download

    • memory/1456-141-0x0000000002FF0000-0x0000000003440000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/4000-133-0x0000000000000000-mapping.dmp

      Download

    • memory/4000-134-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download

    • memory/4000-135-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download

    • memory/4000-138-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download