kronos | c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613

General

Target

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
Size

263KB
MD5

b02ecc516834373f753b4a56428780f1
SHA1

9277f800d44bb7f9b184a8b517bcefc3a2dac752
SHA256

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613
SHA512

78dba7da8f9891299baf98f62c3b8f1991a4a8d52eac4e5d16c831dd5371aec4ba5800faeb188fca3bf170a83cd437f78445a5d309d1d2b4b80af4b698531535
SSDEEP

6144:dPfLIcvFM9DZIhYz4sBc/p7ESYyq33Z7EIKTkq:GvsiIQtHZWk

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{ADA9786A-03A1-4B26-8BFE-05C9969680FF}\\6815cdb9.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{ADA9786A-03A1-4B26-8BFE-05C9969680FF}\\6815cdb9.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

description	pid	process	target process
PID 760 set thread context of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

pid	process
4000	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
4000	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exec3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe

C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
"C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
"C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
2⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
"C:\Users\Admin\AppData\Local\Temp\c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-132-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/760-136-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1456-137-0x0000000000000000-mapping.dmp

Download
memory/1456-139-0x0000000000BA0000-0x0000000000FD3000-memory.dmp

Filesize
4.2MB

Download
memory/1456-140-0x0000000000B90000-0x0000000000B95000-memory.dmp

Filesize
20KB

Download
memory/1456-141-0x0000000002FF0000-0x0000000003440000-memory.dmp

Filesize
4.3MB

Download
memory/4000-133-0x0000000000000000-mapping.dmp

Download
memory/4000-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

description	pid	process	target process
PID 760 wrote to memory of 212	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 212	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 212	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 760 wrote to memory of 4000	760	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe
PID 4000 wrote to memory of 1456	4000	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	explorer.exe
PID 4000 wrote to memory of 1456	4000	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	explorer.exe
PID 4000 wrote to memory of 1456	4000	c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613.exe	explorer.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads