kronos | 59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166

Analysis

max time kernel
167s
max time network
215s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe
Size

314KB
MD5

e8ab73bd31591fa5337be49241f8a7d8
SHA1

c00ea2df72fe2ed1536e4f80edff39c7ff3a2f5a
SHA256

59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166
SHA512

d257b5a6ba7a20c8835fe5f0553a481e628f89893a96df8e07779c00db28294d736e66dd904c6618b85820af2394040711c0ea45aeaf1e6f05e983b82f56fd5e
SSDEEP

6144:CWQ8QntTwcMT0RyE0h2D9AxxTlNKDPj9q:tQfta0RaMA/mL5q

Score

10^/10

kronos banker botnet persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{6CCA87B6-4362-473B-9778-4E5CB019562A}\\f5ea51da.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{6CCA87B6-4362-473B-9778-4E5CB019562A}\\f5ea51da.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
1952	59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe
1952	59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeSystemtimePrivilege	872	Process not Found
Token: SeBackupPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeShutdownPrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeUndockPrivilege	872	Process not Found
Token: SeManageVolumePrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found
Token: SeLoadDriverPrivilege	872	Process not Found
Token: SeRestorePrivilege	872	Process not Found
Token: SeSystemEnvironmentPrivilege	872	Process not Found
Token: SeAssignPrimaryTokenPrivilege	872	Process not Found
Token: SeIncreaseQuotaPrivilege	872	Process not Found
Token: SeSecurityPrivilege	872	Process not Found
Token: SeTakeOwnershipPrivilege	872	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1256	Process not Found
1256	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1256	Process not Found
1256	Process not Found

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
808	Process not Found
808	Process not Found
808	Process not Found
808	Process not Found
808	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1764	1952	59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe	28
PID 1952 wrote to memory of 1764	1952	59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe	28
PID 1952 wrote to memory of 1764	1952	59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe	28
PID 1952 wrote to memory of 1764	1952	59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe	28

C:\Users\Admin\AppData\Local\Temp\59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe
"C:\Users\Admin\AppData\Local\Temp\59dc9cc5a82526223151f33fc16e4c2698c1725c93f8f7186efda9463aa9f166.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-74-0x00000000008E0000-0x00000000008E5000-memory.dmp

Filesize
20KB

Download
memory/260-63-0x0000000000290000-0x0000000000295000-memory.dmp

Filesize
20KB

Download
memory/324-75-0x0000000001BE0000-0x0000000001BE5000-memory.dmp

Filesize
20KB

Download
memory/332-64-0x00000000009C0000-0x00000000009C5000-memory.dmp

Filesize
20KB

Download
memory/368-65-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/380-66-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/416-67-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/460-68-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/476-69-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/484-72-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/596-78-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/676-70-0x0000000000430000-0x0000000000435000-memory.dmp

Filesize
20KB

Download
memory/752-71-0x0000000000AF0000-0x0000000000AF5000-memory.dmp

Filesize
20KB

Download
memory/808-79-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/844-73-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/872-80-0x0000000000A40000-0x0000000000A45000-memory.dmp

Filesize
20KB

Download
memory/1048-76-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1128-77-0x0000000001C60000-0x0000000001C65000-memory.dmp

Filesize
20KB

Download
memory/1160-87-0x0000000000260000-0x0000000000265000-memory.dmp

Filesize
20KB

Download
memory/1224-81-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/1256-85-0x0000000001D90000-0x0000000001D95000-memory.dmp

Filesize
20KB

Download
memory/1672-82-0x0000000000170000-0x0000000000175000-memory.dmp

Filesize
20KB

Download
memory/1764-62-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1764-84-0x00000000020B0000-0x0000000002274000-memory.dmp

Filesize
1.8MB

Download
memory/1764-60-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1764-61-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1884-83-0x0000000000440000-0x0000000000445000-memory.dmp

Filesize
20KB

Download
memory/1952-55-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1952-56-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/1952-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1952-57-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2044-86-0x0000000000340000-0x0000000000345000-memory.dmp

Filesize
20KB

Download