Analysis

  • max time kernel
    112s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-uk
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
  • submitted
    03-03-2024 13:53

General

  • Target

    Ransomware/Krotten.exe

  • Size

    53KB

  • MD5

    87ccd6f4ec0e6b706d65550f90b0e3c7

  • SHA1

    213e6624bff6064c016b9cdc15d5365823c01f5f

  • SHA256

    e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

  • SHA512

    a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

  • SSDEEP

    768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK

Score
8/10

Malware Config

Signatures

  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Control Panel 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • System policy modification 1 TTPs 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Krotten.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Krotten.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4516
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3512 --field-trial-handle=2236,i,15087499320637845760,12598239521961063480,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3912

    Network

    • flag-us
      DNS
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      0.205.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.205.248.87.in-addr.arpa
      IN PTR
      Response
      0.205.248.87.in-addr.arpa
      IN PTR
      https-87-248-205-0lgwllnwnet
    • flag-us
      DNS
      57.169.31.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.169.31.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      48.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      www.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      2.17.5.133
    • flag-gb
      GET
      http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
      Remote address:
      2.17.5.133:80
      Request
      GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1126
      Content-Type: application/octet-stream
      Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
      Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
      ETag: 0x8D62594BC0C84D8
      x-ms-request-id: 248119ca-e01e-000c-7bd0-f8d0b8000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Sun, 03 Mar 2024 13:56:07 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV467ee724.0
      ms-cv-esi: CASMicrosoftCV467ee724.0
      X-RTag: RT
    • flag-gb
      GET
      http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
      Remote address:
      2.17.5.133:80
      Request
      GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1126
      Content-Type: application/octet-stream
      Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
      Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
      ETag: 0x8D62594BC0C84D8
      x-ms-request-id: 248119ca-e01e-000c-7bd0-f8d0b8000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      X-EdgeConnect-Origin-MEX-Latency: 105
      Date: Sun, 03 Mar 2024 13:56:08 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV646bd519.0
      ms-cv-esi: CASMicrosoftCV646bd519.0
      X-RTag: RT
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.5.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.5.17.2.in-addr.arpa
      IN PTR
      Response
      133.5.17.2.in-addr.arpa
      IN PTR
      a2-17-5-133deploystaticakamaitechnologiescom
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      140.71.91.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.71.91.104.in-addr.arpa
      IN PTR
      Response
      140.71.91.104.in-addr.arpa
      IN PTR
      a104-91-71-140deploystaticakamaitechnologiescom
    • flag-us
      DNS
      194.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      194.178.17.96.in-addr.arpa
      IN PTR
      Response
      194.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-194deploystaticakamaitechnologiescom
    • flag-us
      DNS
      0.204.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.204.248.87.in-addr.arpa
      IN PTR
      Response
      0.204.248.87.in-addr.arpa
      IN PTR
      https-87-248-204-0lhrllnwnet
    • 2.17.5.133:80
      http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
      http
      418 B
      1.8kB
      5
      4

      HTTP Request

      GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

      HTTP Response

      200
    • 2.17.5.133:80
      http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
      http
      418 B
      1.8kB
      5
      4

      HTTP Request

      GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

      HTTP Response

      200
    • 13.107.253.64:443
      46 B
      40 B
      1
      1
    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      0.205.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.205.248.87.in-addr.arpa

    • 8.8.8.8:53
      57.169.31.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      57.169.31.20.in-addr.arpa

    • 8.8.8.8:53
      48.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      48.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      www.microsoft.com
      dns
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      2.17.5.133

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      133.5.17.2.in-addr.arpa
      dns
      69 B
      131 B
      1
      1

      DNS Request

      133.5.17.2.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      140.71.91.104.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      140.71.91.104.in-addr.arpa

    • 8.8.8.8:53
      194.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      194.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      0.204.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.204.248.87.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.