40c92384d321d4728f5f8a7e86066069313b91ed9368f0fa50a55b6ec7f72a25

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KRNL-REBORN/krnlss.exe.xml
Size

202B
MD5

0ed4b3831ff5e91dff636145f68aac4c
SHA1

2d1140812945dc1b9e400a88c911803639cb2e49
SHA256

03962ae5a55dfc70e2717771a9a7aa37b956b2c5b4c62e3cff9fe24360250347
SHA512

4039d0272678777ba6fa496baf875050bd4c29352fffd37af8c3c07fb2abeedc54ba04a3dd085b491d848e951ccfcbd67ec7ba50a10ec0c624df45e98c18bf1c

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80180b980eedda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000749c45cfc5d007066c9786df2789b997b1abeebf843c161c95a92b6e3413224f000000000e80000000020000200000009b3a1bdf7c5999ffc268053115aceed16b82f4f74444bcd28b45cf9bc239511390000000c46c5f0ccc48132cd90820350b47f7357c398146c52064c121cbc89c02757e6fe8dfc89b094a3098d682020a46ce6bef6d887c6bddb9938294f6a923d98eb4979c1cbbca2b2946d30017efadb0401e20cdd9567416b87eb830a249f261ccdc57f0f8477e1fe937b2855222c45a2dcaf9da816e6d50246a86971b48979d3482f43d85262132a30c7e35e240216924a5844000000063148d869cee233667f6e7e5d8ab0d0b9bf28495a0464b15d1b7056b264077896f32f0c73ccc2e901cdcc327214492d87f70be88497100e67331b6ae1cbf289d	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000feb0c989c257c54866a106a65dc5c3e62e512933f01a421e42c13ad9dd90fa82000000000e8000000002000020000000d44d0359b60fff1822a4326d9ac17031b656eddf09bd3c9d50fd082899ef662520000000036ff406e354839e2528401f9fcb9ab85f0869e09353625bf3449cea0bb970804000000037e8af6e8ba77f0aaf19715a19aaa890c347e224a839a27d2d09fad8334a920dd0130bc5a9c5b67e58f7a557f870548c323504e932da8120eabc4e4417c012ce	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3665E41-5901-11EF-A3CD-E6140BA5C80C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3064	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2772	2756	MSOXMLED.EXE	30
PID 2756 wrote to memory of 2772	2756	MSOXMLED.EXE	30
PID 2756 wrote to memory of 2772	2756	MSOXMLED.EXE	30
PID 2756 wrote to memory of 2772	2756	MSOXMLED.EXE	30
PID 2772 wrote to memory of 3064	2772	iexplore.exe	31
PID 2772 wrote to memory of 3064	2772	iexplore.exe	31
PID 2772 wrote to memory of 3064	2772	iexplore.exe	31
PID 2772 wrote to memory of 3064	2772	iexplore.exe	31
PID 3064 wrote to memory of 2932	3064	IEXPLORE.EXE	32
PID 3064 wrote to memory of 2932	3064	IEXPLORE.EXE	32
PID 3064 wrote to memory of 2932	3064	IEXPLORE.EXE	32
PID 3064 wrote to memory of 2932	3064	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\KRNL-REBORN\krnlss.exe.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c42f9a5b436c41633376d29056fc6bef

SHA1
710997a94b61798fdb048fcfab0263624027afca

SHA256
dbbdcea3bf367cd54ce5a2b365116a6616f871c12805b4edfc196a96bc0e6bbd

SHA512
f0f3ae8513fbdb33bf444d9e700b12ec521b9350516f3b9b8a20c4e0df49d2273973cdc448ab88a577b148ce449b0bdbf25da2ab7ebf58bdbb92ff1d8b012a39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58ee02312ff8df72645e8445d9b0d5ef

SHA1
baea488cae172047f3c9c987984ea4f01fad9c93

SHA256
086655cde2b2f1cfabe214f40bc07c2f0b1270b527c1970284302d20a08e0684

SHA512
d4397d712c45c60802c533213e7ab61374800825e53b5f82c36c03a8ad62dc62a320ac3aeddac8ca1f480615ac7394c7305391c6a8a59a787a700c613cca74d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ba334d1c43895ae23d4b80fe6231d28

SHA1
863cda477c36b967d06a0e6d5e4347ccd9a5f1f3

SHA256
bc047504d8ae4b6f97a48efd686c6d40d392aedcb30294d1297658a7a472aff5

SHA512
7ce999985bc9032ff1d33bef1a71bbef686f6c226a50cea850e4ada8b44fe41f25e2796fb41cef0ffa9e4373b4e835a27e94450ea6123b5a9c59a93043c0afa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdcc9b51f60277c33de84d63d1fa4a1c

SHA1
da0ff9ceea3d85d61f69ab7da1b8e2cb183de01d

SHA256
6b068ac9e9e5c72e2dfdbc2d7ada28e18a60d247196b406f0e94aac250a27a7e

SHA512
8558da0c06038a478ff1113818509d3a7e83d4be32fbdbb877b072a8d0077671a17e4dca0b91c83d30f1c7f6025d645c56407d0f941d2fba19ab0c8e0cb75e5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d62a83decfbe25af43210af731cae0e7

SHA1
1ccbe9c373144ea4b9ce5b4de5605e292f710f3b

SHA256
ebc5494407f849bf6e7c84ecaa502b0d93e8a673f8d2705998b44331e4e17c1d

SHA512
8beeb69b7cb2674641b531d6624c68336b4142ffafa1ddc4ac9c806b9298c0426f1ca41b54b294b1a4808288a56e0a3dc3d9fc9b59df97a667ca20ef279dca9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4247e22ffeda681b3ae45af32946d0f9

SHA1
6c55d7d8e26edb7f58e2224aa2bc067bbbd30031

SHA256
2714f3f2e84774dc996c4c66160a3881e29fcc3d00357e6f1075b61ab71a189b

SHA512
ad972db557d12228f84effd88a910000af43272480c721fb3e14f8c94e59fc928dfc53fc4315012e4d53fe78a51a70791a4a79241a7e79205f4a71e49832047e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
769759f0af6a835310aa9e17bd6f2513

SHA1
5441ad697c7ac292b2f5a8888d8b156791a27cb3

SHA256
8c6c0256178487d459100b85432d5b81c25bc751df7419b7dec4a38a0741ae70

SHA512
ca8c770ddadf6d40be786cea8a3058fb77bf84e8fd4f6dd4ce4f5c56cd441fb3c9b154f4c42f9767e722b3798f14579938d2b65167149848e19bfd35846eba94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
586b258481d63d5b736355916264fd82

SHA1
62ff5fca580117e13d0d6b64d1fd43804467d6e0

SHA256
daf2fc40b98e4cb4b50b340a40a23b717cd1415f9236a450cceea05b924415cb

SHA512
329a20bfb3ee9503d2f8214160566e4d693df6e03acf294a2bc54cc38af7317d83783e8204d72566453794577090d1ea90ef95127708899fffa21c8504d05563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d9cc49ff98da4a14ee132d286f5699c

SHA1
f4902dfab82a7b6c5289c374a64f67c438cb4005

SHA256
5f8de0701dcb0d4e7fe21d6847c289eff9255f167dc11a07361051800efad71d

SHA512
12cc7c1fecd76cb2a26d6a051c0d2776a9de8054d11a300d11aed247c34e7e079dce94d09d65e67d44fd81c279ce006b029c21642ba764be0d2961ad9eb029ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9648.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar96F8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit