Analysis

  • max time kernel
    31s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-08-2024 23:21

General

  • Target

    KRNL-REBORN/krnlss.exe.xml

  • Size

    202B

  • MD5

    0ed4b3831ff5e91dff636145f68aac4c

  • SHA1

    2d1140812945dc1b9e400a88c911803639cb2e49

  • SHA256

    03962ae5a55dfc70e2717771a9a7aa37b956b2c5b4c62e3cff9fe24360250347

  • SHA512

    4039d0272678777ba6fa496baf875050bd4c29352fffd37af8c3c07fb2abeedc54ba04a3dd085b491d848e951ccfcbd67ec7ba50a10ec0c624df45e98c18bf1c

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\KRNL-REBORN\krnlss.exe.xml"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2932
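The chain above (MSOXMLED.EXE, the Office XML file handler, opening the .xml target and handing it to Internet Explorer, which then spawns its own protected-mode tab process with the SCODEF/CREDAT arguments) is easier to reason about as parent/child relations than as the flattened list the report prints. The Python below is an added example for this page, not tooling from the sandbox or code from the sample: it parses the Processes section (reproduced verbatim as a constructed input), resolves each PID's parent from the depth markers, indexes which signature fired on which PID, and applies one hypothetical triage rule, "Office component launches a browser", which is an assumption for illustration rather than a rule the sandbox uses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the Processes section of this report, copied verbatim.
SAMPLE = r"""
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\KRNL-REBORN\krnlss.exe.xml"
1⤵
• System Location Discovery: System Language Discovery
• Suspicious use of WriteProcessMemory
PID:2756
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
• System Location Discovery: System Language Discovery
• Suspicious use of WriteProcessMemory
PID:2772
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
• Modifies Internet Explorer settings
• Suspicious use of FindShellTrayWindow
• Suspicious use of SetWindowsHookEx
• Suspicious use of WriteProcessMemory
PID:3064
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
4⤵
• System Location Discovery: System Language Discovery
• Modifies Internet Explorer settings
• Suspicious use of SetWindowsHookEx
PID:2932
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")   # "N⤵" marks nesting depth of the record
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str
    cmdline: Optional[str] = None
    depth: int = 0
    pid: int = 0
    parent: Optional[int] = None
    signatures: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_tree(text: str) -> Dict[int, Proc]:
    """Each record is: image path, command line, 'N⤵', zero or more
    '• signature' bullets, then 'PID:n'. The parent is the nearest
    earlier record with a smaller depth."""
    procs: Dict[int, Proc] = {}
    stack: List[Proc] = []            # ancestors of the record being built
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = Proc(image=line)
        elif cur.cmdline is None:
            cur.cmdline = line
        elif (m := DEPTH_RE.match(line)):
            cur.depth = int(m.group(1))
        elif line.startswith("•"):
            cur.signatures.append(line[1:].strip())
        elif (m := PID_RE.match(line)):
            cur.pid = int(m.group(1))
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()
            cur.parent = stack[-1].pid if stack else None
            stack.append(cur)
            procs[cur.pid] = cur
            cur = None
        else:
            raise ValueError(f"unexpected line in record {cur.image!r}: {line!r}")
    if cur is not None:
        raise ValueError("truncated record at end of input")
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image basenames from the root of the tree down to `pid`."""
    chain, node = [], procs[pid]
    while node is not None:
        chain.append(node.name)
        node = procs[node.parent] if node.parent is not None else None
    return chain[::-1]


# Hypothetical triage rule (an assumption for this example): an Office
# component launching a browser is worth a second look regardless of score.
OFFICE_IMAGES = {"msoxmled.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSER_IMAGES = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def flag_office_to_browser(procs: Dict[int, Proc]) -> List[tuple]:
    """Return (parent_pid, child_pid, child_cmdline) for Office->browser spawns."""
    hits = []
    for p in procs.values():
        if p.parent is None:
            continue
        par = procs[p.parent]
        if par.name.lower() in OFFICE_IMAGES and p.name.lower() in BROWSER_IMAGES:
            hits.append((par.pid, p.pid, p.cmdline))
    return hits


def signature_index(procs: Dict[int, Proc]) -> Dict[str, List[int]]:
    """Map each signature name to the PIDs it fired on."""
    index: Dict[str, List[int]] = {}
    for p in procs.values():
        for sig in p.signatures:
            index.setdefault(sig, []).append(p.pid)
    return index


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for pid in tree:
        print(f"{pid:>5} parent={tree[pid].parent} {' > '.join(lineage(tree, pid))}")
    for parent_pid, child_pid, cmd in flag_office_to_browser(tree):
        print(f"office->browser: {parent_pid} -> {child_pid}: {cmd}")
    for sig, pids in signature_index(tree).items():
        print(f"{sig}: {pids}")
```

Run as-is it prints the four PIDs with their ancestry, the single MSOXMLED.EXE -> iexplore.exe hit, and each signature with the PIDs it fired on; the same parser works on any report in this layout, since it relies only on the depth marker and PID line rather than on indentation.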

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c42f9a5b436c41633376d29056fc6bef

    SHA1

    710997a94b61798fdb048fcfab0263624027afca

    SHA256

    dbbdcea3bf367cd54ce5a2b365116a6616f871c12805b4edfc196a96bc0e6bbd

    SHA512

    f0f3ae8513fbdb33bf444d9e700b12ec521b9350516f3b9b8a20c4e0df49d2273973cdc448ab88a577b148ce449b0bdbf25da2ab7ebf58bdbb92ff1d8b012a39

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    58ee02312ff8df72645e8445d9b0d5ef

    SHA1

    baea488cae172047f3c9c987984ea4f01fad9c93

    SHA256

    086655cde2b2f1cfabe214f40bc07c2f0b1270b527c1970284302d20a08e0684

    SHA512

    d4397d712c45c60802c533213e7ab61374800825e53b5f82c36c03a8ad62dc62a320ac3aeddac8ca1f480615ac7394c7305391c6a8a59a787a700c613cca74d5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9ba334d1c43895ae23d4b80fe6231d28

    SHA1

    863cda477c36b967d06a0e6d5e4347ccd9a5f1f3

    SHA256

    bc047504d8ae4b6f97a48efd686c6d40d392aedcb30294d1297658a7a472aff5

    SHA512

    7ce999985bc9032ff1d33bef1a71bbef686f6c226a50cea850e4ada8b44fe41f25e2796fb41cef0ffa9e4373b4e835a27e94450ea6123b5a9c59a93043c0afa3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fdcc9b51f60277c33de84d63d1fa4a1c

    SHA1

    da0ff9ceea3d85d61f69ab7da1b8e2cb183de01d

    SHA256

    6b068ac9e9e5c72e2dfdbc2d7ada28e18a60d247196b406f0e94aac250a27a7e

    SHA512

    8558da0c06038a478ff1113818509d3a7e83d4be32fbdbb877b072a8d0077671a17e4dca0b91c83d30f1c7f6025d645c56407d0f941d2fba19ab0c8e0cb75e5f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d62a83decfbe25af43210af731cae0e7

    SHA1

    1ccbe9c373144ea4b9ce5b4de5605e292f710f3b

    SHA256

    ebc5494407f849bf6e7c84ecaa502b0d93e8a673f8d2705998b44331e4e17c1d

    SHA512

    8beeb69b7cb2674641b531d6624c68336b4142ffafa1ddc4ac9c806b9298c0426f1ca41b54b294b1a4808288a56e0a3dc3d9fc9b59df97a667ca20ef279dca9b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4247e22ffeda681b3ae45af32946d0f9

    SHA1

    6c55d7d8e26edb7f58e2224aa2bc067bbbd30031

    SHA256

    2714f3f2e84774dc996c4c66160a3881e29fcc3d00357e6f1075b61ab71a189b

    SHA512

    ad972db557d12228f84effd88a910000af43272480c721fb3e14f8c94e59fc928dfc53fc4315012e4d53fe78a51a70791a4a79241a7e79205f4a71e49832047e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    769759f0af6a835310aa9e17bd6f2513

    SHA1

    5441ad697c7ac292b2f5a8888d8b156791a27cb3

    SHA256

    8c6c0256178487d459100b85432d5b81c25bc751df7419b7dec4a38a0741ae70

    SHA512

    ca8c770ddadf6d40be786cea8a3058fb77bf84e8fd4f6dd4ce4f5c56cd441fb3c9b154f4c42f9767e722b3798f14579938d2b65167149848e19bfd35846eba94

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    586b258481d63d5b736355916264fd82

    SHA1

    62ff5fca580117e13d0d6b64d1fd43804467d6e0

    SHA256

    daf2fc40b98e4cb4b50b340a40a23b717cd1415f9236a450cceea05b924415cb

    SHA512

    329a20bfb3ee9503d2f8214160566e4d693df6e03acf294a2bc54cc38af7317d83783e8204d72566453794577090d1ea90ef95127708899fffa21c8504d05563

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3d9cc49ff98da4a14ee132d286f5699c

    SHA1

    f4902dfab82a7b6c5289c374a64f67c438cb4005

    SHA256

    5f8de0701dcb0d4e7fe21d6847c289eff9255f167dc11a07361051800efad71d

    SHA512

    12cc7c1fecd76cb2a26d6a051c0d2776a9de8054d11a300d11aed247c34e7e079dce94d09d65e67d44fd81c279ce006b029c21642ba764be0d2961ad9eb029ae

  • C:\Users\Admin\AppData\Local\Temp\Cab9648.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar96F8.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b