latentbot | 7d185fe0dc2abd855c8429d894cb08da8329e07371ab4088614735fe5feb9b5d

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PatronusKoxp Beta v2.1/Patronus Koxp Beta v2.1.exe
Size

1.9MB
MD5

cae504db8e67eb5c36210d2d5abcf3fd
SHA1

ff8c508712a1577a29f329a1d70878140651cd50
SHA256

148424a49616617d73d96f0e8b3d28138349ea8fd3eb9312a8d62abf496aa1b9
SHA512

229cb5eff1cea50104e0301e5b5217a261e69e9985829e3ee3aae821dc408f1cbe8f8cf09566d541924afab8348bac9260b4f358455e3c5768455bcf98c8dd0e
SSDEEP

24576:aaeH5Z7Y4LvYQNqTwlAET6fw+DLN5jDftcXRg6puB364ROPwCGnR+ai3cMipYrG:aP0mqTRHrrPGXKuC64QoDurG

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Executes dropped EXE 3 IoCs

Processes:

standard.exePATRONUS KOXP BETA V2.1.EXERUNDLL.EXE

pid	Process
2320	standard.exe
2484	PATRONUS KOXP BETA V2.1.EXE
2832	RUNDLL.EXE

Loads dropped DLL 8 IoCs

Processes:

Patronus Koxp Beta v2.1.exestandard.exeRUNDLL.EXEPATRONUS KOXP BETA V2.1.EXE

pid	Process
2060	Patronus Koxp Beta v2.1.exe
2060	Patronus Koxp Beta v2.1.exe
2320	standard.exe
2320	standard.exe
2320	standard.exe
2320	standard.exe
2832	RUNDLL.EXE
2484	PATRONUS KOXP BETA V2.1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Patronus Koxp Beta v2.1.exestandard.exePATRONUS KOXP BETA V2.1.EXERUNDLL.EXEcmd.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patronus Koxp Beta v2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	standard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PATRONUS KOXP BETA V2.1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

PATRONUS KOXP BETA V2.1.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	PATRONUS KOXP BETA V2.1.EXE

Modifies registry class 64 IoCs

Processes:

PATRONUS KOXP BETA V2.1.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Programmable	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\InprocServer32	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ProxyStubClsid32	PATRONUS KOXP BETA V2.1.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\InprocServer32\ThreadingModel = "Apartment"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\ = "SSTabCtl General Property Page Object"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PatronusKoxp Beta v2.1\\TABCTL32.OCX"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\MiscStatus\1\ = "197009"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Required Categories\{D40C2700-FFA1-11CF-8234-00AA00C1AB85}	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ = "ISSTabCtl"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\InprocServer32	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Version	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}	PATRONUS KOXP BETA V2.1.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\ = "Microsoft Tabbed Dialog Control 6.0 (SP6)"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab.1\CLSID\ = "{BDC217C5-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Control	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\MiscStatus	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\MiscStatus\1	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PatronusKoxp Beta v2.1\\TABCTL32.OCX"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CLSID	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CLSID\ = "{BDC217C5-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\TypeLib	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\0\win32	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.1"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\ProgID\ = "TabDlg.SSTab.1"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ = "DSSTabCtlEvents"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\FLAGS	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ = "ISSTabCtl"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.1"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\FLAGS\ = "2"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab.1\ = "Microsoft Tabbed Dialog Control 6.0 (SP6)"	PATRONUS KOXP BETA V2.1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Required Categories	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\TypeLib\Version = "1.1"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PatronusKoxp Beta v2.1\\TABCTL32.OCX"	PATRONUS KOXP BETA V2.1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\ = "Microsoft Tabbed Dialog Control 6.0 (SP6)"	PATRONUS KOXP BETA V2.1.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2736	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Patronus Koxp Beta v2.1.exestandard.exe

pid	Process
2060	Patronus Koxp Beta v2.1.exe
2320	standard.exe
2320	standard.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

PATRONUS KOXP BETA V2.1.EXERUNDLL.EXE

pid	Process
2484	PATRONUS KOXP BETA V2.1.EXE
2832	RUNDLL.EXE
2484	PATRONUS KOXP BETA V2.1.EXE
2484	PATRONUS KOXP BETA V2.1.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Patronus Koxp Beta v2.1.exestandard.exeRUNDLL.EXEcmd.execmd.exe

description	pid	Process	procid_target
PID 2060 wrote to memory of 2320	2060	Patronus Koxp Beta v2.1.exe	29
PID 2060 wrote to memory of 2320	2060	Patronus Koxp Beta v2.1.exe	29
PID 2060 wrote to memory of 2320	2060	Patronus Koxp Beta v2.1.exe	29
PID 2060 wrote to memory of 2320	2060	Patronus Koxp Beta v2.1.exe	29
PID 2320 wrote to memory of 2484	2320	standard.exe	30
PID 2320 wrote to memory of 2484	2320	standard.exe	30
PID 2320 wrote to memory of 2484	2320	standard.exe	30
PID 2320 wrote to memory of 2484	2320	standard.exe	30
PID 2320 wrote to memory of 2832	2320	standard.exe	31
PID 2320 wrote to memory of 2832	2320	standard.exe	31
PID 2320 wrote to memory of 2832	2320	standard.exe	31
PID 2320 wrote to memory of 2832	2320	standard.exe	31
PID 2832 wrote to memory of 2868	2832	RUNDLL.EXE	32
PID 2832 wrote to memory of 2868	2832	RUNDLL.EXE	32
PID 2832 wrote to memory of 2868	2832	RUNDLL.EXE	32
PID 2832 wrote to memory of 2868	2832	RUNDLL.EXE	32
PID 2868 wrote to memory of 2728	2868	cmd.exe	34
PID 2868 wrote to memory of 2728	2868	cmd.exe	34
PID 2868 wrote to memory of 2728	2868	cmd.exe	34
PID 2868 wrote to memory of 2728	2868	cmd.exe	34
PID 2728 wrote to memory of 2736	2728	cmd.exe	35
PID 2728 wrote to memory of 2736	2728	cmd.exe	35
PID 2728 wrote to memory of 2736	2728	cmd.exe	35
PID 2728 wrote to memory of 2736	2728	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\PatronusKoxp Beta v2.1\Patronus Koxp Beta v2.1.exe
"C:\Users\Admin\AppData\Local\Temp\PatronusKoxp Beta v2.1\Patronus Koxp Beta v2.1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\standard.exe
  C:\Users\Admin\AppData\Local\Temp\\standard.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Roaming\PATRONUS KOXP BETA V2.1.EXE
    "C:\Users\Admin\AppData\Roaming\PATRONUS KOXP BETA V2.1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2484
- - C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
    "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\PatronusKoxp Beta v2.1\run.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PatronusKoxp Beta v2.1\run.bat

Filesize
145B

MD5
6b8393408a3f2df19ff1e68a4f720729

SHA1
03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6

SHA256
623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9

SHA512
235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
678KB

MD5
b4d736875783a1048e6e216d3b2b38c6

SHA1
1496c92d77fef5a02934bccec920c08ea97f43f7

SHA256
1de33c51c314957f3fc1084cbeac14ac6b1552da21b7fd91e604aca00e514b98

SHA512
d64d43663330caef3f8a65a37b9ab93b4a662308776faf390f3d1b59e9540572b7f262b04acd3737a90fbe542773ac94e32413058d84024c6c3e388e918a3865

Download Submit
\Users\Admin\AppData\Local\Temp\standard.exe

Filesize
1.6MB

MD5
a40786ce73f802fbcce5c2c9ad18d930

SHA1
0e33426188644e0dcfcdd981d9d40ce8e86fb64a

SHA256
7d939b66f8bc2b5fde0f876fc5b664152d6c3308203fcafedd1512cb769269d2

SHA512
48ce814bd5940932f047ac9743ce4ab0faad3c9a8f2de60b80ff4608fa98a649470d9082e79c0982a1546c4aedbc835b59018889dee4a147d66fcd0038137690

Download Submit
\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
93KB

MD5
19fc09ffc7c367c396bd944ac36929e5

SHA1
09b4b657ca58881a649e16fc5dffe921e4f05056

SHA256
2d881e059893bc0bfb41d2a515f4ecca0e372df9048a00c873381eb9ae950852

SHA512
d15f9d8099f11611ea117b8302f27362180c4898e1bd52bc026d9a00b5a3010508b5c6fc65fb7dadf20f388c841296703acbd78abe44948ddcd643b530372577

Download Submit
\Users\Admin\AppData\Roaming\patronus koxp beta v2.1.exe

Filesize
372KB

MD5
70d61abd6492d8d343de51ab9f78c08e

SHA1
a589c0817754a19ad750517bde22d2a8998a1aa9

SHA256
362adcd9adc2581c6d6701c94e5777583888a310fa3a14de525fb89363710b4d

SHA512
4648731184385b89bfe2f2e0cca8c71d1b29b69c00f1717a2fe47080a724ea25632da27092277f72162422b2d900dac3f7452d30bc6d3ec5a43d6783cd8f3b90

Download Submit
memory/2060-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2320-32-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2320-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2484-45-0x0000000001DA0000-0x0000000001DBC000-memory.dmp

Filesize
112KB

Download
memory/2484-46-0x0000000004DB0000-0x0000000005E12000-memory.dmp

Filesize
16.4MB

Download
memory/2484-59-0x0000000001DA0000-0x0000000001DBC000-memory.dmp

Filesize
112KB

Download
memory/2832-31-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2832-61-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2832-60-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download