19bd57fa080deeb94b3b07325b0d45d0e1a5abde38c123010b5fd640504751e0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KRNL Remake/KRNL Remake.exe
Size

3.5MB
MD5

eac81de18872f7b27bcd18701391d932
SHA1

43d16d2bc7c2da594f082cff18c8cb5988a815d4
SHA256

fd0db4e58b8a1fa05b8cb7f02d4bce5f3f5a6e9a28ef774dda7086b840cc72c3
SHA512

63158849d438da8b5b5b2addfb86705243147fe08e3ca81f9efad642ffaf483c50ac4e5886bf479c59ced068767d3cfdf7b5659aa4f3b050791171118f85642c
SSDEEP

49152:60N0fEE942x58snxIX5q9+/Cp9GLy8W4SVII2UR47Lr0F5SMI7:f0fl42Pbnxz9+6ue8xSVIIdWrYgMI7

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KRNL Remake.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b3711825f087948bd0e19d2c124f0cf00000000020000000000106600000001000020000000b11e21d90cd0c27a7ce7fc70ad08d522c80a4085164652e3ba119e93fa400e44000000000e800000000200002000000017ef3616609e9105aa3a131facd6815cb52d5f34e23b9970b74ee53345c37fb6200000009a03482ffa9ae050cba8a2dc1af5ffa46032020a3af76bd4d089507c4ccf953d40000000d4d0f4a22eae201530b418ba5974feeda0bf1844aae12b875d4be91287ef0ed276829078b5eb04cf540bc53bd1df347a5f9411ccc37db6b980b91bc966fef584	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b3711825f087948bd0e19d2c124f0cf000000000200000000001066000000010000200000005ac6e6969557e5ae3526ba9ed8324e1fdd16cd3549bc9385596baf9fdcd9f9d3000000000e800000000200002000000056debc8ab461ad83c8f1f46d953f35083db4cadbf49c6e06457fc14509185881900000006d8dbfd66e83c4c078c86d5709af560d89c58193d80bfea6d65afc79327777aa163e07fa81d80c336ec652ac1a831106efc971e25ca2e06be123046db052d9fb74176beec8cce16534ffb081bf53b50a54a9b2f2710e82411480b4f24f2d7acb31e3311dbbfbe29132914401321d9aadf49f8b0fb42af0bd136c248ed129ad1cdccd2ae6aeaeb0b183a3898817392f3a4000000028d4268ef498f8b31ce7187428698e7fee3853c35948916af785992775fa273b59cb4db00d769448d71551792084e8e850ce5f6ddb0b3918da864dedb40aa77c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09d02447d6adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6E04CBC1-D670-11EF-93F4-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2068	iexplore.exe
2068	iexplore.exe
3068	IEXPLORE.EXE
3068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2068	1120	KRNL Remake.exe	28
PID 1120 wrote to memory of 2068	1120	KRNL Remake.exe	28
PID 1120 wrote to memory of 2068	1120	KRNL Remake.exe	28
PID 1120 wrote to memory of 2068	1120	KRNL Remake.exe	28
PID 2068 wrote to memory of 3068	2068	iexplore.exe	29
PID 2068 wrote to memory of 3068	2068	iexplore.exe	29
PID 2068 wrote to memory of 3068	2068	iexplore.exe	29
PID 2068 wrote to memory of 3068	2068	iexplore.exe	29
PID 2068 wrote to memory of 696	2068	iexplore.exe	33
PID 2068 wrote to memory of 696	2068	iexplore.exe	33
PID 2068 wrote to memory of 696	2068	iexplore.exe	33
PID 2068 wrote to memory of 696	2068	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\KRNL Remake\KRNL Remake.exe
"C:\Users\Admin\AppData\Local\Temp\KRNL Remake\KRNL Remake.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=KRNL Remake.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3068
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:668677 /prefetch:2
    3⤵
    PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0700ede66c0be53aa6613f72b4e26833

SHA1
f5f1a5d48f4a34fba76b0a47c87316353660723f

SHA256
fe6f136170ae18a8bf66befb256e3c01502369b4c98cf5bc332e68d0c829625e

SHA512
d01118eceec04cbf07eaaa7ec8d34a73af54dc2f082845242d92cd5aa3f64184f0ca6167330c84a51d12d4297846622a8af2a53b47ee90729f0fe10700ffd5d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1539683eba96b84852c59fb18bd1c67

SHA1
72bb19a217731f9435e5c27ae82f30a4efc70e12

SHA256
d0a2f9cddb28096b948a5ae73bc1f2ab52101c5dca065e1a85facfbd1d89818d

SHA512
a36c602fc35ce52dffdfe1218f58777d6e69f9a5a4fe8079759c202b061cc3e41a55e2e48bbbb75938d06c0d04108d0513c7806edc07e96875ddbc515381aec4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fec815c7cc7bd6645b739a69c2ac84b3

SHA1
69df935505fa91e27badb2862cfc062fc3939965

SHA256
4f3e6b1163df0dec70e5e4eef7eb806fa6b42342fe10a5214cfa646540eb91ef

SHA512
2374b5ebe24acbca3cf4335cd2e99ad6a3f66a1e6c2e3a9bf898d493813c5661ed367e6d1b739894eb5ce18a4d9f2fb555375bf972f4bc8b63c8bb36008af5ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1fb97721ad128100272cd497a3fb959

SHA1
bb704383356ce6674c259cc802101ffb50240a5d

SHA256
9c1b20ff82325f2751d945fa90e51bcf116fa9b8b03678bb924637d96044a24e

SHA512
226247631ddd93ceaa71c5d258eb3bb5e787b5c569aaf60c9dc2817080ae1d569df46ebbe2898e25811b804375b8d17949e1f39d127ae22724918e4a60a1b687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2e63ccb71f70b4dab5c929b3df183ad

SHA1
54a27d8eaaa1750a1e74833c48c10d554a97b16d

SHA256
55813f72a5238ea8d372754cce81a7b69e8ea81a7fe14533fb959c0ae08fbb49

SHA512
92caa5533a7358dc55e52e94e14f87ef8f9288dd6f70fbd429b3771a41d5bd0973bde8fa6da4e608b317188c9cc4f4efaa7d8b4ef55b704599703312e8a141ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab6b10be1e37da102a5d65980308b04c

SHA1
da576b9ac8f9e94725fd4e0583845bf11a6be0d9

SHA256
6c2a6e909705e30d865ed19ab48c9eef995f730a930190666f2e1efb8a925c77

SHA512
ad04745ce756c9dac7292bf528b39073b7f18299d96bff1fd2b2cf1c76c64effe2f27abba6cbac73ad10d395194bb6e343b92bb2e7dbe526eb4c46a855978473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e68c85fb675c6c5f9194eb20885c245e

SHA1
a84f990b9deb234015068b3f295fc3e7786b3845

SHA256
9ac2033e570f2912e0a4dcf53d463de39fb91aac973a4e87077ffee8a328d31d

SHA512
8eb90b52e0cdf3d1834f4cc2bad9d1e8f27068a0dd0db536d9442ff7f3676c4a4f89d9edc604d069d6e7a334c74ecd87e24c9bb7780fa2587f90ea827eccebb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9dbfec5f22708958c121e65a4302e7d

SHA1
f116bbedf1505560005256c88161318857825281

SHA256
6e2d53bc1a0d986e6b5acbe6143a0dc155924462f7a1b41c478a2b182a94fd41

SHA512
a665829208a068d2991e534b479b0c385da93f3862259eee4f896517bedf8325053cf223e6cad48cf2ed2d14f8d1618714dc6a379d2cb3a4d50c799f25fbde9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
545950a80fa7adc7016ecbdeba1e1059

SHA1
4e7511ec5db83d631bfaef504d051081ab86f129

SHA256
7295fb0ccd36f7cd360dc8aa663d5f48dcc55278956185dfcdf785e19a18a63d

SHA512
b24b7db30b0b153f28e21b16aca6179c46b8f82687dda567224f16db16365023c434eb44a197d4de1ce0fa4b35ef5c39928615fec0ece81e58c5d5cc7920c43d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
572348de0201541a9194ef622317c66b

SHA1
46226f0a1b9817a11a98be6acd35bcb203c1fad0

SHA256
3c5734c518bc01fcc2d524a55ccb7b9c6801c13797f15274e081797d52e999ef

SHA512
2c1886b4273c8f74765df88042ce51a36a3153ccac1588072145ef21e4c40b48d60a4de1b74de57c187159fca23009a9372505824568fe08b911b0539e528b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA057.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA069.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit