Analysis
- max time kernel: 1200s
- max time network: 1089s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 11/04/2023, 20:30
Behavioral tasks
- behavioral1: ChangeLog.html (resource win10-20230220-en)
- behavioral2: CraxsRat.exe.xml (resource win10-20230220-en)
- behavioral3: CraxsRat.xml (resource win10-20230220-en)
- behavioral4: License.xml (resource win10-20230220-en)
- behavioral5: LiveCharts.Wpf.xml (resource win10-20230220-en)
- behavioral6: SimplicLoader.exe (resource win10-20230220-en)
- behavioral7: System.IO.Compression.ZipFile.dll (resource win10-20230220-en)
- behavioral8: Vip.Notification.dll (resource win10-20230220-en)
- behavioral9: WinMM.Net.dll (resource win10-20230220-en)
General
- Target: ChangeLog.html
- Size: 1KB
- MD5: e13a142fd65ba98dcd14acab49b75f5c
- SHA1: 5259cc36a8473edab4b5328dd45ba2c0579185cc
- SHA256: adedda589be1f4181787e5f3453ca48f74f950ba7628099ba217d89fd9eb7f73
- SHA512: 10dfc63549eb15d2bd787f83e5da43a9a2eb34fd9fbc22d10b1015eb0869c3e323db1d49c7338a567105fea9139a04294a51a9f44e2562b703c5c10e07685004
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257259340537265" (chrome.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - PID 4824 chrome.exe
  - PID 4824 chrome.exe
  - PID 4824 chrome.exe
  - PID 4824 chrome.exe
  - PID 2628 chrome.exe
  - PID 2628 chrome.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  - PID 4824 chrome.exe
  - PID 4824 chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs; process 4824 chrome.exe)
- Suspicious use of FindShellTrayWindow (26 IoCs; process 4824 chrome.exe)
- Suspicious use of SendNotifyMessage (24 IoCs; process 4824 chrome.exe)
- Suspicious use of WriteProcessMemory (64 IoCs; process 4824 chrome.exe)
Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4824)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\ChangeLog.html
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3920)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8bd769758,0x7ff8bd769768,0x7ff8bd769778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2136)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1536)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3536)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1700 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4584)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4392)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4376)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 700)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3200)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2628)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4568 --field-trial-handle=1780,i,159014943100734640,7268190779050712165,131072 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 3092)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 200KB
  MD5: 31673402fcf3808c147e91ee4db19b25
  SHA1: a97381bc3c68421bc5cc25d9add0169a3fb40794
  SHA256: 5d03952ca6b2ea325dc5af869936b67e7df81d307ba864e5230b871fbf0658d3
  SHA512: e038d06e6574456f2bfb2131ec6870d9b1866a9c115b5c30cd8e92f03f63485bc98a642353e55bc598251d8d778c371ccb9df8af9ce4aaa3f1fb49fb92c1cf2f
- Filesize: 5KB
  MD5: b2ad5d06eb8ecf3c44e4d06a826e143c
  SHA1: 16c6983e172b2ac9da411aa8bf80a8a4ae609467
  SHA256: 17729a21d676812473acf6c023139901ab5fd8a3cc96acc84c05cbdd36cfde94
  SHA512: 17dbcaa86adbca1d35612ac305d08adba8b22d83a2f9858cef71077d16692b04c07465a8fb9f30da7a8eedb389552cd7c1a6d7dec45af989735845e86e814e3d
- Filesize: 5KB
  MD5: 0910df89948021b444a667e3581f95ce
  SHA1: 245842b1268039a90c9bbf0e05ccde7852a81d6d
  SHA256: 972e5c4f4caf86a5e9da6f7f64cb6f42e6631bd6116285009ac12fbff6fe30de
  SHA512: c04fda2c074086161bf31f04886efbda9e3aa45112bfc56d5c64ef363a54277af86c834b8e83ae4a0a5c87b17c08c09f5059246c7a090da713161de64437e411
- Filesize: 5KB
  MD5: 6ff02d495dd0c99daf6465e0ba3ff276
  SHA1: c3cba885bf9b9749013182321d9d93ef16a0b09b
  SHA256: 022694ea106cdad9d0daed38ca1f2e73de7e3d46354b587f62f1340644292445
  SHA512: 7fce57fba14d8c96aca986743ae015e4d9d9bb00c196e9f24b3621ffaf1054d7d16594e481d28b165ec346f2cf395a8380b2ad100ff03461aba377788af2a256
- Filesize: 201KB
  MD5: ecf2820f424f17414f8076d49e0fbe99
  SHA1: 6474ce998205b5750966cdd354e4caec499a9040
  SHA256: 7db39a127cc3961fe82f8c2894c2544edfb80628fdaf90ca2eddb9172a75a2d6
  SHA512: e4a6016dfc2fb07ba0ac3279a82ed3885d2b25ab4c44d9ea05e33f4865a989d822610f5474a8b991aac42dbe274c876690a1bb1a5ebb28075ccb246837c4761e
- Filesize: 72KB
  MD5: 869e8bbd2ffeecb18f23a7895ceab353
  SHA1: 56d8263faa112cc7b5a08229765cf0782c3ab073
  SHA256: 83cdd1a8e117002e959c07f4d51b37412b35ba5ea892efc1f96c4aa3519ce442
  SHA512: 13a0c97f08b35005e4d68873809b72e94d830df103ae65dca2f1d29fe19b9df240f2bd411d8c58b96dc1bbb5511071ea81f04aa81628469afee787ef9d158c0a
- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd