Resubmissions
09-05-2023 18:34  230509-w77spsfc6z  10  Analysis

max time kernel: 29s
max time network: 46s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2023 18:34
Behavioral tasks
behavioral1: sample CraxsRat v4/Crack.exe, resource win10v2004-20230220-en
behavioral2: sample CraxsRat v4/CraxsRat v4.exe, resource win10v2004-20230220-en
behavioral3: sample CraxsRat v4/V4.exe, resource win10v2004-20230220-en
General
Target: CraxsRat v4/Crack.exe
Size: 47KB
MD5: 71499b2947646d03cf1f0addf810083e
SHA1: 3d4d1e108ab43e0a6416bad34e3915e6e6a79873
SHA256: 5a8e9e4691806bc732d2ac2dc4e1e1679f49ccf7c228d828dc329ffd85084512
SHA512: 6fd9e8720a1be33b614cf2bdabdc813f5981f996187b6fb00be744d62a9d905d90bcab31e7f936f0d66eb60a9dea0d8c46e5a6d1475581b88e9606ffe2864b8f
SSDEEP: 768:DeICljTILmCKi+DiBtelDSN+iV08Ybyge6D9KyvEgK/J3ZVc6KN:DeIYdmBtKDs4zb1P8ynkJ3ZVclN
Malware Config
Extracted
family: asyncrat
version: 1.0.7
botnet: Default
c2: description-lease.at.ply.gg:25727
mutex: DcRatMutex_qwqdanchun
delay: 1
install: true
install_file: Updates.exe
install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource: behavioral1/memory/3588-133-0x0000000000770000-0x0000000000782000-memory.dmp  yara_rule: asyncrat
  resource: C:\Users\Admin\AppData\Roaming\Updates.exe  yara_rule: asyncrat
  resource: C:\Users\Admin\AppData\Roaming\Updates.exe  yara_rule: asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation  process: Crack.exe

Executes dropped EXE (1 IoC)
  pid: 4260  process: Updates.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  pid: 212  process: timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid: 3588  process: Crack.exe  (23 identical events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid: 3588  process: Crack.exe
  Token: SeDebugPrivilege  pid: 4260  process: Updates.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 3588 wrote to memory of 1900  process: Crack.exe  target: cmd.exe
  PID 3588 wrote to memory of 1900  process: Crack.exe  target: cmd.exe
  PID 3588 wrote to memory of 3288  process: Crack.exe  target: cmd.exe
  PID 3588 wrote to memory of 3288  process: Crack.exe  target: cmd.exe
  PID 1900 wrote to memory of 2528  process: cmd.exe  target: schtasks.exe
  PID 1900 wrote to memory of 2528  process: cmd.exe  target: schtasks.exe
  PID 3288 wrote to memory of 212  process: cmd.exe  target: timeout.exe
  PID 3288 wrote to memory of 212  process: cmd.exe  target: timeout.exe
  PID 3288 wrote to memory of 4260  process: cmd.exe  target: Updates.exe
  PID 3288 wrote to memory of 4260  process: cmd.exe  target: Updates.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\CraxsRat v4\Crack.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat v4\Crack.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Updates" /tr '"C:\Users\Admin\AppData\Roaming\Updates.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Updates" /tr '"C:\Users\Admin\AppData\Roaming\Updates.exe"'
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE27.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\Updates.exe
      command line: "C:\Users\Admin\AppData\Roaming\Updates.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE27.tmp.bat
  Filesize: 151B
  MD5: 1116e778da1b5ac6272f2237f99274cf
  SHA1: aeffa3b72d1bfabb3244365ce7484975178e4f42
  SHA256: f4be819eeebfa351a98d79b01392077bbcc80bc45aae301486f681fc8194a939
  SHA512: b3eead2a6484582e0c3e5af9037a7aab244e73ccd8ae10fea74eb18733c013466798e61144e28ba4d8e1a061676b8b274b4787ba82e441145fb6c8a768f3aa26

C:\Users\Admin\AppData\Roaming\Updates.exe (listed twice in the report with identical hashes; same hashes as the submitted Crack.exe)
  Filesize: 47KB
  MD5: 71499b2947646d03cf1f0addf810083e
  SHA1: 3d4d1e108ab43e0a6416bad34e3915e6e6a79873
  SHA256: 5a8e9e4691806bc732d2ac2dc4e1e1679f49ccf7c228d828dc329ffd85084512
  SHA512: 6fd9e8720a1be33b614cf2bdabdc813f5981f996187b6fb00be744d62a9d905d90bcab31e7f936f0d66eb60a9dea0d8c46e5a6d1475581b88e9606ffe2864b8f

memory/3588-133-0x0000000000770000-0x0000000000782000-memory.dmp
  Filesize: 72KB

memory/3588-134-0x000000001B480000-0x000000001B490000-memory.dmp
  Filesize: 64KB

memory/4260-143-0x0000000002CB0000-0x0000000002CC0000-memory.dmp
  Filesize: 64KB

memory/4260-144-0x0000000002CB0000-0x0000000002CC0000-memory.dmp
  Filesize: 64KB