Overview

  Score  Task                 Platform
  7      Static
  7      CraxRat V4...CK.exe  windows10-1703-x64
  7      CraxRat V4...es.dll  windows10-1703-x64
  3      CraxRat V4...on.dll  windows10-1703-x64
  3      CraxRat V4...UI.dll  windows10-1703-x64
  1      CraxRat V4...io.dll  windows10-1703-x64
  1      CraxRat V4...le.dll  windows10-1703-x64
  1      CraxRat V4...on.dll  windows10-1703-x64
  1      CraxRat V4...V4.exe  windows10-1703-x64
  3      CraxRat V4...ck.exe  windows10-1703-x64
Resubmissions

  Score 7  24/05/2023, 12:03  230524-n8dbgscd25

Analysis

  max time kernel:  124s
  max time network: 148s
  platform:         windows10-1703_x64
  resource:         win10-20230220-en
  resource tags:    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  submitted:        24/05/2023, 12:03
Behavioral tasks

  Task         Sample                                               Resource
  behavioral1  CraxRat V4 CRACK/CraxRat V4 CRACK.exe                win10-20230220-en
  behavioral2  CraxRat V4 CRACK/LiveChartsCountries.dll             win10-20230220-en
  behavioral3  CraxRat V4 CRACK/LiveChartsRegion.dll                win10-20230220-en
  behavioral4  CraxRat V4 CRACK/MetroSet UI.dll                     win10-20230220-en
  behavioral5  CraxRat V4 CRACK/NAudio.dll                          win10-20230220-en
  behavioral6  CraxRat V4 CRACK/System.IO.Compression.ZipFile.dll   win10-20230220-en
  behavioral7  CraxRat V4 CRACK/System.IO.Compression.dll           win10-20230220-en
  behavioral8  CraxRat V4 CRACK/V4.exe                              win10-20230220-en
  behavioral9  CraxRat V4 CRACK/res/Plugins/Android/crack.exe       win10-20230220-en
General

  Target: CraxRat V4 CRACK/res/Plugins/Android/crack.exe
  Size:   621KB
  MD5:    53e9f3c1f7e1cfcf9439bc0835efd644
  SHA1:   fd91e335c9da742f0972107a240606bb81bbc675
  SHA256: 47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4
  SHA512: b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f
  SSDEEP: 12288:m1M2CoLIJHQ6dp82sv4UfFuXk8o2F6ujLZbpIgXTdlUFk5bSw/zBO5OiWsLVM/Ji:U4HQQpuv4D/36ulpImU25uoBcOBIh
Malware Config
Signatures

Executes dropped EXE (1 IoC)

  PID   Process
  3484  XsdType.exe

Suspicious use of SetThreadContext (1 IoC)

  Description                          PID   Process      procid_target
  PID 3484 set thread context of 5056  3484  XsdType.exe  72

Suspicious behavior: EnumeratesProcesses (5 IoCs)

  PID   Process
  2808  powershell.exe
  2808  powershell.exe
  2808  powershell.exe
  3484  XsdType.exe
  3484  XsdType.exe

Suspicious use of AdjustPrivilegeToken (25 IoCs)

  Description                            PID   Process
  Token: SeDebugPrivilege                2204  crack.exe
  Token: SeDebugPrivilege                2808  powershell.exe
  Token: SeIncreaseQuotaPrivilege        2808  powershell.exe
  Token: SeSecurityPrivilege             2808  powershell.exe
  Token: SeTakeOwnershipPrivilege        2808  powershell.exe
  Token: SeLoadDriverPrivilege           2808  powershell.exe
  Token: SeSystemProfilePrivilege        2808  powershell.exe
  Token: SeSystemtimePrivilege           2808  powershell.exe
  Token: SeProfSingleProcessPrivilege    2808  powershell.exe
  Token: SeIncBasePriorityPrivilege      2808  powershell.exe
  Token: SeCreatePagefilePrivilege       2808  powershell.exe
  Token: SeBackupPrivilege               2808  powershell.exe
  Token: SeRestorePrivilege              2808  powershell.exe
  Token: SeShutdownPrivilege             2808  powershell.exe
  Token: SeDebugPrivilege                2808  powershell.exe
  Token: SeSystemEnvironmentPrivilege    2808  powershell.exe
  Token: SeRemoteShutdownPrivilege       2808  powershell.exe
  Token: SeUndockPrivilege               2808  powershell.exe
  Token: SeManageVolumePrivilege         2808  powershell.exe
  Token: 33                              2808  powershell.exe
  Token: 34                              2808  powershell.exe
  Token: 35                              2808  powershell.exe
  Token: 36                              2808  powershell.exe
  Token: SeDebugPrivilege                3484  XsdType.exe
  Token: SeDebugPrivilege                5056  MSBuild.exe

Suspicious use of WriteProcessMemory (8 IoCs, all identical)

  Description                       PID   Process      procid_target
  PID 3484 wrote to memory of 5056  3484  XsdType.exe  72
Processes

  [depth 1] C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\res\Plugins\Android\crack.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\res\Plugins\Android\crack.exe"
    PID: 2204
    - Suspicious use of AdjustPrivilegeToken

  [depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
    (the -enc argument is UTF-16LE base64 and decodes to: Set-MpPreference -ExclusionPath C:\ , i.e. a Windows Defender exclusion for the whole C: drive)
    PID: 2808
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 1] C:\Users\Admin\AppData\Local\Data\oethvyd\XsdType.exe
    Command line: C:\Users\Admin\AppData\Local\Data\oethvyd\XsdType.exe
    PID: 3484
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      PID: 5056
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 621KB
  MD5:      53e9f3c1f7e1cfcf9439bc0835efd644
  SHA1:     fd91e335c9da742f0972107a240606bb81bbc675
  SHA256:   47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4
  SHA512:   b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f

  Filesize: 621KB
  MD5:      53e9f3c1f7e1cfcf9439bc0835efd644
  SHA1:     fd91e335c9da742f0972107a240606bb81bbc675
  SHA256:   47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4
  SHA512:   b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f

  Filesize: 1B
  MD5:      c4ca4238a0b923820dcc509a6f75849b
  SHA1:     356a192b7913b04c54574d18c28d46e6395428ab
  SHA256:   6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512:   4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a