8505c83167206b75f9b21bf02cb6aca0cecf769842221bed094b5677f879612e

Resubmissions

24/05/2023, 12:03

230524-n8dbgscd25 7

Analysis

max time kernel
124s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24/05/2023, 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CraxRat V4 CRACK/res/Plugins/Android/crack.exe
Size

621KB
MD5

53e9f3c1f7e1cfcf9439bc0835efd644
SHA1

fd91e335c9da742f0972107a240606bb81bbc675
SHA256

47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4
SHA512

b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f
SSDEEP

12288:m1M2CoLIJHQ6dp82sv4UfFuXk8o2F6ujLZbpIgXTdlUFk5bSw/zBO5OiWsLVM/Ji:U4HQQpuv4D/36ulpImU25uoBcOBIh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3484	XsdType.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3484 set thread context of 5056	3484	XsdType.exe	72

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2808	powershell.exe
2808	powershell.exe
2808	powershell.exe
3484	XsdType.exe
3484	XsdType.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	crack.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeIncreaseQuotaPrivilege	2808	powershell.exe
Token: SeSecurityPrivilege	2808	powershell.exe
Token: SeTakeOwnershipPrivilege	2808	powershell.exe
Token: SeLoadDriverPrivilege	2808	powershell.exe
Token: SeSystemProfilePrivilege	2808	powershell.exe
Token: SeSystemtimePrivilege	2808	powershell.exe
Token: SeProfSingleProcessPrivilege	2808	powershell.exe
Token: SeIncBasePriorityPrivilege	2808	powershell.exe
Token: SeCreatePagefilePrivilege	2808	powershell.exe
Token: SeBackupPrivilege	2808	powershell.exe
Token: SeRestorePrivilege	2808	powershell.exe
Token: SeShutdownPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeSystemEnvironmentPrivilege	2808	powershell.exe
Token: SeRemoteShutdownPrivilege	2808	powershell.exe
Token: SeUndockPrivilege	2808	powershell.exe
Token: SeManageVolumePrivilege	2808	powershell.exe
Token: 33	2808	powershell.exe
Token: 34	2808	powershell.exe
Token: 35	2808	powershell.exe
Token: 36	2808	powershell.exe
Token: SeDebugPrivilege	3484	XsdType.exe
Token: SeDebugPrivilege	5056	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72
PID 3484 wrote to memory of 5056	3484	XsdType.exe	72

C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\res\Plugins\Android\crack.exe
"C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\res\Plugins\Android\crack.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Users\Admin\AppData\Local\Data\oethvyd\XsdType.exe
C:\Users\Admin\AppData\Local\Data\oethvyd\XsdType.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Data\oethvyd\XsdType.exe

Filesize
621KB

MD5
53e9f3c1f7e1cfcf9439bc0835efd644

SHA1
fd91e335c9da742f0972107a240606bb81bbc675

SHA256
47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4

SHA512
b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f

Download Submit
C:\Users\Admin\AppData\Local\Data\oethvyd\XsdType.exe

Filesize
621KB

MD5
53e9f3c1f7e1cfcf9439bc0835efd644

SHA1
fd91e335c9da742f0972107a240606bb81bbc675

SHA256
47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4

SHA512
b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iueadoz0.4bq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2204-121-0x0000000000050000-0x00000000000F2000-memory.dmp

Filesize
648KB

Download
memory/2204-122-0x0000000004A30000-0x0000000004B28000-memory.dmp

Filesize
992KB

Download
memory/2204-123-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-124-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-126-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-128-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-130-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-133-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2204-135-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-132-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-137-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-139-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-141-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-143-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-145-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-147-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-149-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-151-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-153-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-155-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-157-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-159-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-161-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-163-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-165-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-167-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-169-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-171-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-173-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-175-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-179-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-177-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-181-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-183-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-185-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-187-0x0000000004A30000-0x0000000004B21000-memory.dmp

Filesize
964KB

Download
memory/2204-1332-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2204-2463-0x0000000004B30000-0x0000000004B86000-memory.dmp

Filesize
344KB

Download
memory/2204-2464-0x0000000004C20000-0x0000000004C6C000-memory.dmp

Filesize
304KB

Download
memory/2204-2465-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/2204-2466-0x0000000005250000-0x00000000052A4000-memory.dmp

Filesize
336KB

Download
memory/2808-2473-0x0000024EAD9D0000-0x0000024EAD9E0000-memory.dmp

Filesize
64KB

Download
memory/2808-2474-0x0000024EAD9D0000-0x0000024EAD9E0000-memory.dmp

Filesize
64KB

Download
memory/2808-2475-0x0000024EAD970000-0x0000024EAD992000-memory.dmp

Filesize
136KB

Download
memory/2808-2478-0x0000024EADB60000-0x0000024EADBD6000-memory.dmp

Filesize
472KB

Download
memory/2808-2507-0x0000024EAD9D0000-0x0000024EAD9E0000-memory.dmp

Filesize
64KB

Download
memory/2808-2512-0x0000024EAD9D0000-0x0000024EAD9E0000-memory.dmp

Filesize
64KB

Download
memory/3484-2558-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3484-4218-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/5056-4945-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/5056-6480-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download