Overview

Score  Target                   Platform
7      Static                   static
7      craxs3/ChangeLog.html    windows10-2004-x64
1      craxs3/CraxsRat.exe      windows10-2004-x64
1      craxs3/Cra...xe.xml      windows10-2004-x64
3      craxs3/Dra...rk.dll      windows10-2004-x64
1      craxs3/Fu#...er.exe      windows10-2004-x64
7      craxs3/GeoIPCitys.dll    windows10-2004-x64
1      craxs3/Liv...PS.dll      windows10-2004-x64
1      craxs3/Liv...ms.dll      windows10-2004-x64
1      craxs3/Liv...pf.dll      windows10-2004-x64
1      craxs3/LiveCharts.dll    windows10-2004-x64
1      craxs3/NAudio.dll        windows10-2004-x64
1      craxs3/New...on.dll      windows10-2004-x64
1      craxs3/Sys...le.dll      windows10-2004-x64
1      craxs3/WinMM.Net.dll     windows10-2004-x64
1      craxs3/Win...ve.dll      windows10-2004-x64
Analysis

max time kernel: 61s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2023, 11:05
Behavioral tasks (every task uses resource win10v2004-20230703-en)

Task          Sample
behavioral1   craxs3/ChangeLog.html
behavioral2   craxs3/CraxsRat.exe
behavioral3   craxs3/CraxsRat.exe.xml
behavioral4   craxs3/DrakeUI.Framework.dll
behavioral5   craxs3/Fu##ThisLoader.exe
behavioral6   craxs3/GeoIPCitys.dll
behavioral7   craxs3/LiveCharts.MAPS.dll
behavioral8   craxs3/LiveCharts.WinForms.dll
behavioral9   craxs3/LiveCharts.Wpf.dll
behavioral10  craxs3/LiveCharts.dll
behavioral11  craxs3/NAudio.dll
behavioral12  craxs3/Newtonsoft.Json.dll
behavioral13  craxs3/System.IO.Compression.ZipFile.dll
behavioral14  craxs3/WinMM.Net.dll
behavioral15  craxs3/Windows.UI.Immersive.dll
General

Target: craxs3/ChangeLog.html
Size: 25KB
MD5: 0d8019eac4f5ab83d2ab55334945aca8
SHA1: ac4f3691b367ef4fa86cbdab37ef088b22e17efe
SHA256: 9bfa5afa938094221874ac8ea632c6d98074f4e36518ee69d24300974483d7af
SHA512: 381da916f77e1cebc1c34ef687ee9fa682b5ba89fb2c48961ef4ae58c000390d76cb1d1ed3b5d714eca62c696b875ed62bcd5d9013d932af0e3dca4d869305b9
SSDEEP: 768:aXBghTeUR0DBbyYLJTcGOTMqiWgEHhdkAgJTf:aehSUKdzcTMqiB+dPWf
Malware Config
Signatures

Every row below is attributed to chrome.exe (pid 3352 wherever a pid is shown), the browser the sandbox launched to open the target HTML (see Processes). No row is attributed to the HTML file itself or to any other image, so these signatures describe the browser's own startup behaviour on this task.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                           process
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133337200058683704"  chrome.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                        chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  2 rows, all pid 3352 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  2 rows, all pid 3352 chrome.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  64 rows, all pid 3352 chrome.exe, alternating between Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege

Suspicious use of FindShellTrayWindow (26 IoCs)
  26 rows, all pid 3352 chrome.exe

Suspicious use of SendNotifyMessage (24 IoCs)
  24 rows, all pid 3352 chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  64 rows of the form "PID 3352 wrote to memory of <target pid> 3352 chrome.exe <procid_target>", all with writer pid 3352 chrome.exe. Distinct targets, in order of first appearance:
  target pid  procid_target
  3968        85
  4820        88
  4624        87
  2944        89
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3352)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\craxs3\ChangeLog.html
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3968, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0b279758,0x7ffa0b279768,0x7ffa0b279778

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4624, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4820, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2944, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1820, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3024, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3824, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4368, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4568, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3764, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2276, child of 3352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1916,i,44712222615126081,14582795092176364997,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2224)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
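The Signatures and Processes sections above only list raw rows; what a reader wants to know is whether the WriteProcessMemory rows are a host writing into its own freshly spawned children (normal for a multi-process browser) or a process writing into something it did not create (the injection pattern), and which image read the BIOS SystemProductName/SystemManufacturer values that are commonly consulted to recognise a virtual machine. The following script is an added example, not part of the report or of any sandbox's own code. Its row strings are copied from this report's Signatures section (one extra row, marked as constructed, exercises the cross-process case), the parent map is transcribed from the Processes tree, and all function names are illustrative.

```python
"""Triage WriteProcessMemory and registry rows from a sandbox report.

Added example, not part of the report. Rows are copied from the report's
Signatures section except where marked as constructed; PARENT is
transcribed from the report's Processes tree. Function names are
illustrative.
"""
import re
from collections import defaultdict

# Report row shape: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
# Report row shapes: "Key value queried <path> <image>", "Key opened <path> <image>", "Key created <path> <image>"
REG_ROW = re.compile(r"Key (?:value queried|opened|created) (\\REGISTRY\\\S+) (\S+)")

# Registry locations whose values identify the machine (BIOS strings); reads here
# are the classic virtual-machine fingerprint check.
FINGERPRINT_PREFIXES = (r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS",)

# Parent map transcribed from the Processes tree: every depth-2 chrome.exe is a
# child of the depth-1 chrome.exe (pid 3352); elevation_service.exe is a second root.
PARENT = {pid: 3352 for pid in (3968, 4624, 4820, 2944, 1820, 3024, 3824, 4368, 4568, 3764, 2276)}
PARENT[3352] = None
PARENT[2224] = None

WPM_ROWS = [
    "PID 3352 wrote to memory of 3968 3352 chrome.exe 85",
    "PID 3352 wrote to memory of 4820 3352 chrome.exe 88",
    "PID 3352 wrote to memory of 4624 3352 chrome.exe 87",
    "PID 3352 wrote to memory of 2944 3352 chrome.exe 89",
    # Constructed row, not in the report: a write into a process the writer did not spawn.
    "PID 2224 wrote to memory of 3352 2224 elevation_service.exe 99",
]

REG_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe",
    r"Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe",
    # Different row shape (a value write); REG_ROW does not match it and the parser skips it.
    r'Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133337200058683704" chrome.exe',
]


def classify_wpm(rows, parent):
    """Group WriteProcessMemory rows by writer pid.

    A target that is the writer's own child is how multi-process hosts such as
    browsers hand state to workers; a target the writer did not create is the
    pattern that deserves a closer look (classic cross-process injection).
    """
    out = defaultdict(lambda: {"image": None, "children": set(), "foreign": set()})
    for row in rows:
        m = WPM_ROW.match(row)
        if not m:
            continue
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        out[writer]["image"] = image
        bucket = "children" if parent.get(target) == writer else "foreign"
        out[writer][bucket].add(target)
    return dict(out)


def fingerprint_reads(rows):
    """Return (image, registry path) pairs for reads under the BIOS identity key."""
    hits = []
    for row in rows:
        m = REG_ROW.match(row)
        if not m:
            continue
        path, image = m.group(1), m.group(2)
        # Registry paths are case-insensitive; compare in upper case.
        if path.upper().startswith(FINGERPRINT_PREFIXES):
            hits.append((image, path))
    return hits


if __name__ == "__main__":
    for writer, info in classify_wpm(WPM_ROWS, PARENT).items():
        print(writer, info["image"], "children:", sorted(info["children"]), "foreign:", sorted(info["foreign"]))
    for image, path in fingerprint_reads(REG_ROWS):
        print("fingerprint read:", image, path)
```

On this report's rows the only writer with a non-empty "foreign" set is the constructed one; pid 3352 writes exclusively into its own children, which is what the Processes tree already implies. The same two parsers run unchanged over the full 64-row tables once they are split on "PID ".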
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 6KB
  MD5: d39eb70e002e2d91e19b0c6c972d7a43
  SHA1: 5ef109edea68f2b50a85a0c03180f5537afe9805
  SHA256: 8ff8af6ec28611155ee6ce53d697ddb62f0878624b87a36e1e59de6725bd96ba
  SHA512: 14413c84adb16d363fe5326f1853c6983b3dfd73e6ed10122fca6f3a45185d27f8778847c26babc3ff167c64f9bf67df5a6fd9bafbe021433d470dc74d7c374c

- Filesize: 6KB
  MD5: c04835468079039633236da37efa142d
  SHA1: f8fab63d70c73f0ada0eba186295fc79ec6ab956
  SHA256: 0c657de59f435034f9a77bf6efcd3c9a59696dbe9523b07e254c99bc4ec749f0
  SHA512: 7e77ee66f872a0fc50d624ab3d2e8ebc2c89e56283fd0e99acc2a1e769f1107e2bc3d2e9a40af95b026c123883b4dc43d43a12fd0c6a2886bee2f780c538e90b

- Filesize: 15KB
  MD5: afaaa6fc9c24ac462ac2258de65fa63b
  SHA1: 383abbb2e46e5ef74c2838a04254456f1dc359e5
  SHA256: 9f9f82c6e51c12fae9d77f9e8006d0ea5fedb4d4d00cd2c90aa671fecbf3e50e
  SHA512: 30a03b98b1f19c63e8a06863590133bf1011486b033455c79aa468502284ec3676327ca619c9b73e80e920873fbf62df462b4c2e4f40d006040e5b9102235aee

- Filesize: 89KB
  MD5: 0a92bff9ef63e6fd2219e47f59b117a8
  SHA1: 97e100d0045db28496f7296db8d6daa97110d449
  SHA256: 5ab8710ee3a54dd4a35989e7ccf0303b979e252cebf23c402db6568f56d0136b
  SHA512: 3e514e67e640a0e58ccb2de16488720b6f0dccf78d5b0eae1f7b376ab1f81e298a11f73a39379987047b225020e4b893462249bce7d9ba02bb28be2f3f2e7049

- Filesize: 175KB
  MD5: a4a59c1682308bbe0874e1f1f9c75de7
  SHA1: 6579df1a85be27c7125b55fb2e64b13a3a21f90e
  SHA256: 0c3b5f75f142a5db050ca0c4e93d40b969d3f3b419d41ff20b5083139bf85370
  SHA512: 9d16dde7175057607a10b7ec0a3437201722f2529855ef4b037dc7a87ae445ef16ae930801a2cacc426adac96fbda4dd9c6f31a8f717a6ed7c6ee06450e7033b

- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
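The General and Downloads sections list four digests per file; the practical use of those values is to confirm that a sample or dropped file on disk is byte-for-byte the one the report analysed, and a single mismatching digest is enough to say it is not. The script below is an added example, not part of the report or of any sandbox's own tooling. The only report data it embeds is the 2-byte Downloads entry; those four digests are exactly the MD5, SHA1, SHA256 and SHA512 of the two bytes "{}" (an empty JSON object), which is what the constructed sample in the usage block demonstrates. Function names are illustrative.

```python
"""Verify a local file against the digests a sandbox report lists for it.

Added example, not part of the report. REPORT_2B is copied from the
report's Downloads table (the 2-byte entry); the sample bytes in __main__
are constructed. Function names are illustrative.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests of the 2-byte download as listed in the report.
REPORT_2B = {
    "md5": "99914b932bd37a50b983c5e7c90ae93b",
    "sha1": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
    "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "sha512": "27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd",
}


def digests(data: bytes) -> dict:
    """Lowercase hex digests of an in-memory buffer for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_of_file(path, chunk_size=1 << 20) -> dict:
    """Stream a file through all hashers at once so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: dict, expected: dict) -> dict:
    """Per-algorithm match result.

    Only algorithms the report actually lists are compared, and hex is
    normalised to lower case because reports mix upper and lower case.
    """
    return {
        name: actual[name] == value.strip().lower()
        for name, value in expected.items()
        if name in actual
    }


def matches_report(data: bytes, expected: dict) -> bool:
    """True only when every listed digest agrees; one mismatch means a different file."""
    result = compare(digests(data), expected)
    return bool(result) and all(result.values())


if __name__ == "__main__":
    # Constructed sample: the report's 2-byte entry carries the digests of b"{}".
    print(compare(digests(b"{}"), REPORT_2B))
    print(matches_report(b"{ }", REPORT_2B))
```

`digests_of_file` is the one to use on a real sample; `digests` exists so the check can also run on bytes pulled from a memory dump or a network capture. Compare all four algorithms rather than MD5 alone: MD5 collisions are practical, so an MD5 match on its own does not prove identity, while an MD5 mismatch still proves difference.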