Malware Analysis Report

2025-05-05 22:24

Sample ID 231011-g2819aee5s
Target CraxsRat_V6.7.7z
SHA256 aa3909078e3b6f111adfb3b797b275fdbf20d61c6d294956a126ee55c205d46d
Tags
agilenet
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral1, behavioral8, behavioral16, behavioral23, behavioral6, behavioral17, behavioral18, behavioral22, behavioral26, behavioral4, behavioral3, behavioral7, behavioral11, behavioral15, behavioral9, behavioral10, behavioral14, behavioral21, behavioral29, behavioral30, behavioral31, behavioral5, behavioral13, behavioral19, behavioral25, behavioral2, behavioral24, behavioral27, behavioral28, behavioral12, behavioral20, behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

aa3909078e3b6f111adfb3b797b275fdbf20d61c6d294956a126ee55c205d46d

Threat Level: Shows suspicious behavior

The file CraxsRat_V6.7.7z shows suspicious behavior (score 7/10). None of the signatures below names a malware family; the only static tag is agilenet (Agile.NET obfuscation). Read the behavioral hits together with their process column: in behavioral1 the Internet Explorer settings changes and the FindShellTrayWindow hit belong to iexplore.exe opening the bundled ChangeLog.html, and the rundll32.exe runs of the bundled .NET libraries (GeoIPCitys.dll, LiveCharts, Newtonsoft.Json, NAudio and others) produce no signatures at all. The runs of CraxsRat_V6.7.exe itself included in this export (behavioral3 and behavioral4) trigger only FindShellTrayWindow and SendNotifyMessage.

Malicious Activity Summary

agilenet

Obfuscated with Agile.Net obfuscator

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 06:20

Signatures

Obfuscated with Agile.Net obfuscator

Tags: agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
(13 identical hits; the report records no indicator, process or target for any of them)

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:17

Platform

win7-20230831-en

Max time kernel

226s

Max time network

296s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

Signatures

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80571f2f1bfcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000fe0463a36b11340bcc819735625f99025dea201210acf119e80b3bc0e0183770000000000e8000000002000020000000b8fb38f323f8d4ce7b5612d6b23606b3df8e700aff4c56fef5f5dbe2d24c6b8f200000008840dbd49cf4a623d0e00361b669b943cb8a8ad37154101b25df27a27d915e2d40000000c3673735f3c8bb79265101ab1aad2b9d83ff2552766bd66dec66e8f49991d508d0952fb6d6d51dd51647036c58a9fc98d6fe6455adee20b9721d57c6453617e6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403173960" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3CCFEB11-680E-11EE-BCB6-6AEC76ABF58F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabC063.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarC26B.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 079b41b33e493c6dbc2a10210ac0fab9
SHA1 a84742e7fa9e2d690a6bb83ee103f757e6851954
SHA256 d51ca7c72b0c4b17b2d61a050f91454da551283e010e52c1fbefcbdb7428d21e
SHA512 7d9484d07ccbcc9f9ecf3e7949b9a877c307d14b5ebabb5bd188ad51f69f35a6f5dff0e68d4955ed7cb87081a0951277932d5679255012d02eadbeb210d5f601

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 550b1d0e92852b355e509e555db56cd8
SHA1 7ce5eef1945fd940bb1807f0634119dcc96fa2c6
SHA256 6b398a5f612f3669e847f3214f77c974572601fc39444184791cbe585f9a08b0
SHA512 bd54817c9542d1d3a21a4f49311c375edd2797b4e1eb02349e51217db7a91853251292c4d6562ec91ac775db285b2a8cc914840a0c9008a9f1ee0d5c4599cb9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ade1b5e7a4efcb7836929a14d14bd4ce
SHA1 eb25c1de0197260d27ef03c0bcf5420b4e2b6e81
SHA256 b5c6540af709da167a491b234704489061ca77bcda4cc890e9d4cb266bd0600d
SHA512 ffd760ac439aad25efc5273ca3999e7cb6e0da62ca5242064c5c04fe9fb5c10a9c193c728bb16974dd1d09b94593da67ba14e625942416b0ecd7ced3160c4dac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd235adc9c4dd30bebb452c13c5793df
SHA1 59cd89ff7f4f0183a32311d8e0d192aa4e11e9e8
SHA256 363a290009d5d6f93ade3a02d5c6006cb303de82db3a93bc9b2e1427b5046a81
SHA512 c9ff685e3dc40be0b95100afb611674c365fdf375cc35e37f8ee5a08d165b4cb3712994174797410473ab3639663af245e840ba46a7a3a05c770d9b967f28088

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bca3f6aed46c0a75daea5a49c6ba437a
SHA1 0425643663a090371ad85f9617bf220ede8a7997
SHA256 0083ede6a225bef96b7a12b6a96a9f548fddce4056e265cfd01678597b3c988a
SHA512 ccd50a9e5d6aceb31e376286676f1a0346df02ad87673f6b9cf97fec696ff2d3a6a60fde75cd9a598771682074e93ba4b661a198c50e69b864307032ac42cf40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c5d2083273a2378fe4a9f682e95fa95
SHA1 cb73fa078862dd41f32582d9f1999c21a373e22f
SHA256 6e9e1a2b859ebbdf52a32441ce25747c764cc11e1e0e8a005a9daf1a45119e96
SHA512 fae6c192e8762c2c25e5685b38369333154ee29223a4f9c99cb1786cb793c0a4596a7be667f4120e2be51f62d5f13c7991b1a56c3ab8ccced5efb88c8dc78e68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85569f848e47ed08a37b73fb9313d8c9
SHA1 06d5e8e4a93ee3a1af2b02fb76d5580601129d0a
SHA256 a90908e5b194316f135a8fc1dc6b2fc3fac538f526b3f1b12cd200aeafc0c205
SHA512 84797d25b2c5f2e4e417dcdd5fa704df1248f1b700877b343586ec5f23105db7a915c20285e07245d9150757a29385aa34bfdbb07a45f093b39ace86053cc7c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07ef960337374b2966b6ed5608ca440f
SHA1 a667980448bafa852f16bc6021c8f14aeaef40cb
SHA256 998ae3d27becb1dcc4e7edbe9d6da63b198402b5e71ea790de95d1516e8b8112
SHA512 ebac49615e0c435ddbd310531d21940a01869910affd2e6e06e8064eaa76e7641c91b34467d3ad96a271523ee3766f422a8491f55485fcba4ea086fab6d7d467

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ec3415f90568e49107e85bc3c6ecb83
SHA1 f5ecec4ccc3599bd1093647dfe363f26f1fc4c44
SHA256 7998efa00cd2b504fe4f2137c4364409f27e8b29e1bcf7317fd02a49f8b1e1d7
SHA512 a639ff361713d6cbaa3bf3899b0b2dadf4cf92b5c7c45df3501103ef915e342acb146fa149820e8ec5a57ce42c0e5b30881c2c102aa48eebc98de60de305131f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7125a5ee4e3d75252e54679f80070b55
SHA1 37163a9117498a68799a8878525681f82cd4e7e5
SHA256 5884e3b93023d218955492d528eb062e13f4611f23c20b4d9503b2ffa1676b32
SHA512 a1762dbd6b9761813ca4250534e8ee54c819bdde878991a7e4dec521c5fd4f99fc703ae0e7b3dea9657a3e87ec3bfb6fbed79fc30ccf33126b78200981ac1adf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7125a5ee4e3d75252e54679f80070b55
SHA1 37163a9117498a68799a8878525681f82cd4e7e5
SHA256 5884e3b93023d218955492d528eb062e13f4611f23c20b4d9503b2ffa1676b32
SHA512 a1762dbd6b9761813ca4250534e8ee54c819bdde878991a7e4dec521c5fd4f99fc703ae0e7b3dea9657a3e87ec3bfb6fbed79fc30ccf33126b78200981ac1adf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b1591a1ceca8aa7e4debb1b0b4eb771
SHA1 6112fe982a3735b3ac06616737ab0dacd6793d39
SHA256 9b13a8965d47c6a3e523d64208751f29c53365ee661fe976dafedb9bbd09c962
SHA512 ecf3ad524aaa5725368aecb846729fa45a1211479ba36b04376c0f6fcc1b23a4d391e0630a4df5c7b16cd0b1acd8fc50c1f9e02e7aed82c1df770a90f430e0ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97ae4f87a29dd0f9a3a5821b67068e61
SHA1 fb446a755b0e67c04653c2e532010903d4cecfd1
SHA256 d4e098eb4b3f6cee3c5f9bbb05e2cd994f42e22eb9d788844b8d04c0794f7f86
SHA512 afbd4433b778b72a57985240cc759cec49ec760fd5a6383795195a7917fe000d73ec4f317edc3323cec922bada8ce94e8f0478663a085820bf1308d37d043e31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fced8b5dab2da7a1842143ca6f67f44d
SHA1 4d72508a825bb32fc947184bdb4c79b0a1a9e12f
SHA256 1a230b22fb36267ee8289d8cde61d571a138b1aa1eadbc20ea59f8658752c5f6
SHA512 551afce05631fb57cfa529b77ec056023d2b4c969c47926646d0a01262f929e1bbfb9313c1c08a65e6fb3099dad1952b1dea00d6fe85c0ef1ad05c960026ccf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58d08a314f27eff69c4206acb141021d
SHA1 ee4a6e65236860fe64ff95772d6ce9e1d4a0ebe6
SHA256 a21c7d7551a3664cc06c09d2cbcd7fa016390bdfeae78bd2293b5b6eff613dc3
SHA512 a27c05c27c558f607cfb66a2902375dd063d06fa253812ac45298f85e2c41f5107203b5d7845ef918177c98c3233be465c77b860afbe317e7c848d3e95fb29b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 559147c573ff23606a3de7c3e361451f
SHA1 ebdb8e4772e0ef0477fab619dbfe76eab2339126
SHA256 662466b2b8cb981f9bf00602e75f045f7621361b0bfae25421f476e336707fd1
SHA512 d202b0d8f8166922b37231147da87a353b13b808a2f3c2530a516dd32d5ba494e78e30a0289c18117e90caffd40bdfd53e815764db2147dbfe61f9e3dbc2c1d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 814ca304908df8481c7ba08d7f0b8581
SHA1 100126766adbb8c83e67c506cfc08abd8a842a77
SHA256 d19969e4befed577009186399d233a59e02d594c5c1ca60a597f5e133c1f7e3c
SHA512 a26d0c98fb21208bc5d6a2ad21d0af6fb671ec0f939e6f797bac5f5355660f72e0488bfcc39cd6bbafd2fd0b37727933dfa700fb698172ddba18292eb655242a
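The Files list above repeats one CryptnetUrlCache\MetaData path sixteen times with different digests, and the behavioral4 list later in this report contains only memory dump names. The following Python script is an added example written for this page; it is not part of the sandbox report or of any tool the report was produced with. It parses the report's own Files layout (path line, then one "ALG hex" line per digest), checks that each digest has the length and alphabet its algorithm requires (a cheap way to catch copy/export mangling before an IOC goes into a blocklist), and summarizes per path how many write events there were and how many distinct contents. The sample input is constructed from four entries on this page; the origin hints in origin_hint() are analyst heuristics and an assumption, not something the report states.

```python
import re

CAB_PATH = r"C:\Users\Admin\AppData\Local\Temp\CabC063.tmp"
META_PATH = r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015"

# Constructed sample: four entries copied from the behavioral1 Files list in this report,
# in the report's own layout (path line, blank line, one "ALG hex" line per digest).
SAMPLE_FILES_SECTION = f"""\
{CAB_PATH}

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

{META_PATH}

MD5 079b41b33e493c6dbc2a10210ac0fab9
SHA1 a84742e7fa9e2d690a6bb83ee103f757e6851954
SHA256 d51ca7c72b0c4b17b2d61a050f91454da551283e010e52c1fbefcbdb7428d21e
SHA512 7d9484d07ccbcc9f9ecf3e7949b9a877c307d14b5ebabb5bd188ad51f69f35a6f5dff0e68d4955ed7cb87081a0951277932d5679255012d02eadbeb210d5f601

{META_PATH}

MD5 7125a5ee4e3d75252e54679f80070b55
SHA1 37163a9117498a68799a8878525681f82cd4e7e5
SHA256 5884e3b93023d218955492d528eb062e13f4611f23c20b4d9503b2ffa1676b32
SHA512 a1762dbd6b9761813ca4250534e8ee54c819bdde878991a7e4dec521c5fd4f99fc703ae0e7b3dea9657a3e87ec3bfb6fbed79fc30ccf33126b78200981ac1adf

{META_PATH}

MD5 7125a5ee4e3d75252e54679f80070b55
SHA1 37163a9117498a68799a8878525681f82cd4e7e5
SHA256 5884e3b93023d218955492d528eb062e13f4611f23c20b4d9503b2ffa1676b32
SHA512 a1762dbd6b9761813ca4250534e8ee54c819bdde878991a7e4dec521c5fd4f99fc703ae0e7b3dea9657a3e87ec3bfb6fbed79fc30ccf33126b78200981ac1adf
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"[0-9a-f]+")


def parse_files_section(text):
    """Return [{'path': ..., 'hashes': {alg: hex}}] in report order; dump names get no hashes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "N/A":
            continue
        alg, _, digest = line.partition(" ")
        if alg in HASH_LEN and current is not None:
            current["hashes"][alg] = digest.strip().lower()
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def hash_errors(entries):
    """Digests whose length or alphabet is wrong for their algorithm, i.e. mangled in export."""
    bad = []
    for e in entries:
        for alg, digest in e["hashes"].items():
            if len(digest) != HASH_LEN[alg] or not HEX_RE.fullmatch(digest):
                bad.append((e["path"], alg))
    return bad


def origin_hint(path):
    # Analyst heuristics (assumption, not stated by the report): these locations are written
    # by Windows itself while it fetches certificate/CRL data, so they are rarely worth pulling.
    p = path.lower()
    if "\\cryptneturlcache\\" in p:
        return "CryptoAPI URL cache written by the OS certificate subsystem"
    if re.search(r"\\temp\\(cab|tar)[0-9a-f]{4}\.tmp$", p):
        return "temporary CAB extraction by the OS certificate subsystem"
    if p.startswith("memory/"):
        return "process memory dump taken by the sandbox"
    return "review"


def summarize_paths(text):
    """Per path: how many times it was written, how many distinct contents, likely origin."""
    stats = {}
    for e in parse_files_section(text):
        s = stats.setdefault(e["path"], {"writes": 0, "sha256": set()})
        s["writes"] += 1
        if "SHA256" in e["hashes"]:
            s["sha256"].add(e["hashes"]["SHA256"])
    return {
        path: {"writes": s["writes"], "distinct_sha256": len(s["sha256"]), "origin": origin_hint(path)}
        for path, s in stats.items()
    }


if __name__ == "__main__":
    for path, s in summarize_paths(SAMPLE_FILES_SECTION).items():
        print(f"{s['writes']:3d}x {s['distinct_sha256']} distinct  {s['origin']}  {path}")
```

On the full behavioral1 list the MetaData path comes out as 16 writes with 15 distinct contents, which is the churn pattern of a cache file the OS keeps rewriting, not a dropped payload; anything that lands in the "review" bucket is what deserves a closer look.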

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win10v2004-20230915-en

Max time kernel

145s

Max time network

200s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
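Every Network table in this report has the same shape, and most rows are the sandbox host's own background traffic: reverse-DNS (in-addr.arpa) lookups sent to 8.8.8.8 and HTTPS to tse1.mm.bing.net / ieonline.microsoft.com. The Python below is an added triage example written for this page, not code from the sandbox vendor or from the report. It parses rows in the report's four-column format, classifies each connection, recovers the address behind each PTR lookup, and leaves only unexplained destinations in a "review" bucket. The sample rows are copied from the tables on this page; the OS_BACKGROUND_DOMAINS allowlist is an analyst assumption and should be extended to match your own sandbox image.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from the Network tables in this report. The table has four
# whitespace-separated columns: Country, Destination (ip:port), Domain, Proto.
SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Hosts the sandbox's own Windows/IE install talks to in the background. This allowlist is an
# analyst assumption used for triage, not something the report states.
OS_BACKGROUND_DOMAINS = {"tse1.mm.bing.net", "ieonline.microsoft.com"}

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Conn:
    country: str
    host: str
    port: int
    domain: str
    proto: str


def parse_network_table(text):
    """Parse one Network table; a bare 'N/A' section yields an empty list."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "N/A" or line.startswith("Country "):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised network row: {line!r}")
        conns.append(Conn(m["country"], m["host"], int(m["port"]), m["domain"], m["proto"]))
    return conns


def ptr_to_ip(name):
    """'95.221.229.192.in-addr.arpa' -> '192.229.221.95', the address being reverse-resolved."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(conn):
    if conn.port == 53 and conn.domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"      # OS reverse-DNS chatter about addresses it already talked to
    if conn.port == 53:
        return "dns"
    if conn.domain in OS_BACKGROUND_DOMAINS:
        return "os-background"
    return "review"              # everything else is what the analyst should look at


def triage(text):
    conns = parse_network_table(text)
    counts = Counter(classify(c) for c in conns)
    review = sorted({(c.host, c.port, c.domain, c.proto) for c in conns if classify(c) == "review"})
    ptr_ips = sorted({ptr_to_ip(c.domain) for c in conns if classify(c) == "ptr-lookup"})
    return {"counts": dict(counts), "review": review, "ptr_ips": ptr_ips}


if __name__ == "__main__":
    print(triage(SAMPLE_NETWORK_TABLE))
```

Run over the rundll32.exe and CraxsRat_V6.7.exe tables in this report, the review bucket stays empty, which matches the absence of any network signature: nothing in these runs reached a destination that is not explained by the sandbox image itself. The PTR addresses are still worth a glance, because a reverse lookup of an unfamiliar IP can be the only trace of a connection the capture missed.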

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win10v2004-20230915-en

Max time kernel

164s

Max time network

218s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:22

Platform

win7-20230831-en

Max time kernel

244s

Max time network

365s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:15

Platform

win10v2004-20230915-en

Max time kernel

117s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

107s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

173s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:15

Platform

win10v2004-20230915-en

Max time kernel

114s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.101.122.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win10v2004-20230915-en

Max time kernel

124s

Max time network

198s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win10v2004-20230915-en

Max time kernel

173s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp

Files

memory/4912-0-0x00000209102F0000-0x00000209148AE000-memory.dmp

memory/4912-1-0x00007FFCB6F60000-0x00007FFCB70AE000-memory.dmp

memory/4912-2-0x00007FFCB5D60000-0x00007FFCB6821000-memory.dmp

memory/4912-3-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-4-0x0000020914D00000-0x0000020914D22000-memory.dmp

memory/4912-5-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-6-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-7-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-9-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-8-0x00007FFCB5D60000-0x00007FFCB6821000-memory.dmp

memory/4912-10-0x000002092EE50000-0x000002092EE5C000-memory.dmp

memory/4912-11-0x000002092FE30000-0x000002092FE4C000-memory.dmp

memory/4912-12-0x0000020930190000-0x00000209301BC000-memory.dmp

memory/4912-13-0x0000020930200000-0x000002093023C000-memory.dmp

memory/4912-14-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-15-0x0000020930D80000-0x0000020930F26000-memory.dmp

memory/4912-16-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-17-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-18-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-19-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-20-0x0000020934A80000-0x0000020934B80000-memory.dmp

memory/4912-21-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-22-0x000002092EE60000-0x000002092EE70000-memory.dmp

memory/4912-23-0x0000020934A80000-0x0000020934B80000-memory.dmp

memory/4912-24-0x0000020934A80000-0x0000020934B80000-memory.dmp

memory/4912-25-0x0000020934A80000-0x0000020934B80000-memory.dmp

memory/4912-26-0x0000020934A80000-0x0000020934B80000-memory.dmp

memory/4912-27-0x0000020934A80000-0x0000020934B80000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

164s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Network

N/A

Files

memory/2712-0-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

memory/2712-1-0x0000000001340000-0x00000000058FE000-memory.dmp

memory/2712-2-0x000007FEF3BC0000-0x000007FEF3CEC000-memory.dmp

memory/2712-3-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-4-0x00000000003E0000-0x0000000000402000-memory.dmp

memory/2712-5-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

memory/2712-6-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-7-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-8-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-9-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-10-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-11-0x00000000005A0000-0x00000000005AC000-memory.dmp

memory/2712-12-0x0000000000700000-0x000000000072C000-memory.dmp

memory/2712-13-0x0000000000CB0000-0x0000000000CEC000-memory.dmp

memory/2712-14-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-15-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/2712-16-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/2712-17-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-18-0x0000000020FF0000-0x0000000021196000-memory.dmp

memory/2712-19-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-20-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-21-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-22-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-23-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/2712-24-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/2712-25-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-26-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-27-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-28-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-29-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-30-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-31-0x000000001F410000-0x000000001F490000-memory.dmp

memory/2712-32-0x000000001F410000-0x000000001F490000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

240s

Max time network

298s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win7-20230831-en

Max time kernel

22s

Max time network

40s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

182s

Max time network

320s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

120s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:22

Platform

win10v2004-20230915-en

Max time kernel

168s

Max time network

550s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win10v2004-20230915-en

Max time kernel

138s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

237s

Max time network

294s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win7-20230831-en

Max time kernel

17s

Max time network

26s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:19

Platform

win10v2004-20230915-en

Max time kernel

199s

Max time network

311s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4788 -ip 4788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

186s

Max time network

318s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:17

Platform

win7-20230831-en

Max time kernel

51s

Max time network

59s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:22

Platform

win7-20230831-en

Max time kernel

250s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:19

Platform

win7-20230831-en

Max time kernel

176s

Max time network

321s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win7-20230831-en

Max time kernel

240s

Max time network

291s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

199s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "580787930" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003254221bfcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063067" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403777078" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d50d1e1bfcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "504226378" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063067" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "504226378" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "580787930" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001525ae190b18d34db1dbd7ec8193257600000000020000000000106600000001000020000000908e858a7c32c91d79687287a679ef3b89b9c430e386fd7e510c46d6b652cbf7000000000e80000000020000200000009900f7c5df1c30d81e71dc82640839e33564db0e28cb14b960544d4147aa10fa20000000752df65c3227dec48923774844910ccf29d8dee2a642e98611e9f949b0cd5cda400000002c55e9bacee1136039fe305039fa55afce3ffaab4e36b492f372401af3ff849b3271a7a72b906187eef10c39ae07f09578ce765e5a0688a221aed27c5908c603 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063067" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{45ED06A7-680E-11EE-8688-6A906B243823} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001525ae190b18d34db1dbd7ec81932576000000000200000000001066000000010000200000005851d5db9443da194ab2d135e5024303d21187c5424b4d561c5ca35f46838a1a000000000e8000000002000020000000e8cef9759a8920ea3eaaee6c0d9d1b0aa3ce403c32e8ee533cf5e10d65d8b24c20000000d83b0dfa49ac8b1edbd18d54da20e1161409da93c972deeef5fffc9cb4c470a3400000004feee38dfac2167a7d077aff3cca66d67d6bcbdda424e01d10deb38eb74c4925d1681aeb8389a0d34029a97afe67bcabce01d8bd59f213be0e613386fcc0321b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063067" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verCD68.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YQR9M4BX\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral24

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win10v2004-20230915-en

Max time kernel

125s

Max time network

273s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:19

Platform

win7-20230831-en

Max time kernel

164s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:16

Platform

win10v2004-20230915-en

Max time kernel

131s

Max time network

198s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:17

Platform

win10v2004-20230915-en

Max time kernel

134s

Max time network

268s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4192 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4192 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:18

Platform

win10v2004-20230915-en

Max time kernel

189s

Max time network

284s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-10-11 06:19

Reported

2023-10-11 08:19

Platform

win10v2004-20230915-en

Max time kernel

137s

Max time network

267s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A