Malware Analysis Report

2025-05-05 22:25

Sample ID 231011-gy4blaeb7s
Target CraxsRat_V6.7.zip
SHA256 f6791a29f821f63c240d4afb4e2163299071e298b12f8365ddc9256263289a14
Tags
agilenet
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f6791a29f821f63c240d4afb4e2163299071e298b12f8365ddc9256263289a14

Threat Level: Shows suspicious behavior

The file CraxsRat_V6.7.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

agilenet

Obfuscated with Agile.Net obfuscator

Unsigned PE

Program crash

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 06:15

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

57s

Max time network

64s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

221s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

233s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2976 -ip 2976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

51s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:07

Platform

win10v2004-20230915-en

Max time kernel

112s

Max time network

562s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:58

Platform

win10v2004-20230915-en

Max time kernel

88s

Max time network

199s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

240s

Max time network

352s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608122cf18fcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000301e05fe967ef933f37a4008cc5ffe53feb90ef6c13086a3fb313d60875c9020000000000e8000000002000020000000b9f1f168eb2e28bcfc681095374fd77f8b942497a5b3b6cfd59a860707af341790000000e2efa8715c7785395c4b2524bfc9df948a0febd17d9315ed7213358dc3f5280e48f409a3d769c846c68bdd0890966fc5b9f91d5368d4c2ef5031341fc9e03c3f20f014913beeed799741f2c822959968eea309ed9bed68c3e8a6664e191f37c16c0c7eed8c5c62ee30af0e8776b92c198fbc8888008944c0c57d55f77e0aa66707711040f739731a3d73272e6ad6acfe40000000f36716e8cf153f56b9dece3a794a298030ebbd30ef8beb2f6fdc0392a42dffab210d45b3479b179cddcd24ed322cc5d81974db4def498612b20e083d743fae15 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403172986" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000f24f16a951eed3389e00b75c75fd0ebc2d56e6cb92f249c91b90cdeb015883fb000000000e8000000002000020000000d6d5933f13e3665393626061aafd2207b0924ea2a465563f9400d0bda803afac2000000004cbcab2586a1b15fbdce2246b20129421e083f835c35f36a7f5ccf802f360e64000000074ba1be4d9d56152b1856be3b545094cdd1ad4fa8f9597a567d827500ccd6302931100c0393d66f4e1fd58942c671336824c37b9b0ff0f37bf9bb6f6315d271f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA3B2870-680B-11EE-AB25-5AA0ABA81FFA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabBBB4.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarBC34.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5d3a5fc8b3d3ff1aa86785a825988d3
SHA1 25c3cb375ad415ceb333737340573edd48b7d639
SHA256 9598faeecf99c8a5f5fe53a56a789c6d6c5fe2b7872d3d5cf859b6f9ea56a0d7
SHA512 23dc741b5991b5b4bc703d831dbb43a8fe2d58a1e0d6ceb82938d41c7bcddcc16f6072dda846624ba91f90a5fd5f5ee9ea561323214a0bf838ae3353e4a1e7ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd8518b3317f1cb9a61efa818f479038
SHA1 a31975e7125118f7111009bc037e79d5a807d47b
SHA256 e5426d1e92b3cc1777e798f5a96335ecf04f626e639f59c994b7dd51ffb4b5ed
SHA512 a2fef0689c44ea48c9be1fb99825a6d310330e76446f117fbaf0d8ac7993c4ec05892b9637042814ff8b7d36c9949031758cf56de7b4512233adc954c2e45879

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 088371ae4446c7cd5b814899a3e1d227
SHA1 99a983f807257778bf2fb474c4cca8c11e998ef0
SHA256 44c8db345bf13b68200cca59fc4a9612391d8d4eea417545247493ca305831b9
SHA512 e183ba9f259a76f9c25894413bc66a1f9a64afb38e878ada4c3e29fa6186a661023517d9e51c4924fd709076f263fda7e6459f26f808617694bedb4515f119e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bac9941f23ed3fae86cf011fc258afd5
SHA1 addf1b2cfd135194777f4047596deb78fe934f63
SHA256 989b4d59184071607860c00947acbf588537f87133b5a2d1be9d885e2706adb1
SHA512 c88ed4fa9714f61ba2af306381f36ec835a8e6465c4e8497a2586aeea08d218b038ee6c5fa78ce8df16ef9c816cdb99d3d0d3d0381ac35a1dec8238acdfbf420

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d171ae45c53b0b472b24fb570217d0ee
SHA1 64f94cb2190f6b022fe21a2445a3e4f4b6534663
SHA256 27586e0a8c0282023dc743592802d94f6256344dd5e89d164e03a429fd052155
SHA512 2a63e4ebd3de3d3b43ec4f5cf3425ae0a5385f6fa26158f2cabcf05b9e6ade0091cfb49bd68a84bf9565f13714ad09bc4b953554d06f5a8d398d4434298672fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 166c2ed1b56c87a4d74c6ff0ea2d8073
SHA1 de25338e06dc6dcf593db08dabd57ed0e9f2002b
SHA256 c92169ac74b7536389f594f18d1cbd1e9c9c9d7a8b3b56391d54a7e3382efa6b
SHA512 745f614abc733c870c420db0a1da04b894c30bdc5ec0d773779d86c27c49e51bff4e8f9928f68c05660504e38a98f2bbfa34013f23a0795eda9b8965e5a13f4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 515b66aa774b2429b5b3a131744254e2
SHA1 1abdce34149d95610a9e78317d7c8806a129d1f4
SHA256 c8fe6a66d24ea1334d036ba25f08e42130daba5cd2652d1bdd8517e4a56a1a37
SHA512 e78004b9ac57d953f8f884626df2228c79db27f843facb474522f259fc11a5c789bc9c0a66dd900ea8fd92ab586fd37b342a59e2382f87329299be6b79296526

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce0dc9d322098558d414de5ce56d2717
SHA1 8eb9cb1ae4c48f6f76b8f2c362be8eeabeb3c746
SHA256 52368382f7a989e0c4fa85e0e40a5f6a2a4e754d5a1581f86ff4f3eb71247da6
SHA512 f4c2b982b96891e854bdc70ef5330fb163011fd4b9a3e75577dc99e3973bf4a20a35a76b8584cdd1305ab0f10c0c38248447722079cd90d0d8fa2e7cf30b9257

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d5cf90c62476735df64c378597526b3
SHA1 384ac449c2b4603f1135f6da28fcf41f557000a5
SHA256 3926694920ae02c8cc844f9cf8a543cc3b038a510ba5c09aec3781486e9e42bf
SHA512 975b69fe1dda50b0b4aa4c27c4eba758bafc79f36599df85be8efeba93ef8118d45498b8703bf5ce1492e10d2ae5a8315bb5820cf0c916ccfc863f97e188bba7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66acba7e6a3d7101bbda3230f903c603
SHA1 c1220f2ea0fdbc4cc0f12ed9a563aa5be5111df9
SHA256 1ccacf60e07d7194d9f1bd1583b4f50684f7ca46a0c81fd46679763abad11d69
SHA512 0fdc481e87fc7e430dcfce1e35a6691c792213e6014888a788facf7e9074c5da002254cc2138dff25b11200f3d1a8f5ee39c5d37b09797850a06ae773539afcd

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win10v2004-20230915-en

Max time kernel

144s

Max time network

305s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win10v2004-20230915-en

Max time kernel

114s

Max time network

186s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:58

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win10v2004-20230915-en

Max time kernel

110s

Max time network

257s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.34.232.68.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win10v2004-20230915-en

Max time kernel

185s

Max time network

294s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3088 wrote to memory of 4368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3088 wrote to memory of 4368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3088 wrote to memory of 4368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

246s

Max time network

320s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

233s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063064" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2269497798" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063064" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063064" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b03000000000200000000001066000000010000200000002632e1c18a3cbf286decb3b695786cb55ab4ca3319657334af6d4793ab46da79000000000e80000000020000200000002c170fd7b390412fcc846f9aecfbf3404d1111e213e4be6c4d75db3ff4a5dcdf200000008ce17111e6b564c43088099973e3398d7cf48ef28c4f312fe3ebdf9d5e1944514000000084807f3fe1989fb295a804f1eb01eb6c6586d2624333c1a6feef4b859a4030a6e554d7b5ce8367734a6dea960d4da6508e3489e25a7c13200d31b0ab09460ccf C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90de4c9f18fcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403775997" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C27A8746-680B-11EE-B0C5-7ED7EF050214} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b0300000000020000000000106600000001000020000000c1af676dc15b0fc00066b815a6007c9b42c685246d93e55c1ef2a1daf4274fa4000000000e8000000002000020000000656ebafd09f5a4f7c1fc4edf418f2fd61ff18f2d651835075f621348a6a0801320000000644c94853e1f329aa48c6c2b71f9e13fab3946d55a3d960f1c09e3aefd50998a40000000dee00b72805db801ad42e91c58d132e53e0a342c144ec62aaf09e7e747c03753fa079896378cb9a21f826d615300abfbc8c2efed13df15b5e7e5f0e95201882a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2269497798" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d040399d18fcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2675590964" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\ChangeLog.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3812 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

240s

Max time network

293s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\DrakeUI.Framework.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

53s

Max time network

88s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\res\Lib\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 224

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

57s

Max time network

88s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\GeoIPCitys.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win10v2004-20230915-en

Max time kernel

171s

Max time network

239s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win7-20230831-en

Max time kernel

48s

Max time network

74s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRuntm.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

240s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

237s

Max time network

324s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:01

Platform

win10v2004-20230915-en

Max time kernel

184s

Max time network

277s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.34.232.68.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:01

Platform

win7-20230831-en

Max time kernel

240s

Max time network

291s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\WinMM.Net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:58

Platform

win10v2004-20230915-en

Max time kernel

175s

Max time network

259s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:02

Platform

win10v2004-20230915-en

Max time kernel

281s

Max time network

359s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.WinForms.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:01

Platform

win7-20230831-en

Max time kernel

240s

Max time network

320s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\System.IO.Compression.ZipFile.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:00

Platform

win7-20230831-en

Max time kernel

238s

Max time network

322s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Network

N/A

Files

memory/2352-0-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/2352-1-0x0000000000CD0000-0x000000000528E000-memory.dmp

memory/2352-2-0x000007FEF4100000-0x000007FEF422C000-memory.dmp

memory/2352-3-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-4-0x0000000000170000-0x0000000000192000-memory.dmp

memory/2352-5-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-6-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/2352-7-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-8-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-9-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-10-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-11-0x00000000003B0000-0x00000000003BC000-memory.dmp

memory/2352-12-0x00000000003C0000-0x00000000003EC000-memory.dmp

memory/2352-13-0x0000000000570000-0x00000000005AC000-memory.dmp

memory/2352-14-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-15-0x00000000005C0000-0x00000000005CA000-memory.dmp

memory/2352-16-0x00000000005C0000-0x00000000005CA000-memory.dmp

memory/2352-17-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-18-0x00000000211C0000-0x0000000021366000-memory.dmp

memory/2352-19-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-20-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-21-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-22-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-23-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-24-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-25-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-26-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-27-0x00000000005C0000-0x00000000005CA000-memory.dmp

memory/2352-28-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-29-0x000000001F480000-0x000000001F500000-memory.dmp

memory/2352-30-0x000000001F480000-0x000000001F500000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:59

Platform

win7-20230831-en

Max time kernel

119s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\HVMRun64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:57

Platform

win7-20230831-en

Max time kernel

19s

Max time network

36s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.Wpf.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:01

Platform

win10v2004-20230915-en

Max time kernel

153s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\CraxsRat_V6.7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp

Files

memory/3024-0-0x0000017D27260000-0x0000017D2B81E000-memory.dmp

memory/3024-1-0x00007FFC57190000-0x00007FFC572DE000-memory.dmp

memory/3024-2-0x00007FFC55870000-0x00007FFC56331000-memory.dmp

memory/3024-3-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-4-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-5-0x0000017D2BC30000-0x0000017D2BC52000-memory.dmp

memory/3024-6-0x00007FFC55870000-0x00007FFC56331000-memory.dmp

memory/3024-7-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-8-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-9-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-10-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-11-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-12-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-13-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-14-0x0000017D45DB0000-0x0000017D45DBC000-memory.dmp

memory/3024-15-0x0000017D478B0000-0x0000017D478CC000-memory.dmp

memory/3024-16-0x0000017D478D0000-0x0000017D478FC000-memory.dmp

memory/3024-17-0x0000017D47940000-0x0000017D4797C000-memory.dmp

memory/3024-18-0x0000017D48490000-0x0000017D48636000-memory.dmp

memory/3024-19-0x0000017D4C190000-0x0000017D4C290000-memory.dmp

memory/3024-20-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-21-0x0000017D4C190000-0x0000017D4C290000-memory.dmp

memory/3024-22-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-23-0x0000017D4C190000-0x0000017D4C290000-memory.dmp

memory/3024-24-0x0000017D45FB0000-0x0000017D45FC0000-memory.dmp

memory/3024-25-0x0000017D4C190000-0x0000017D4C290000-memory.dmp

memory/3024-26-0x0000017D4C190000-0x0000017D4C290000-memory.dmp

memory/3024-27-0x0000017D4C190000-0x0000017D4C290000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 07:57

Platform

win7-20230831-en

Max time kernel

13s

Max time network

28s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\LiveCharts.MAPS.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-10-11 06:13

Reported

2023-10-11 08:09

Platform

win10v2004-20230915-en

Max time kernel

184s

Max time network

657s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CraxsRat_V6.7\NAudio.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.34.232.68.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A