Analysis Overview
SHA256
e2ecef45c93106ac6362d113c14987ef52a318bb41b74b1c2c7c3f36868f723e
Threat Level: Likely benign
The file crab1.debug was found to be: Likely benign.
Malicious Activity Summary
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 15:34
Signatures
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:47
Platform
android-x64-arm64-20240611.1-en
Max time network
36s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.238:443 | tcp | |
| GB | 142.250.187.238:443 | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:47
Platform
debian12-mipsel-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 16:12
Platform
win7-20240611-en
Max time kernel
1763s
Max time network
1820s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\debug_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\debug_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\debug_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\debug_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\debug_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.debug | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.debug\ = "debug_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\debug_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2576 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2576 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2484 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2484 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2484 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2484 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\crab1.debug
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\crab1.debug
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\crab1.debug"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | be32956d9ebf6df7edbc8465a8f9af06 |
| SHA1 | 6e0a3afb5c461a6aa7cce144dbe34fd3c0a571c9 |
| SHA256 | 9cdfe19bcdd3cbc0bc8236d2a83f89fded56d3d081141545359cdadfaeae0148 |
| SHA512 | 73c39589d78b8da1e9c7c5de6939b41d1f228e597cc6ae5ac7aed795f17b8dc77d25a863dc0f047abd69407a83ea11297569574fdf59432e45bf0fd348956464 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 16:11
Platform
win10v2004-20240611-en
Max time kernel
1371s
Max time network
1176s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\crab1.debug
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 16:13
Platform
win11-20240508-en
Max time kernel
1773s
Max time network
1799s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\crab1.debug
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:45
Platform
android-x64-20240611.1-en
Max time network
35s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 16:08
Platform
win10-20240404-en
Max time kernel
300s
Max time network
1817s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\crab1.debug
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:48
Platform
android-x86-arm-20240611.1-en
Max time network
35s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.206:443 | tcp | |
| GB | 142.250.187.206:443 | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:47
Platform
debian12-armhf-20240221-en
Max time network
62s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:47
Platform
debian9-armhf-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:48
Platform
debian9-mipsbe-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:48
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
11s
Command Line
Signatures
Processes
/tmp/crab1.debug
[/tmp/crab1.debug]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.61:443 | tcp | |
| GB | 185.125.188.61:443 | tcp | |
| US | 151.101.65.91:443 | tcp | |
| US | 151.101.65.91:443 | tcp | |
| GB | 195.181.164.19:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:48
Platform
android-33-x64-arm64-20240611.1-en
Max time network
44s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.36:443 | udp | |
| GB | 172.217.169.36:443 | tcp | |
| GB | 172.217.16.228:443 | tcp | |
| GB | 216.58.201.106:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.201.106:443 | udp | |
| US | 162.159.61.3:443 | udp | |
| US | 162.159.61.3:443 | tcp | |
| GB | 142.250.179.227:443 | tcp | |
| GB | 142.250.179.227:443 | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 16:18
Platform
macos-20240611-en
Max time kernel
341s
Max time network
1584s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/crab1.debug"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/crab1.debug"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/crab1.debug]
/bin/zsh
[/bin/zsh -c /Users/run/crab1.debug]
/Users/run/crab1.debug
[/Users/run/crab1.debug]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.CoreAuthentication.agent]
/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
[/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.akd]
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AccountPolicyHelper]
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump]
/usr/sbin/spindump
[/usr/sbin/spindump]
/usr/libexec/xpcproxy
[xpcproxy com.apple.diagnosticd]
/usr/libexec/diagnosticd
[/usr/libexec/diagnosticd]
Network
| Country | Destination | Domain | Proto |
| GB | 17.250.81.67:443 | tcp | |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| GB | 51.132.193.104:443 | tcp | |
| US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp |
| GB | 104.77.118.121:443 | tcp | |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.17:443 | tcp | |
| GB | 104.91.71.135:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| GB | 17.253.77.201:80 | valid.apple.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| NL | 23.38.23.39:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| GB | 17.57.146.7:5223 | tcp | |
| US | 8.8.8.8:53 | 12-courier.push.apple.com | udp |
| GB | 17.57.146.8:5223 | 12-courier.push.apple.com | tcp |
| GB | 17.57.146.9:5223 | 12-courier.push.apple.com | tcp |
| GB | 17.57.146.10:5223 | 12-courier.push.apple.com | tcp |
| GB | 17.57.146.11:5223 | 12-courier.push.apple.com | tcp |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 95d1f6a479ea836bed553646ebef85c1 |
| SHA1 | 19da469018294e373c788d888e5c55e0bb18695e |
| SHA256 | fc78047a7293b7fba3abe949497f397804f86e2ff04c29c4a549df60aa877aa2 |
| SHA512 | 3f9b8aa7efc6cbbcf6672e0d08a630178c653894d800e9125ed18774de105bc564b097120e98b5711cec5d05d95b41fe822019bc10038055eabf341b0c12845d |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:48
Platform
debian9-mipsel-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-14 15:32
Reported
2024-06-14 15:48
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
0s
Max time network
9s
Command Line
Signatures
Processes
/tmp/crab1.debug
[/tmp/crab1.debug]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| N/A | 224.0.0.251:5353 | udp |