8a159b0175b55083291e8356499f7efe42083863aea317f553c0779326e7a1c2

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 21:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CraxsRat10.31_Cracked.exe
Size

86.2MB
MD5

39dd54c44266534e782cefcaa8ebd1fb
SHA1

ed8a35d1ad6bcde4853411de9fea036468dee95e
SHA256

8a159b0175b55083291e8356499f7efe42083863aea317f553c0779326e7a1c2
SHA512

5fb4d3c5623d4a5797d66983a7987c2c486878d3f8c1b6f0c15dca21d0d2fd52e20f0b0cd224b0ceb76dc797669627e60f30e8f8cee7701b9aba7ab279c617d4
SSDEEP

1572864:28wyR88P4amp+NX10qTQTAMzttZmFXtI:2P8Q5qUAM5HmhtI

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CraxsRat10.31_Cracked.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CraxsRat10.31_Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CraxsRat10.31_Cracked.exe

Loads dropped DLL 1 IoCs

pid	Process
1856	CraxsRat10.31_Cracked.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00080000000234c5-3.dat	themida
behavioral1/memory/1856-8-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/1856-12-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/1856-11-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/1856-13-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/1856-15-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida
behavioral1/memory/1856-17-0x0000000180000000-0x0000000181D0F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CraxsRat10.31_Cracked.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1856	CraxsRat10.31_Cracked.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1856	CraxsRat10.31_Cracked.exe
1856	CraxsRat10.31_Cracked.exe
1856	CraxsRat10.31_Cracked.exe
1856	CraxsRat10.31_Cracked.exe

C:\Users\Admin\AppData\Local\Temp\CraxsRat10.31_Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat10.31_Cracked.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ProtectStop.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- System Location Discovery: System Language Discovery
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DN000000006569C4B6\Runtime64.dll

Filesize
13.6MB

MD5
21e00d8cffdb42642b3b413540e9dd24

SHA1
eae6d44c96117fcf12b4aebad2b95af76bd11f8c

SHA256
611bb16bff870f5de73b83a4dc37e1dd519c4dad9ca323e5908c67516f2109b7

SHA512
e938e2c94484da96ec813f401e20787e91923377be9f8217d3a9e3a4d10a36e1ec548db054c99e03abb117b2897a44556a9de4c34b57b1fd3b190a321746906f

Download Submit
memory/1856-14-0x00007FFF7D5F0000-0x00007FFF7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-1-0x0000020A8C960000-0x0000020A91F98000-memory.dmp

Filesize
86.2MB

Download
memory/1856-6-0x00007FF4325F0000-0x00007FF4327DF000-memory.dmp

Filesize
1.9MB

Download
memory/1856-8-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/1856-9-0x00007FFF7D5F0000-0x00007FFF7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-0-0x00007FFF7D5F3000-0x00007FFF7D5F5000-memory.dmp

Filesize
8KB

Download
memory/1856-12-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/1856-11-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/1856-13-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/1856-15-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download
memory/1856-16-0x00007FFF8D1F0000-0x00007FFF8D33E000-memory.dmp

Filesize
1.3MB

Download
memory/1856-18-0x00007FFF7D5F0000-0x00007FFF7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-17-0x0000000180000000-0x0000000181D0F000-memory.dmp

Filesize
29.1MB

Download