Malware Analysis Report

2024-11-15 08:36

Sample ID 240901-t1d6pswbrl
Target CraxsRat V7.zip
SHA256 38a7cfbcb792042b1c5ccd4e0b3cbcffdf48f54830af1b20de4c88ba4d5e6971
Tags
discovery agilenet
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

38a7cfbcb792042b1c5ccd4e0b3cbcffdf48f54830af1b20de4c88ba4d5e6971

Threat Level: Shows suspicious behavior

The file CraxsRat V7.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery agilenet

Obfuscated with Agile.Net obfuscator

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 16:32

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240704-en

Max time kernel

120s

Max time network

130s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\Config.json"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\Config.json"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\Config.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\Config.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 829d1f3e92bdff8128e4b5fe15e1a778
SHA1 460577aaf7d57329d48b472df02ffdef69948680
SHA256 00c196f798df04da0696c78f764f091178f3da9c5a3c38a365657c2f83a4894a
SHA512 c1a6892cba87e966683cfbff37e2eb8f4f7dd19c13b4c4383953d657eadeaeac469c02c41dbbd2aa09a18d5354e7bb28e984c6c0a82a2a3d1a5d4b67627a9e4f

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

159s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4888-0-0x00007FFB22410000-0x00007FFB22420000-memory.dmp

memory/4888-1-0x00007FFB6242D000-0x00007FFB6242E000-memory.dmp

memory/4888-2-0x00007FFB62390000-0x00007FFB62585000-memory.dmp

memory/4888-3-0x00007FFB62390000-0x00007FFB62585000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:37

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

158s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\ChangeLog.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3852 wrote to memory of 1216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 1216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3852 wrote to memory of 3588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\ChangeLog.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fb0e46f8,0x7ff9fb0e4708,0x7ff9fb0e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,9444760444103797420,12352994342664129904,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e765f3d75e6b0e4a7119c8b14d47d8da
SHA1 cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256 986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512 a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

\??\pipe\LOCAL\crashpad_3852_XPYMSLIMPXHOFGFP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 53bc70ecb115bdbabe67620c416fe9b3
SHA1 af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256 b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512 cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3864a2a9a897e6aa376f135d94bf8f1d
SHA1 e72cda4e65de416dd566878dedcb2ca0fbcecf79
SHA256 de7c7d94b3e6ab9600e2106731b20633954b5e4e67ae4c9efe9a01922532421c
SHA512 b6deaddda62d2f279819398c2789924343ca1aef70b380fe122288f560482be64ad871ca291f4199529d340a1ddc06abd0308104820a07bf79f013ef0a3ad882

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 90cfd1836396b9aa4102732436bda0f7
SHA1 b0df819b778fa63a628bc46c5212a39aa5d3b4f3
SHA256 c526367a3996bd4459359430827ac3175d46b824bc9199e2580710774786bfe9
SHA512 96a6f9e81b4fa964c4b611567c9da34580ed7d8416982fd7078ff1af91b8763026891b7cce85f0b354f80d27b449956b0d1f07d713d039b566f1f01eddc5a00d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 118fe8d89153a12f7a9fdd9c1705167f
SHA1 aa6dc5a50be9445b43381ccdf0d3ea67c650b80a
SHA256 117cc408f323eb1a62cdde11d91a1f74442014d544e452039b2a1fc0dad381a4
SHA512 529af953db0e90b58106c0ea36ffc11168764bc8183896696767bdf8e2f2baa72a7a67c9b21ff2620ec9b2e6a3f84db8de0bec881dd623e9658554ced786155e

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

88s

Max time network

162s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\Config.json"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\Config.json"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

159s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRuntm.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3800 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3800 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3800 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRuntm.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRuntm.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240705-en

Max time kernel

122s

Max time network

132s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.MAPS.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.MAPS.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

130s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/2464-1-0x00007FFAE502D000-0x00007FFAE502E000-memory.dmp

memory/2464-0-0x00007FFAA5010000-0x00007FFAA5020000-memory.dmp

memory/2464-2-0x00007FFAE4F90000-0x00007FFAE5185000-memory.dmp

memory/2464-3-0x00007FFAE4F90000-0x00007FFAE5185000-memory.dmp

memory/2464-4-0x00007FFAE4F90000-0x00007FFAE5185000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win7-20240704-en

Max time kernel

117s

Max time network

141s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7.zip"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240708-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRun64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRun64.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240708-en

Max time kernel

122s

Max time network

133s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.pdb"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pdb C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pdb\ = "pdb_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.pdb"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.pdb

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.pdb"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8c299e6655c1dab3abed6a7a3582235b
SHA1 076ffc560b2d5ee166e198b4d95f3a921b5d8168
SHA256 ffcafec2c68fdc019daa40321503ef361b1db8ad73a5332a25d21aa59819eda2
SHA512 a13f2fb84ae28f85307162209c960bfd2b8ff100e5719d6caab8a466d018b20f3e13bae4b69261e8cbe96533534da7d88792ca84ec0f2b420be19426ebfb1a43

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win7-20240704-en

Max time kernel

117s

Max time network

145s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

153s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:37

Platform

win7-20240708-en

Max time kernel

117s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\ChangeLog.html"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18F46861-6880-11EF-9452-E2BC28E7E786} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000476b75a6cdae5660e3c738c88094ab1bb56752b8d013d78d0fac1754359e7259000000000e8000000002000020000000c4396c01c73967c8758d3181aed068c8e61285a15d846fd24344c286b42ef856200000001652ca2c78436128776583c01afc8b01ee013e6d0b3c7b9e0c9d7c5af4bf542440000000ee99280f156788372bd8ee01b03148974a5f19bcbaaa6a5f5afdbbb6f9f3f3c6597aa338292b45ee3032bd39273985226969687cc3d74018817fc0bc3d8ab6d7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431370353" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306076ed8cfcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000023586e81435ac1bdfd5614755b9faa8c0e017b5f5b3b825653dcdbfdfc6fd7fa000000000e8000000002000020000000bb0b0d2935749b30d57a494ba7c1ec2354ee23a3b16b58b3fc86055a340761d890000000d50e94ddfce21c4824cc77668942e2dd40613bc2b806a1ba76e10feb141bc2c90c6ea85703ee9f31902cac31bdb385d54887fef8a3c9bc51c352bdd3e6e2727b29c0ad27d6f4eb70ec134d6cf4e9dd83174e836a79e0dbcecb37596610a4ab938631577ef913150b76828cdd093169ff449d54ede7c33f425bb631fdac49332ddd7e96ada38cf8c69c730bb8d2ce989f400000008f9be1ec3c1bb12278ff1d29ca0b9ab0c673838a9f8a3871f408b92b008cf54d479f9fc40f8dff02a5a91e7f00a6fb511633c1bb1467fb2078e05fdf02429587 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\ChangeLog.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF27D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF31C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99d988a239d45ed6e56db46535f2fa3b
SHA1 aee7c2010429f2a792451a68eabec736afe3806d
SHA256 758a479f9f5ab4a1173a9eca87504792e00009f2b180d77d681519a59b4473af
SHA512 d6bb8f7376df76ea47f5de75ccb888763d39f2fdfb8bb6e7b1c17742b503a6559f94167bc64893dc500a62070ff8051408a42374776283a6730691fada524b37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bc7449a38fc0e48b4e1942b4b9176d2
SHA1 8b52e3c2fbff8689fd3878e9473ad55390fe39da
SHA256 fc85aa7e1df685c69691ce5f1dd283051771d64df51581ac96ecb0885eac8687
SHA512 c0f14c1bebc0b687905b44bccabcf7eb8de07ec3b52dc47534776eb2cd22736a21576e2a8fda7668171a1c3ea960fb1597319b7e388efd0f5d71719e005e2879

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9dd4c2aca2780b929fddaffa27987fb
SHA1 ade954e9794c77970cee380b56410de9623decb0
SHA256 742c203af67fbf16e30e9d717ce12131808e60b4f63bc210ee3bdddfc747449f
SHA512 d871f04416f69f1303c7e72bf5313e27d21262cb04d7cee7418c4369b0e35cc35d481d87cbe1aa58a94f9f3ce5b66b1c19f497ff1f8099c345e0c2cdb2c87bec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9dacf3ea98d2c83dac12ec9d5e069b83
SHA1 b8b61852099a176cf0e879063876596f7ca89c23
SHA256 819fd82c2c721202ab7ef360e48968da52e74d3b1ae411872bb23c8e632087ba
SHA512 93eb92c21f97df7fbc7435ca7a2a558a361495f770908014a30d96fb0db41ac11295ccb44b989407ccbea6790865df2612d9c81384a7dc41dea228162005063e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 247bca0ec5398a9aa040adc54e730656
SHA1 3c5249a6ef04b784fecf6ddd712d03f44a3f2cf7
SHA256 038e473d4512828d614fe9380908c911eb055ef7ad668ea764119dbcc512878a
SHA512 7af5dd737184516e3c095c4bc556c0d6c9fb29e0dbf9d6450283566d062d9d7d028808e319247eca25b784b4ac46cbf2e71fa164bd1708278230c6f1f973df04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 834218b1ba5557a2ea8cef5835f3252b
SHA1 a9f8298dfaffe1f066883949c6dff024ec37a5b4
SHA256 33c9167c9d64d30bc947f2bed219d4df4d41eb246fb1f950cbd57033a17cdb8e
SHA512 aee3aba85e4a06a5f0a12e4084f50d5c1cf6df9615cc5b4218742bbcf48aa213102a40d5d1c90604c073d4a2ace53f8a52a4edd4ef610813e96d39404b722295

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97b90eddf3aa9ec35434001d37a14ec0
SHA1 30640fc994edf7ea180541aa162a0f1acf0a6749
SHA256 967e65e64b1d21789d2dcd6366b11c5920432c923fac75270009b934e08a287a
SHA512 b0dfd4471c952a6f2482eec9929fdf3b3123c2b74d56ccb028b686de1bb5ce99f52b07a48542263c75684f7af27a358797a2f694934a5c9d414ee8f54653c52c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e7e70a4344bfa13eafc67906e8883cf
SHA1 6cb6b7259573de6a13a8a68c80b39ce1cbbae3b1
SHA256 2c8f0d94d1589e5a3ef075afdce54a442a5598119657a2a6e7047ace4ebe6e91
SHA512 24bfd71d76df5d80888a19853c9fd8fe464869f35c114cdde501fc9f09d9071a64800b1bde50f6433f3dd0408572ebb4b0ef6f5168767e13f88e6a18f9289da2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d911dc16ff5cc787c99e468a06ed96ec
SHA1 fb6370ffbb07f2f2d70dc32b9b8d78c76328d3a8
SHA256 f42e024e67705f397a365ed7904521cf9983ac49d1386bb8e2a9da9b6bfd0a34
SHA512 bc090cddb3b1d31440b88f59ef377314b2bcf7c622047a4fcb860dc6481ccca7903d9d711a924506540d06f30a955dc1f40519e9525c3919ae48ad47f3f00104

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13830dc8eb408ea13c2c9b6ce6f65701
SHA1 8bb867ba6e74654e2667908924a793167c04be44
SHA256 9320137da84b85d763cdbb1251500ebea7f36c92136f9019d5a93ec5a074723a
SHA512 21b5e8abcd060397da6e1e8c8488ccf9aa55f8bc3927c0a3666772af6bb0066a0bee2f22e999078a2d494d7b180a8594b250b94b1a6a3ab795a17a0393345f59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ada85372448aedcab4962125fd0bcdb2
SHA1 7e44ea5d52cd8239ff24a87187efaaf4a804e944
SHA256 5f703d40dcb4967fec50a191be2d985fe3d4cc2e572bb1407f41aa8f6e519c6c
SHA512 bd6d8259b6b4760751f6c11d49bbc5d4a580075cb2b863d06cfc6959bd17d825ac41e553584b19f980519f943ecf1c739fff7b4350aa4d6b0cd7257ac867306b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1fabc45fcd20687dafb8c3f773fbb3a7
SHA1 d71595d71085b7d0e9e92d0cf1f95bceb04b5e6c
SHA256 968ced58ac1df7ea42e9cef6ec8e6b0b1693c48c3be4c9fe0be014754e8e4955
SHA512 dbca3d2a901961d36cfb84a8ef62c094f09e4c6082768bfd8dea358e779156a45ac29071cf7209602cc2f8273e1be2605f4257ecaf5262600109d18cca1f7d29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf7e3577794027fa4bbf58b8bacc24e6
SHA1 c5e5ed2c9fbddf54f1a29d6d0ebbd7474cd61de5
SHA256 ab7e0c5cb3bdf23daa0107a49125961df49e10ad8bb453d5b2d65d18040870df
SHA512 f5b7ac72af790eda750d7703ed5329a2caee25dff4c6706605b40756eb8d0029fed7c4226727841d196092142e13d7d16a01c939b84ce640f86936bf10b0938a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d59e5aa3013b15d628566c7fe0ebc05
SHA1 858d092e5543c0412feac1c6c4d6f238b53830b1
SHA256 e642ee52151de46f89fd0bb7d8975973bb468d6cd198cf6edcfd081020bb6ec9
SHA512 2e22839a598f360afec559ff604e63ea8ba1206655415e799f0d67515ea56e3b1c66914400eac9e87fef6c2cceb469f005ce7bd1a022daa5975087eef0b34379

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdc9d6fc6c020200ac6ca15d7ee048ef
SHA1 1aa5e096ba32c56861193760e2c3ac4c976c85d8
SHA256 f44790969f0b1aba88d87a2cb420ed8c662853fdc2b672550ec00a0cbce6fedf
SHA512 476140265fd64981e5719b4c75b08705e79c7e9b4eb3d0d9b6db835110f0733d785a14e1dccc952f0afa9b3353e168ef12313c2979b5e521e37ecf6d8fdd031f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee9e152d142f48b2a4186c39fdc78c66
SHA1 0b790e01385eee5e81b1dac4438f8c3e82221cf5
SHA256 180c9b18691ce9d5444721bde3d5f990315ac354217aceb7a0d9e5c1bce058a0
SHA512 3e9fde50b447ab0934a5aa71969c53f69e95afd9dbf50b5ce441caa56655dee02c3e4ead13c4f5e40717d4387044e6d4ca11d53ded309c84226f897c8f5f1912

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6625ea47aba9d8c8b4955be51dd83873
SHA1 734c1241631c6712f37b168298d3665f0618ec15
SHA256 6bf3359d7e00199721b098a9ca4590e4211c3c93e9085ea0ffad2d9c2466183a
SHA512 e6e0bca6ebed3833f9ec3fabb05eb157f3b890296c1162a3ed1fab907438e11ba16330dce176649bb072cfb4de0a5777c64835d548d7fdc6cc64e12ec29717d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 282502e288d53d7d483f06cbc9f8568d
SHA1 3e4085748d1071b563d5a6615baa61dfb2036ece
SHA256 cc8bd2ac01a14a63f8bc8bf8afd2a29aa07a1cdcdd5475a0b0420bd19cd3080c
SHA512 be45ed5d92347ca0d84867aa70b94196ae85f323144287ddfaab1c890992b2aa5953fc97c57c72ed5ef7b92c566d0c9046a246b71c3a2b30b2dbfbc639aaf939

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 776b60c5627580c24281d9ef0bfe4e7d
SHA1 c1a4c25ab22e0b7468c01da433d6f9813a65f217
SHA256 cdc2749c582a0b6809f3e6dd2e68330d7112a334c12520fc54315a4bd454e2c3
SHA512 671357e7ef0b7556b59834742967ebba34082cb4ae05988b750e7f1194a384b192158a6188389b94f27ad7ace6d6a73c1e627e5861f4e521578f6049de2f0c5d

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240704-en

Max time kernel

73s

Max time network

165s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DBB4381-6880-11EF-A251-667598992E52} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b7fa128dfcda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000cfb0673734904e017c001adad580ccb18815b629c475f0dccb8776291bee712a000000000e80000000020000200000002359e69899fa4cbde339f2cbc9206312e7f112aed43c29260f946b9107e7dcf62000000072a6a551560e25674ca8840d26538636cb785e11012d9e63a302dc61ac6c27d4400000002716568fbf2a6797ec3c72439ab6f6fe67288c1e45e9da12bd1ddfae73ca6c7edd3f92128fa6641e5fdadfe0d4c74f7b412bdc6d73e14f1940db9a43a5954844 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000f0e6bf642c5a47c63ddc626232bb3b84e856ab12503dc7073721151d4d2c8c63000000000e8000000002000020000000bd4649366fd834d46dafd038f8ce814a76d0122c69af148082ab3916a2ab8d05900000008a34849aa876daba1f3f44443b16232834305d326414097ff604e2fcf476e5605e0b603938a4673151373eb2b4483f0f9520f938449f1ed6542b69145c039ec760442a1a3c867463f37ca798a7819013195ac33d57e25da9ba6d40a6d77f018f4ec2ff84cf7f388ed0a2397f0deefbe5d6c86d91e14653050c34dde2390a9cd693424e16b8c802407dc81036dad2410a40000000bb66e37efcc2f226f39ef96f9e53a3a989e79b5f6491f002eb611d547abec51214a3e79f04052dd03028b3fc5659a4767939e85b599087f0b2f674c9fcdcd2ae C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431370417" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2804 wrote to memory of 2836 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2836 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2836 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2836 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2932 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2932 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2932 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2932 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4674.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4753.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7e5b37aa11fd27173b9cdfaedb15f39
SHA1 dc43f499c440d34d7a0d81ed57cf7dbdbce1ba2a
SHA256 6459ac7284fddbd188647bdcf2532ac5fce7205bd609e7b218e70f621a683188
SHA512 5cee65d2bf56c7e689a9cc3e9a8a57e1ca7569d87051eb9e922dd7d10a3b63a2ebcbd4b44e5ddd0c47f1673190ef2f425b97077011d8007ca8797e9e84f6d43d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a0bdecfe9599d8f6dbda8764aa90ef6
SHA1 cedf7a5489d071f148df06a36b94e27e220f3002
SHA256 e47008139870bc9c720075dd0387a03b7a6d9465a353f30a0e4241010621831e
SHA512 d53d1a1419242bf60889dc8726a385df5be0f374ca2be0f978c44e0b509f7312f0cc32838037e1aaf350991a580faaf5617f9c76dd0e84d36a359246de595141

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b80e6d445ed881bf1332ebce5e4eaf4
SHA1 5d8118976d11133629157c1c869ebf05828ab9ce
SHA256 37a942508e7cd69cef944625722df5246196e22eb7dd5ac1d88c80efc728525e
SHA512 5991e2dde2160229128e2303e60874566a52f56bc42a6d72fefcd651042ce653efd454371ac6c146faed0018c1917ef6222e5b50babd34aec4ed21c57d763c02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc815ca753af684b0e2e6154213d20a0
SHA1 097d291879334fc1b6ff242fdfa2a98ddb6e90a7
SHA256 a066ecdb9bdf6b468c7513d3605f06e0b6d2671ad812a19aba51e724895688e6
SHA512 2a72f430526065263dc5a805d73a592069a8a57069fc9b00a1259537e6a60167234117c478f5fcc9b355641ef95377b944116c5f18a0389a0741378083028ec5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e8b5d9aa9e4fb79acf45122b69970fc
SHA1 4e8ae5abfd5733cc023de4aa83897e3480fcc8e8
SHA256 0f48637c8ca937b7e04465bf2413b09c3ebc08a3aa124642f93e5c8e89480f9c
SHA512 61313b3548fe3659e57a29910d4f9d0abb2ecad15e0b05d17a6d8d8eba9d022369cde95034f60985a23ca8d833fae7f9c7a4d858f9d1d451d74f788331979174

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ddcdc053db5402ddae72ceb878fd0e0
SHA1 98b1047180a494022b9323e7e6783c30260065c6
SHA256 2f4a165f8f083f3efe4bb92548dde1af94bd6c1edf82bfee95f5f9cf3a840337
SHA512 53af87a51fccebaa5fce185162cc61856e4abfb3ddbba92b06e297e82c7cb4300c5af08eaa0ec1c90a3d0f430bc86c46a25ed1c315398c0a8065863328f59b91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b1ecf6455cea6d1e3adc4c4e4969467
SHA1 715be29e97ee297218ed44f3ac42bb3c67811b43
SHA256 c0ecc8291b1e8a4c2fbe117cdae6350b220d88bbf3ae130ded169de65e6c3064
SHA512 edd508d668fe9b5138052d1ca64a78552407f7bbcc8137e1ec48aa467e6eff351978397ea8b9fc33c055e94accf995ebebd45d8ca2761584c1aed81e867adda8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0048d97e5555eb8bb67bbdc89c788250
SHA1 ab886bdb8a87b5746b2c34b15487f1f79304e172
SHA256 9ad361057f896006252c0ed9d7d8f8f91f30735902c7f25bf7f81fae232faf48
SHA512 afb4869cfbdd8667b8b55e44ff1954a4ad979c9b46acc73e8f0e3dafba207f806651e144c4ac517719bf94c38665479fb25bb429513931ea38a0a118dd6a3486

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 655b56866f324dbe3eab76f8cbefff71
SHA1 16a3b24f691421d483869fd498a97e52dd8df578
SHA256 fec37d66b7867c91abc67043f4b586086c2e7703055c4ccc88a6a9429833bbd7
SHA512 f6cdf9a8fdc50827092b12110d74af116a7ac49848b3bc114a70f06286403a1fd52ec8e968cc5acd2b378229ef0d4909bd0386f4f0faff28f98800ab67858364

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efcc8f679616f20533f199460c0e973d
SHA1 e539a4ec0e32a98d7bd675555e218567724c3489
SHA256 021ddabcc6f5a6588204fd14b75af918ecda554874974a85e594a9f47a67e39b
SHA512 e97bb54e7b65cf5c5445bf0a80baec39dca2d4ec0ac8e3a606fde3785c6033c12ca6689d282a38f014779c25220f88edbb3753532fe7bb350262342cd1d6465f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52533df0372923caea78c1e0e99bfe2b
SHA1 26f9619ebe8fe78de828486d856f65050f134558
SHA256 5bbea645d75515d51de243e0a6a26c406b82f7f2bb61e5a0b0475e0c585d7b97
SHA512 a7768ccfca74dfb4073f8216587fdf1e93bae0125ce7983548dacb237c6df5f883fa477fabaa0069a2a686d8b7fd991df5daf8909ea40d5aded896144827ba12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc5c892915b369f9f290a9e3c934e5c7
SHA1 81ebb06471c83c67946dcc996a69088dc52678ac
SHA256 26925504b7fd96bcb906feb10e3d5e005ddd4f02fd6fa672b74cc2d1be5bc6da
SHA512 7a921d088845be17433307f8884edcc836b67ac6c489c0012be54e9be7da5848770eeb226a3318d8d052034c395b8e0942506e01a6179f98b3e560e485daa6bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23d59a2c4b9f7a3a59f1b0ae7458234f
SHA1 7e6cfff27cc23a1f677a6f923cd735334f56a671
SHA256 41e5677009f8e4ab964562ffd05bae96f1d12a034d892ce1454e808409df1657
SHA512 d7479010967096efa7441567492fa2ebf045271a140dbb8088ceaa6201457b4b3328cebcd142f7b44bbfff2d048fc380d522c4962d123af17f15c565b35574c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5488d9296d157f91b2c1bb6c27b40267
SHA1 3550974b24897ea024becc03700c3e14eb998c61
SHA256 e9a298c962d46e5b9b35960d8bda0663342ff0b3542b47e0a4e6d5266356b76a
SHA512 a0596d588a1360befa6f6d35ee653f29fdda75abdf3b53e9024ff327f92c187b1fad6b7449f9312c97b02f01a8baaf4ca5698cfa47045c24009c512038e0e61e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5222e7e20f489e51e89a150236f4e9a1
SHA1 5f853734af6e33530fabaca8b619d1d1c60c7983
SHA256 da8f10947a826bc5be1ab564fb33d483e622c55b8bb6e5366c3c2d472cb53400
SHA512 52d7f614e48c2c55e2e9fe84729ac3d64e3c5d0729a0c28dd462465a1646e0e6c4bcd2b8e1b391092bd8452fd42dbdd27be1fdc2f9350454dc58db951bf24dfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 699ad9fafeecbc96fed396510d3723ce
SHA1 28026ea35ab5994350dad72c3162d7634339411f
SHA256 d965ff72651e7f61988849c62f66aed51a70ad6c5e08d352548178b02ca7c744
SHA512 2b8cc2457f20552a38a3eb967482f2e05b515eb8ff855811cb975b1dedd10896bee3e22520dfb778f480475bacb3606399fad89b0b05803f5c1529a784cb6476

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1fe29915ada71730221a1fd08ec1a95f
SHA1 81ab32b20d1a82c460d614785bb413b66c66486d
SHA256 9b8ce2e69d44a8fb46f3a742062b232aa9444a531c850f579ae72ae316a64ba2
SHA512 7ad5b5386542566ae4879c451b6796a086b40c9e23fc006f4d322084f6fe756458dce4adeb963f4b6837bd015f2d2827728bdfb56a49af2f99283f54b724806c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd9b4275cf6db5a62a60056c6115f430
SHA1 2619ff88ab7d3ff4b819e71fae25de7662d9e499
SHA256 e03ef5c2d0847fb5e00708bbdd4d988222e32d0aeefa29150dd3760fffcf6d9f
SHA512 d500a22a93e6f3dc7297ea57612233c4d645c40b676476f62c24c55abd0605f9030af911c7db67eef7e0e1c18827c063bdc1ef86cd288df8e539485a98a0be63

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win10v2004-20240802-en

Max time kernel

121s

Max time network

168s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.MAPS.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.MAPS.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

164s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240708-en

Max time kernel

119s

Max time network

140s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431370411" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B696441-6880-11EF-80BD-DAEE53C76889} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000bdb4a870f70970b2eabfe58156c6040871e445e7884801367de39f4d0835f77d000000000e800000000200002000000016f225620eb8920e1b18e07b09c5d8a39d51c2972d159b31aa4678f206562f2220000000d009e28b3bb54628b6baf34f66e1626bc4eef830053bb97f7b72efddda290eda40000000a082b08845bae520721f8a18da740dd81c9d4121e39be1b492816d51106fa19078a36b048a4f7d611cda477013feada808cf3e93958ff23e0efbaab81298ac15 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0df63108dfcda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000064a30f1602b8d582d7da29a2b6ee57166e308ca134af89d7c941c505e8472b55000000000e8000000002000020000000a02e828bdce6d9a943112bb8699bae863f56e221da1017f14db6c9167d7c42879000000083e86f29d57fcc3203345fe6dedd596335b4c58e074b51cefac8bcd2eff5d530ac3cef55aeebb1ddc62807bae4f74a7873d731c18fd3169cd1fcb8095a0dd478aa3ab57f7da962bb5e3b81b241d67fb45a5549cee282f5f3dde0aaf11eaec81df450bd1d048c202864c0101d0c30ad004ea2d086a8df2cfd086dd2b283caa10fa87c6c693200bc7329ae70fd19b00dbe40000000fb2edaa699b81e0d782a787cd32f1fc85720d54f98b0ea0ff55e5abadd2295c413c49490634862aa0f2e9fb39f12dfff1170237b3d171ddc1a6ddeb7a300a48a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2528 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3028 wrote to memory of 2528 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3028 wrote to memory of 2528 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3028 wrote to memory of 2528 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDB93.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDC22.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c030a3887099137afe94952cc724ccc
SHA1 81adc0aa25b8252f27c5a380308e7073f9513bb0
SHA256 c946aa46da45f4ae88d2ff983ad33fc8de88a280c6818816f319a918760a9f0a
SHA512 80191a3fc51d5bd7f8f6c93bdf71e38965614c422721704202ec164d7921b6aa696d8ad4929732f69f292cecb3931d96ca2021781c8dcf779c0ea93055a0657b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25a365770907885b91074127a31d9d71
SHA1 36a08838a26d5ef22f339e528fefd6864f11efec
SHA256 8217dfeb32bf4c89f19f935eebc375917bb7b55f07469924fef7959e723fa79e
SHA512 e8d88a78768cd8204f06b3495c911be11432e7d9f9a9d884137c58b0959e6c286d3a3352d62f2a57f2b230757ee103b43a05cba0ab8bb8628599307a75aa712a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b476d317b798a3445417c9c08a2a0002
SHA1 1bc81a8b5060d06e1ec56f4024564be382de07c1
SHA256 c6238ca959df674f65a74ed65c6e23b447d7898c7bddc1b9c0bdfbe44926be39
SHA512 d5bffaaeaf7f7273e0a121b4f6413106ca415af57e925595ab0ca1dbfe104d1f9b20356101a24a4f5152644b584326c6bf40c6e089f36507c51d89bf4680ddc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18c2638ec28bafe5986e7a0782bec994
SHA1 67abcaa094496ab408b62d0047a180d6c50b8d50
SHA256 f1de46b9745d4ddf3e2d9db6926f020f3adc7e43fbfb39c0aa1d0a7b85ac1d9f
SHA512 a4cd9fed9740df35b7861ca5fa542596c6c3feb9276f45375705922a4d3baa45207848048a1a841c82e83cc297a9a0028add832d8ac2a81116151f6f02974589

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acff5a31f6450301245ffd124ffea68e
SHA1 5aa27cca398bc1c779af30cb4d2180c786f31e13
SHA256 2cfe774f120a13fe4a532587452682be8789422df41ff6db56ce860e304bc197
SHA512 1fe7ad2451c25ead42b513ffe9d40a9d07b9a4d4d09e7356877bc4eef93f3b4a27bdb68a9f872a358073eb00047199855f4080a231d99529280023c0fe11e511

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28471b1885ff77a67018b27182cca0dd
SHA1 d90a45787efce9d05871a2e6966a865d764868fe
SHA256 f8251057c154ee25b32792389ee22dcfaa7b2505f18ea27d504aafdbff1fcac7
SHA512 51fade573068aef6d39c7b88a8c9d6cf37bf4d4e9d4ad2328f765ca1c01ee9f677264b409f463724fdfd7318f10a6d7f6cedf438c1551df5ff17feae31dc3400

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1809b31c62db76fde6d28115d9d69a07
SHA1 23c55cd410fa65c0274ce5b28376f0d7eeddfabe
SHA256 ab8fe9653e2c765915dbb5404184b3d3d7e96293ecfbabeff39ff9a8b3447e66
SHA512 42671171f8b199ae6fc88116512a47d52485327a3ca2c08e804b0f8de19e828d9e88e88afd2a1ae79391c8baf6369118947359f6b740437dcfc072b0231c635e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3268fab211f488a97cd4bc1c24b72898
SHA1 5d95fc71f4112fd0f09c4b031f8666084ad5e491
SHA256 1dfe23cf5f22ef8a2710bbb0c5101e303a5fb6e0a8ffc74b5d1bebf5125ff1bc
SHA512 be12e0656f1b40f8b81fee56d034fd977c2aa3a9db1c6cfa4cf6359555346ce3293178d519305b56698e05d70f3d670e89fa000e2bf3f92fc897d59a40b7f7d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc2ad4faeeddd69f69c3632e1256bae1
SHA1 7662a763f77fc494eb62db1aaf99754f3d858a26
SHA256 e20c0f8722cc6f39febff1bce495cdcc69f8b87f387ce110c730cc12376bd84e
SHA512 04ee48a26857fd0356ebead7b750b796c9432b1f5e4e308e6a67dfd40a0101cc3ca18e134ce53c5208f384f6cebfd8f3a5c06ab4b5acda678ff072437ff0c06c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90c0f533b58dce1122e1f641bf357948
SHA1 456f4b6f9c1be6171119a17395a8f1588c51d3dc
SHA256 2f3513f876e547669b6d2ee4c692d08f0028ce35b4d9e687d6207a8d84c0eb2c
SHA512 3a7a0258012938257b7cb4fe054639a84aae30ce4172f787267595b7b6969532853d087e29c2deade0ebc05c2606debc001101005c7c41e0c43f7221f0cd8236

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b4a7411a01d873f8967aaf4526cfd87
SHA1 2350c1b803cbd64780ac52599b8c5cd4628774c7
SHA256 957fb1e6dcaeaf401eae1f640d0e9a65d3e7586cacc04dd895aa515583d5646f
SHA512 87a89c6055840d86256109ffcd152afc42cb709b053c585e768f894c81bd1fd009c6c044f2ac33b6ad5e8016ab24f314b185363dd141ae94844ff079c582369f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dfab6ab99baaf0228f9b782cbb633b6
SHA1 48196888ea5827b048d67275e5c085a7588b8104
SHA256 061b3a81cedbc37183197ce88ff86101c4709985ab75a11eeaba0cbfb7a9b90e
SHA512 b9f71f69686fde94d8fbacd22f49dfc7128d8d59afb753ff5b423d6eea2d1e20ac23c509466c154b3b84f025d81d981a1d4982365f775a4ef2644bd4caa884f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27ffcbc565672cfe86860869785e4b65
SHA1 46e2aec10c9447214663a700c1336cb84c664c7d
SHA256 cf30a8a79ac711361e750ed642583d593be9c39d5afebe39c2554b8891b96fae
SHA512 e4b06eace6fb1278e8f04d6c86f5077528460a3b74af858412c23020b8c26f19819e63bd05d68b4fc9aa0ea4ef9a3253d6c516744f05e6b69d1b74be92a29fc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6612e828e52df8f72b01979fae61fc49
SHA1 cba39e024b0f627917cb3614ca0343eb649f48cb
SHA256 29ac30c800ea405d151e6fc1b1440790602596637c5ebe09296d578453b699ff
SHA512 6ff4f5e5df4c2561e07353fa4eeea42e5b7cc41e5c3c266dc88f8f921c44cca97c2adafdcc7c167861982e5509991afc6c99b92ac9e8c13a4fc96ce4a41d722e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5d0a8b4110f9d76c8ea1f8f1a808dfa
SHA1 394018a0ff1c1519f9ae96bd26d2feebe5b6d16b
SHA256 2fd9c2e1c686bd5eda3bfcb843908ed3dcb8ed679bb46b1475d3c68a68d981c0
SHA512 e383686a1557db4afb53a01036f4ce2f7cbf6cc31ac8a7ca2e745aabdb5c64614776d9921d0c8371e4a4b6c91a375bba269b423537f85f069cf4137a3af75ba0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc8c6c6759f265e4c45743100f47ce5a
SHA1 4b6e6ac7fc3b5a40575bbeb4bdac2f9ec9d67593
SHA256 b1005d5101c3824590af08a56dd3f7a849388b026a15696309e88d0052e92494
SHA512 75a2d7ce2e16ea6575c17ea6996e42cf0e2036f28a20d92d078636e5e85bfa7f1218f2b716a27a02e89a7381132be6d497ed1c08dc4d5e999c01575bc20333d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1557826eba1bcb64912038ae1630c712
SHA1 a889ea375a55c10766f948bee10518c2eb714f4d
SHA256 b18ed023234cefb0c829cf02b3c6cf0311323afb9d4da2459de2207b25c5b426
SHA512 7ac7bb08a8d8ddedc1f0728f48f727e145ca5aad1605f868dd7f46d93aac692ee4973adb2231735ffc3f56dd433f510795233ab597eb8643a2f38dfeb5f0379b

Analysis: behavioral11

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win7-20240729-en

Max time kernel

118s

Max time network

133s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\DrakeUI.Framework.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\DrakeUI.Framework.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:37

Platform

win10v2004-20240802-en

Max time kernel

89s

Max time network

157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRun64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRun64.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:37

Platform

win7-20240705-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240704-en

Max time kernel

121s

Max time network

148s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000007f980ae91816b3cf2bc3f75e960dcb8c3e77f376a8e93c2bf84c7a0b6ca118ae000000000e8000000002000020000000e2d0accc3ba79ed42181fad289f594cf3da2c18d9d6e1b12f524495fad01eeb190000000abe4c36db1e7c59790f9720ac6f764e1ca138edf27df2cf93d7045d823f9d96e24b047a0755810914089677ccff3b85bce54d4287a419c4e8d90001c82aa0e539aa7792298f1eb1d98c3bf5217462688e0e5f5fdd4d58c20361cd1ba824899b0f682cb6e0657185d2b01702e19d22fdf76a5afec04367dd41c27c4555f1e7cc0438ce29f0feb00a6c8f825efa38594154000000024aecfb7cf8a83580fdae6b4d7e11ed2a726decf44451d977cac291d0d0196cd5a4672a86b9476b6a17f689c937369e838a14276909be02deeb05069a9a70716 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431370414" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902966108dfcda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B8AA7E1-6880-11EF-8B50-EA829B7A1C2A} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000f810ef68d82bf193772d17e7ec0c0317df1618931267eb2d0ae03287bcdc21e7000000000e800000000200002000000097e0ac4e482c519301f7ad61f4845dd9ba49ff9d96ddfe510ef02f174edaebeb20000000d5c15f4937af5531a220a422c761a77b095e3cfa87b14850ed53c4393fcc5128400000008db9aa3f3ce11eb0b0ddb1429cd3ac035d93fdf7cb0840e65807fca4b135ca6f9980da563b90b3251376be6b13189124df408dcb8e432e32609d763b6f2514bc C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2404 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1612 wrote to memory of 2404 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1612 wrote to memory of 2404 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1612 wrote to memory of 2404 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2404 wrote to memory of 1808 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2404 wrote to memory of 1808 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2404 wrote to memory of 1808 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2404 wrote to memory of 1808 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1808 wrote to memory of 2088 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1808 wrote to memory of 2088 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1808 wrote to memory of 2088 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1808 wrote to memory of 2088 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab61C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6DA.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a856e4753a0305fd1d736dcb42d79db
SHA1 fbd8a925a67342843bb76f66cc261b6525383c7a
SHA256 ea8fdb37706767157339215021969cb81e84cbddd54188e5f5e9508f88976998
SHA512 d4b9ba5e11ff4d9a4caf37b6ecd5f578c98165aeee6e873d9c825c28826f2d7b24498854995a2b75c28707f53f3b986cd4f2ca3eb6d71d174418b503101ceba9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5e1422f5a6d73da2e6dba631ae20f67
SHA1 22c37e912c741d66d08f35f54be642e5d05fa17b
SHA256 261481a4c42862754b4ad948925dc6e8352da2132b146f0664edf7c55a23105d
SHA512 a8c06e2e6c481834708f457a78625dac5209246aca1c2602d2aca6cc9b832ed694a84d4f219b23975396003bbd01a1fc4db7c157c30125620d1ccc65be2ceba9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f60834905a1c8021247ba1529690300
SHA1 1d50c727ce951c29fdab89ee348c5775da2950d9
SHA256 a52730bd10187dcec62699b47e1bff88ee609fbfe3930d219f144019ac11bcf5
SHA512 9cdfff98d8dc284b09da2594cef0d5f290f620d1daf4e35fe16205bd7d4f82af5e020faa9ea8c78166193153b9d0c89d5ddc97e9100d453dee888a525dfd402d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74f718cea1e680273bff140a694f6aef
SHA1 37d0ef7db7a1db705b7508b81b33521c6ef1e82f
SHA256 60b7b802455b9f85962a7c854decfb890ebb41c19b11a359c8aaafb80d81ec0d
SHA512 9091a32be8866f95fec71d06a61d66e84999978d2539afbc2522137079b0ab9a337ce849300fd8d408511e29d0d1cfcf07fd1404ab23f9fe54a5e0a8c756c857

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d8398916594e3c914b1e2ccb34d96dd
SHA1 660c31a0cf53805abf2048e49de8136e8d09377b
SHA256 30fc7d658a2cf321e9aeed59ed316a233ccbdf629331bf65262b34c739f4175a
SHA512 0c6fde43ba4680f0e8fb8ddd49a2914b8e7c4483488931de30eeb1c046ac950ba5d72a9ac15b4dc25ef3b149042c9ba44aa3b00ada9889dad9c3c2847d0b70c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e92754e2a6db16901363607c6cb66ef
SHA1 5ed7cc3a544499b2bc728ce4d63944a02222b472
SHA256 a10845c9031f8949eeb7e5cc6cc8e9a1e6a129aa7e1270d7606c14eade7267f7
SHA512 8a06737e38b5d7a0e1f7312430ebe95a99fea1a6b53b800573c8fb8186e9ecec64c7e428c37e267a294cd49f95bf91a2826880e64ca26f6e8b4738417668cbe0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a94a69fb7605c3acccce99b976bb0df5
SHA1 c639af8f1dada335fc3eebbb37441db51fec5f37
SHA256 fb5bc480ddfafc6ba8da869ee6bdfbd56aabe8859be8ef755b9ba4e6e5d0b67a
SHA512 552628c50a95af4d1c72c0129e0d378e2640a728652535659e1d494aa2a5f24e49a50bf3ddd19b0209bcb219d7c7b2ddf4c53e8cdcb90a4ae7465398fcaa67d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 247db592bd81bafcc0fd82a35e0fb09a
SHA1 ae19bf3ac2f4b6198763f74f32cba55b706acbc1
SHA256 b4edf3d8d37484e45eed2a295f69820f26c55b0fa5716b8836365151436b30f6
SHA512 61ec61ddebd87c644ee58bb30d4e98099997d8f0f8fa6eb18e75860d27a2f59ed0e8c8347763dec7a7b9e57b32fe3685713a0e7dd8ae659b2ffc9b0a3c400053

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d2bbece4d557460d7be49a7fc85511d
SHA1 135b04ee385931234e0fabc8bd77ef53fe712a90
SHA256 5251a13134f1adac32429439718c742ba3a45cfd9f193d5385985e35145f5ddd
SHA512 3d023c87f57110208e7bf1cfe622309e774962c6cefde37c643969464e7e170c47301bcadbbe96e4f67435d227e4da0841ea9ab533ccc3092035b89225dddf2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff39ffae25ea0c5e189b68619c6e8cdd
SHA1 f4359ae2f7df818b937983a7286ad556f9891f27
SHA256 3b6426672f883b4cb7bb332159d213d7a651f77857ebe97554211bf6e990452a
SHA512 a07fc74fe94bf541729856982300c85b8a08955a19b6e3972603f2a1f45528f76539d6bc92ca93178d6ca57d12cfe111fa3c3c4197f0624c7525ba9c4389ce13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1c5c4c97308058ed0bf46ccc0dfc6b6
SHA1 c52f668bffe841ab16126c3df2c2f3207e44c25c
SHA256 cb99503eff32ca40e2d03acbd30d7e7b53fb1f799bd17a03408468363d7c3349
SHA512 aac7ebce84dbb2ca8e6345cddfad951096bc8fdce583eaaaf87c7843eae014a40f0d8a844ddc0e34ea6c1b28276920ad299d7e0ab41ebc49969116360ef3d3ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 802bfcf8cd5f1e9426543a9d53a42ad8
SHA1 666190d4bcf35c64fe68757670647d786f988695
SHA256 4da7727f441115c4c910616a48f74dcf79a53a3b0c8dd49dba915ff22dda9a1f
SHA512 547ab5209533db5a901dbf13d7e82dce674cbed64b7c56d2e6008e88786f22a3d2105193f36e9c27fba7a107ebc440db5f7f782f8425d66b10516095a97e1646

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 277b26f2f3a5a0b7b67fd94702a5c74d
SHA1 dacbb2b3866d7101af4db4c662eaffc1774182cc
SHA256 551cfc19e59e80698f8050682e1117d0d7dc62be3afa9f4c81f4df11da058434
SHA512 31919e122901e1f23e13276b206243d80a4f86382bc12fd9830391f0746e2305a6f07c5b5863bdb76e4f39f627bfd585854374cf41a52331e2b40934f17e06d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23de74152b4a31a6e349f255673d79f4
SHA1 55b5b1c7ab43027347dff18a71fd410d5c6c2cca
SHA256 79f5da3c9c5661177a4c365378b12dad35e57876c7b7610531673bc1775fa90f
SHA512 361ab11e3810a4df219550e83ef37ee1c24217c4af44d2426c1036539cb559780348412c4b8dab9023d971291073251b7e3f4d2b0aa0c6a6be01087b677f213f

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

131s

Max time network

159s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240708-en

Max time kernel

119s

Max time network

134s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.pdb"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pdb_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.pdb C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.pdb\ = "pdb_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pdb_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pdb_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pdb_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pdb_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.pdb"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.pdb

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.pdb"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 95958f681e216acb215d032a5778267a
SHA1 889106bfbf84337d70fbb9bbe3fc4b7a02d579f1
SHA256 a6919ab4a40e456e7cf9ad453cf7a512d7d23e286b2f74469f98d3256bb1ad7e
SHA512 166e34ed214e1b51f71f915594414f74c2d851fce0c6fa38404917cad9f056ddeeaa2799f34da7b638e7db7e5bd20ff5c05940bc3817ad49f98604a06a71c19a

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

166s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.pdb"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.Wpf.pdb"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:37

Platform

win7-20240704-en

Max time kernel

117s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe"

Network

N/A

Files

memory/2756-0-0x0000000000400000-0x00000000047F6000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:37

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\CraxsRat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/2180-0-0x0000000000400000-0x00000000047F6000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win7-20240708-en

Max time kernel

121s

Max time network

133s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\GeoIPCitys.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\GeoIPCitys.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

164s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.pdb"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.pdb"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

165s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\DrakeUI.Framework.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\DrakeUI.Framework.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

164s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\GeoIPCitys.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\GeoIPCitys.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:39

Platform

win7-20240704-en

Max time kernel

122s

Max time network

138s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRuntm.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRuntm.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\HVMRuntm.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-01 16:31

Reported

2024-09-01 16:38

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

162s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\CraxsRat V7\LiveCharts.WinForms.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4216-0-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

memory/4216-1-0x00007FF88C26D000-0x00007FF88C26E000-memory.dmp

memory/4216-2-0x00007FF88C1D0000-0x00007FF88C3C5000-memory.dmp

memory/4216-3-0x00007FF88C1D0000-0x00007FF88C3C5000-memory.dmp

memory/4216-4-0x00007FF88C1D0000-0x00007FF88C3C5000-memory.dmp