Overview

overview

10

Static

static

10

Crocodile ...65.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    44s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Crocodile H New Vs 65.exe

  • Size

    8.1MB

  • MD5

    036c7fa8e5c2fd6fd96940cb00681cc4

  • SHA1

    2ba284973a9156e08c4269ba4836a3464c7d890f

  • SHA256

    8123553007e58a54ee4993af776c4db44aadc7ffe69236200a458f95829afed4

  • SHA512

    264dd6924c51e8ea9cf08cb4ac60a5512b9053a95b73a80beeb8efe5bbadb4535d329ca0d0ea57eebb55b62801c07f8d30a79437e46b7a9007e3916232201e93

  • SSDEEP

    196608:qS11aazz+XwPi5MIH/TStWGH/TStWu/1Y2S1lW:qS11aOwHnGHnu/S2wE

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Crocodile H New Vs 65.exe
    "C:\Users\Admin\AppData\Local\Temp\Crocodile H New Vs 65.exe"
    1⤵
    • Checks computer location settings
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe
      "C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\Gaming.exe
        "C:\Users\Admin\AppData\Local\Temp\Gaming.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
      • C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe
        "C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Users\Admin\AppData\Local\Temp\3.EXE
          "C:\Users\Admin\AppData\Local\Temp\3.EXE"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Users\Admin\AppData\Local\Temp\wincheon64.exe
            "C:\Users\Admin\AppData\Local\Temp\wincheon64.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\wincheon64.exe" "wincheon64.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:720
        • C:\Users\Admin\AppData\Local\Temp\4.EXE
          "C:\Users\Admin\AppData\Local\Temp\4.EXE"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3616
          • C:\Users\Admin\AppData\Local\Temp\1.EXE
            "C:\Users\Admin\AppData\Local\Temp\1.EXE"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1372
            • C:\Users\Admin\AppData\Local\Temp\svchots.exe
              "C:\Users\Admin\AppData\Local\Temp\svchots.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4360
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchots.exe" "svchots.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:3784
          • C:\Users\Admin\AppData\Local\Temp\2.EXE
            "C:\Users\Admin\AppData\Local\Temp\2.EXE"
            5⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe
              "C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2468
            • C:\Windows\SysWOW64\attrib.exe
              attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:1628
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\e3f4d13881504c79bc1108378a5406e9 /t 3552 /p 4148
    1⤵
      PID:4800

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.EXE
      Filesize

      37KB

      MD5

      c6a973c4f6ea4969cae1c41d25c5d78c

      SHA1

      12efa1281e57437119df3c8488cd4daadabc80c3

      SHA256

      5a93d1082d4fa0b442f3bf42066a22cdba8f32f2d50dbc1dd9f4db81fa73b496

      SHA512

      4d03fb5bdf9cf340b0a6809858f8da2d0e834f58cfb2182828e16b9a5faae5aeae154c5f7643298e54b3f0e1b8f33265bad82191b9a58bc3dadf3d4f99adb25e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2.EXE
      Filesize

      27KB

      MD5

      a5d943b57ae77aab0788d29333ab1227

      SHA1

      4d94e5d4ec4822f4562042216e614c3dddf447c1

      SHA256

      2b7eb9a069471b3547adbfcb21c0d76424ba07b5a556693e377bd72223447b6f

      SHA512

      d46dc2c74679c33d0a981b297e24a142393ce06e063cd2a859b375beb0d5b0fa134ca3241bdbc01f77f02ad85ac3cf697bed640cb708449051c855412b9fce0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3.EXE
      Filesize

      32KB

      MD5

      4f5d50f723896266e70dbb5a0e72ff21

      SHA1

      d3b1fe30f1baaf9e1d34baeb3eaf75619129e490

      SHA256

      83ed6bee9f71403ad9f43b467b99205230e043833a3d014964e79e603613879d

      SHA512

      a8e7ae8aa0a03ccf82be1a58595a17642c8045cf9886266f74ca72b8a23485e9e011ec2018fc9ebd6a9f5c69c5583cc6951ef3320d87037d5f2a8ebc2e6a16e6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4.EXE
      Filesize

      117KB

      MD5

      89514d6d4e78ab9f33f24f99ea3b1361

      SHA1

      5e055754b253e2814a1d081a66236b583d982a8b

      SHA256

      8da8b662e1e221793959653c7fb940e2313e5cab2325a3dd7392380924f6129a

      SHA512

      c81f102c4579ad0f27dfcb60aacd22f351f13f988e4a8080092edb64cef9b4006298e94ce55f6d5cff0aef07e5eb7fa2a6c981b8023f9f1827df387d497f7fb9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe
      Filesize

      2.1MB

      MD5

      149f649f898409182fcad1ef424ca4cf

      SHA1

      89098a69e94ed941385bc2ebf00cd8d3c4e47450

      SHA256

      f5df17fe1d42b1bcb04578bc05f1ae9787d12ebb5c18cf4df18c861120be0532

      SHA512

      3dbba29127add72bf5e4f3c7ef5e24d4f693d67b28b2650b0a2364a17274fc0967387ca860ec5d619e40c884b54af41fb9c54425e2aaaa4e3e7555d998ce9a06

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe
      Filesize

      202KB

      MD5

      90de032c5bc78043531d08ed1bf8ec19

      SHA1

      edd41ecf58e32c3f57ba90ee2fcf3d0e4a9c2cf1

      SHA256

      98df5e2377549819b17759d05406f3c97711a76836aa2bf427ef08045b5ef80d

      SHA512

      5ec5e7a4c35312bf7be5a3353aab857e98c7c0d68188a0b488574027236d1c14118924d500d82d11814c59f85d572226da71620d818d1df49eac95dac080ed8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Gaming.exe
      Filesize

      1.5MB

      MD5

      205604c1ca8e135124962cd5a04b3ca9

      SHA1

      1d4816032549ad0d2e64d95a873034a80ef3744b

      SHA256

      b95b972f8212de7598ec32e544b5689c6f9b4beef8c2fdc41b5ca5a7b11e3ce8

      SHA512

      69c189b597ce3ad37aad873f224faa439c085cb7af3594cedcdbe0100d41ec4f61c2eb161e698cacdacb5d198e388b1896a5f4b8250ee910690c6cc53f14cdf6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrowin3285550.lnk
      Filesize

      1KB

      MD5

      8b923937d1f15db15d9f5e42c44981c3

      SHA1

      5fb45e54abf04163530c4a5b9b4cc6ddf9acf2fb

      SHA256

      a36380b0e1564397600ac696765b448a3f1abde8f77e6527e361e54cc248d3c7

      SHA512

      055d4c377f12bdeb29df067c421416971e588e5229eebd02ce6de51fcb85001a0769e28bb0fedde39a4604a50961f162680a718741ca83a57ea9e98720f301df

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Chrowin3285550.lnk
      Filesize

      1KB

      MD5

      bebe54f3b334424772998875d368bf3e

      SHA1

      e8f24df92c8fe2ec2302ec59af1f3b9b97dc1892

      SHA256

      ca9495f90ab8f51e7c142e3de3571bf9e8335e463424bbde3047a5301cfe369d

      SHA512

      5a0195ed95b243f7dd11ba204bccd00c9c7c832095f76b3974d92ac4a0a4ad8e82d12ac28d913bcdf738d651b876a9d76f2330b94a32f584ef9f228fb209a233

      Download Submit

    • memory/3132-60-0x00000000052E0000-0x000000000537C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3132-68-0x0000000005930000-0x0000000005ED4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3132-96-0x00000000055D0000-0x0000000005626000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3132-81-0x0000000005380000-0x0000000005412000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3132-59-0x0000000000750000-0x00000000008D8000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3132-83-0x0000000005280000-0x000000000528A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3452-31-0x00000000746C2000-0x00000000746C3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3452-32-0x00000000746C0000-0x0000000074C71000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3452-58-0x00000000746C0000-0x0000000074C71000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3452-35-0x00000000746C0000-0x0000000074C71000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4148-9-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-38-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-33-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-34-0x00007FFB5BDE5000-0x00007FFB5BDE6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4148-11-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-10-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-0-0x00007FFB5BDE5000-0x00007FFB5BDE6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4148-8-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-7-0x000000001D530000-0x000000001D57C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4148-82-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-6-0x0000000002110000-0x0000000002118000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4148-5-0x000000001D280000-0x000000001D31C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4148-4-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-3-0x000000001CCC0000-0x000000001D18E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4148-102-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-2-0x00007FFB5BB30000-0x00007FFB5C4D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4148-1-0x000000001C740000-0x000000001C7E6000-memory.dmp

      Filesize

      664KB

      Download