Overview

Task                  Platform             Score
Overview              overview             7
Static                static               7
CrazySploit.zip       windows7-x64         7
CrazySploit.zip       windows10-2004-x64   1
CrazySploi...it.exe   windows7-x64         1
CrazySploi...it.exe   windows10-2004-x64   1
CrazySploi...ox.dll   windows7-x64         1
CrazySploi...ox.dll   windows10-2004-x64   1
CrazySploi...pi.dll   windows7-x64         1
CrazySploi...pi.dll   windows10-2004-x64   1
CrazySploi...ct.dll   windows7-x64         1
CrazySploi...ct.dll   windows10-2004-x64   7
CrazySploi...re.dll   windows7-x64         1
CrazySploi...re.dll   windows10-2004-x64   1
CrazySploi...ms.dll   windows7-x64         1
CrazySploi...ms.dll   windows10-2004-x64   1
CrazySploi...pf.dll   windows7-x64         1
CrazySploi...pf.dll   windows10-2004-x64   1
CrazySploi...x.html   windows7-x64         3
CrazySploi...x.html   windows10-2004-x64   3
CrazySploi...ain.js   windows7-x64         3
CrazySploi...ain.js   windows10-2004-x64   3
CrazySploi...bat.js   windows7-x64         3
CrazySploi...bat.js   windows10-2004-x64   3
CrazySploi...fee.js   windows7-x64         3
CrazySploi...fee.js   windows10-2004-x64   3
CrazySploi...cpp.js   windows7-x64         3
CrazySploi...cpp.js   windows10-2004-x64   3
CrazySploi...arp.js   windows7-x64         3
CrazySploi...arp.js   windows10-2004-x64   3
CrazySploi...csp.js   windows7-x64         3
CrazySploi...csp.js   windows10-2004-x64   3
CrazySploi...css.js   windows7-x64         3
CrazySploi...css.js   windows10-2004-x64   3

Task names are truncated as in the report's own listing; the full member paths are given under Behavioral tasks below. The Score column is the per-task badge the report prints next to each row.

Analysis
max time kernel: 21s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 19:22
Behavioral tasks

Task           Sample                                                     Resource
behavioral1    CrazySploit.zip                                            win7-20240903-en
behavioral2    CrazySploit.zip                                            win10v2004-20241007-en
behavioral3    CrazySploit/CrazySploit.exe                                win7-20241010-en
behavioral4    CrazySploit/CrazySploit.exe                                win10v2004-20241007-en
behavioral5    CrazySploit/FastColoredTextBox.dll                         win7-20240903-en
behavioral6    CrazySploit/FastColoredTextBox.dll                         win10v2004-20241007-en
behavioral7    CrazySploit/ForlornApi.dll                                 win7-20240903-en
behavioral8    CrazySploit/ForlornApi.dll                                 win10v2004-20241007-en
behavioral9    CrazySploit/ForlornInject.dll                              win7-20240729-en
behavioral10   CrazySploit/ForlornInject.dll                              win10v2004-20241007-en
behavioral11   CrazySploit/Microsoft.Web.WebView2.Core.dll                win7-20240903-en
behavioral12   CrazySploit/Microsoft.Web.WebView2.Core.dll                win10v2004-20241007-en
behavioral13   CrazySploit/Microsoft.Web.WebView2.WinForms.dll            win7-20240903-en
behavioral14   CrazySploit/Microsoft.Web.WebView2.WinForms.dll            win10v2004-20241007-en
behavioral15   CrazySploit/Microsoft.Web.WebView2.Wpf.dll                 win7-20240903-en
behavioral16   CrazySploit/Microsoft.Web.WebView2.Wpf.dll                 win10v2004-20241007-en
behavioral17   CrazySploit/Monaco/index.html                              win7-20240903-en
behavioral18   CrazySploit/Monaco/index.html                              win10v2004-20241007-en
behavioral19   CrazySploit/Monaco/vs/base/worker/workerMain.js            win7-20240903-en
behavioral20   CrazySploit/Monaco/vs/base/worker/workerMain.js            win10v2004-20241007-en
behavioral21   CrazySploit/Monaco/vs/basic-languages/bat/bat.js           win7-20241010-en
behavioral22   CrazySploit/Monaco/vs/basic-languages/bat/bat.js           win10v2004-20241007-en
behavioral23   CrazySploit/Monaco/vs/basic-languages/coffee/coffee.js     win7-20240729-en
behavioral24   CrazySploit/Monaco/vs/basic-languages/coffee/coffee.js     win10v2004-20241007-en
behavioral25   CrazySploit/Monaco/vs/basic-languages/cpp/cpp.js           win7-20240903-en
behavioral26   CrazySploit/Monaco/vs/basic-languages/cpp/cpp.js           win10v2004-20241007-en
behavioral27   CrazySploit/Monaco/vs/basic-languages/csharp/csharp.js     win7-20240708-en
behavioral28   CrazySploit/Monaco/vs/basic-languages/csharp/csharp.js     win10v2004-20241007-en
behavioral29   CrazySploit/Monaco/vs/basic-languages/csp/csp.js           win7-20241010-en
behavioral30   CrazySploit/Monaco/vs/basic-languages/csp/csp.js           win10v2004-20241007-en
behavioral31   CrazySploit/Monaco/vs/basic-languages/css/css.js           win7-20240903-en
behavioral32   CrazySploit/Monaco/vs/basic-languages/css/css.js           win10v2004-20241007-en

Tasks 3 to 32 are the individual members of the archive, each detonated once on Windows 7 and once on Windows 10. The Analysis block above and every section that follows (General, Signatures, Processes, Downloads) belong to task behavioral1: the archive itself, opened on windows7_x64 with resource win7-20240903-en.
General

Target: CrazySploit.zip
Size: 8.2MB
MD5: 6851b0717dfdac6d04d5fd2acc026092
SHA1: 88da1a3ae244d261959aa239de99ee39c4c96482
SHA256: 3c328e9f25a277e022237b0d45d18479fa5db72c4031cc0135cb33f57e3121b2
SHA512: 69f604f87080eb2407d7b6b628191005ed0ad17fd4dd769367ebb9170dd4bf1e3da5f1b8ced31919df628e10f66e2056fd57404f9926dfd0d822c7e2d630802d
SSDEEP: 196608:DqSM6An/yKmxkGXMcmzlf1DplqChiHbdkdVt:DqZhayGX4fdC5kt
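Before relying on anything in this report, confirm that the file on your own disk is the one it describes. The following Python is an added example by the editor, not part of the report or of the CrazySploit project: it computes all four digests in a single pass over the file and compares them with the values printed in the General section (copied into REPORT_HASHES). The SSDEEP value is a fuzzy hash that hashlib cannot compute, so it is not checked here; the sample bytes used in testing are constructed stand-ins and will not match the report.

```python
"""Verify a local file against the digests printed in a sandbox report.

Added example by the editor, not part of the report or of CrazySploit.
REPORT_HASHES is copied from the report's General section; the ssdeep
value is a fuzzy hash that hashlib cannot produce, so it is not checked.
"""
import hashlib
import sys

REPORT_HASHES = {
    "md5": "6851b0717dfdac6d04d5fd2acc026092",
    "sha1": "88da1a3ae244d261959aa239de99ee39c4c96482",
    "sha256": "3c328e9f25a277e022237b0d45d18479fa5db72c4031cc0135cb33f57e3121b2",
    "sha512": "69f604f87080eb2407d7b6b628191005ed0ad17fd4dd769367ebb9170dd4bf1e3da5f1b8ced31919df628e10f66e2056fd57404f9926dfd0d822c7e2d630802d",
}


def digest_chunks(chunks, algos=("md5", "sha1", "sha256", "sha512")):
    """Feed every chunk to every hasher: one pass over the data, all digests at once."""
    hashers = {name: hashlib.new(name) for name in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so an 8 MB (or 8 GB) sample is never held in memory whole."""
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""))


def compare(computed, reported):
    """Per-algorithm verdict: True/False per digest, None for algorithms we cannot compute.

    Report values are normalised (case, stray whitespace) because they are
    usually copied out of a web page."""
    verdict = {}
    for name, value in reported.items():
        expected = "".join(value.split()).lower()
        verdict[name] = (computed.get(name) == expected) if name in computed else None
    return verdict


def same_artifact(verdict):
    """True only if every digest that could be checked matched.

    Treat any mismatch as 'this is a different file' (or a mis-copied hash);
    one agreeing MD5 beside a disagreeing SHA-256 is not a partial match."""
    checked = [v for v in verdict.values() if v is not None]
    return bool(checked) and all(checked)


if __name__ == "__main__":
    # Usage: python verify_hashes.py /path/to/CrazySploit.zip
    result = compare(digest_file(sys.argv[1]), REPORT_HASHES)
    print(result, "MATCH" if same_artifact(result) else "MISMATCH")
```

If only the MD5 or SHA1 matches while SHA-256 and SHA-512 do not, the report is not describing your file; those two older digests are printed for lookup compatibility, not as evidence.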
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID    Process
  1728   CrazySploit.exe
  2616   CrazySploit.exe

Loads dropped DLL (12 IoCs)
  PID    Process
  2496   7zFM.exe
  1044   WerFault.exe (5 entries)
  2496   7zFM.exe
  484    WerFault.exe (5 entries)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID    Process
  2496   7zFM.exe (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID    Process
  2496   7zFM.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token                  PID    Process
  SeRestorePrivilege     2496   7zFM.exe
  35                     2496   7zFM.exe
  SeSecurityPrivilege    2496   7zFM.exe (3 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID    Process
  2496   7zFM.exe (4 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                         PID    Process           procid_target
  PID 2496 wrote to memory of 1728    2496   7zFM.exe          30 (3 entries)
  PID 1728 wrote to memory of 1044    1728   CrazySploit.exe   31 (3 entries)
  PID 2496 wrote to memory of 2616    2496   7zFM.exe          33 (3 entries)
  PID 2616 wrote to memory of 484     2616   CrazySploit.exe   34 (3 entries)

Reading the signatures: every "Suspicious ..." entry fires on PID 2496, which is the sandbox's own 7-Zip File Manager opening the submitted archive. Enumerating processes, locating the shell tray window and enabling SeRestorePrivilege and SeSecurityPrivilege are routine for 7-Zip extracting files; the unnamed token value 35 is the well-known LUID of SeCreateSymbolicLinkPrivilege, which the sandbox did not resolve to a name. The only entries attributed to the sample are "Executes dropped EXE" (the extracted CrazySploit.exe ran twice) and the WriteProcessMemory entries from PIDs 1728 and 2616, and those target their own WerFault.exe children (1044 and 484): they are the writes a parent makes when creating a child process, not injection into an unrelated process. The procid_target column is the sandbox's internal process index, not a Windows PID.
Processes (task behavioral1, windows7_x64; indentation shows parent and child)

[PID 2496] C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CrazySploit.zip"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

  [PID 1728] C:\Users\Admin\AppData\Local\Temp\7zO0C98E296\CrazySploit.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO0C98E296\CrazySploit.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    [PID 1044] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1728 -s 604
      Signatures: Loads dropped DLL

  [PID 2616] C:\Users\Admin\AppData\Local\Temp\7zO0C9F86F6\CrazySploit.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO0C9F86F6\CrazySploit.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    [PID 484] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2616 -s 604
      Signatures: Loads dropped DLL

Reading the tree: the sandbox opened the archive in 7-Zip File Manager and launched CrazySploit.exe twice, each time from a fresh 7-Zip temporary extraction folder (%TEMP%\7zO<hex>\), which is why the executable is counted as a "dropped" EXE. Each launch is immediately followed by WerFault.exe -u -p <pid> -s <handle>, the Windows Error Reporting invocation for a faulting user-mode process, so CrazySploit.exe crashed both times shortly after starting (the whole run lasted 21 seconds of kernel time). This run therefore says almost nothing about what the program does when it works: the "Loads dropped DLL" hits on WerFault.exe are a side effect of the crash handler working on the faulting process's modules, not evidence of the bundled DLLs executing their own code. A conclusive verdict needs the behavioral3/behavioral4 tasks (the EXE run directly, with its DLLs alongside) or a manual run with the crash cause identified.
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 111KB
MD5: fac0416670ee810931a717d98e1fbba1
SHA1: 610329b747fed064e226a09f853a4d98d2fc3b7a
SHA256: 1c00136793f09fd4b75b5ae077bcf4e220873cbbc1a650cf4eb88f9f2da0f2f8
SHA512: 2110468425f9488fd276aab48960dd7746c95b0b8ee47db29ec6c975f1b9cfdde5c19e80dd69c6d9f8039bae1f1eaeb1794e69600d9ddbd43b8fb934dab0e364

These digests differ from those of the submitted 8.2MB archive, so this is a separate 111KB artifact collected during the run; the report does not say which file it is, so do not assume it is CrazySploit.exe without hashing the extracted member yourself.