Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    07-12-2024 01:38

General

  • Target

    crak.exe

  • Size

    785KB

  • MD5

    dfc6ae92052a49de0002b32f380c06cd

  • SHA1

    f8e70b1d068bba9897f5e6176a8b41317ee9291f

  • SHA256

    8700a1371346e810a89948dc80b65122bb1f677b9d88339785a066936e734e32

  • SHA512

    811699fb9598382b866cd12f8cb933ff000f1dc61d38a7c3b15306c14cc0e0a604f92f66792192507caa2fd868cb57e0adade5f4af4d53c9bfafbaf1fa548066

  • SSDEEP

    12288:GMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9CVAs:GnsJ39LyjbJkQFMhmC+6GD9Cd

Malware Config

Extracted

Family

xworm

Version

5.0

C2

youth-latex.gl.at.ply.gg:56149

Mutex

m78oMduNeAzz7M6C

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
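
The two extracted configs above are the most directly actionable part of the report, but not all of the values are equally safe to block: xred.mooo.com, xred.site50.net and the ply.gg tunnel hostname are dedicated to the malware, while docs.google.com, www.dropbox.com and freedns.afraid.org are shared services where only the exact URL (or the file id in it) is a usable indicator. The following script is an added example written for this page, not code from the sandbox or from either malware family. The indicator values are copied from the Malware Config section and embedded as constructed input; the SHARED_SERVICES set and the "host" versus "url" fidelity split are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: turns the two extracted
configs above into network indicators with a fidelity label. Indicator values
are copied from the Malware Config section; the split between dedicated
attacker hosts and shared services (where only the full URL is a usable
indicator) is this example's own assumption."""
from urllib.parse import urlsplit

# Values from the extracted configs (constructed input for this example).
XWORM_C2 = ["youth-latex.gl.at.ply.gg:56149"]
XRED_C2 = ["xred.mooo.com"]
XRED_PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Assumption: hosts that legitimate traffic also uses, so blocking the host
# would cause collateral damage; alert on the exact URL instead.
SHARED_SERVICES = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def split_hostport(value, default_port=None):
    """'host:port' -> (host, port); port falls back to default_port."""
    host, _, port = value.partition(":")
    return host, (int(port) if port else default_port)


def indicators(xworm_c2=XWORM_C2, xred_c2=XRED_C2, payload_urls=XRED_PAYLOAD_URLS):
    """Normalise the config values into indicator records."""
    out = []
    for family, values in (("xworm", xworm_c2), ("xred", xred_c2)):
        for value in values:
            host, port = split_hostport(value)
            out.append({"family": family, "type": "c2", "host": host,
                        "port": port, "value": value, "fidelity": "host"})
    for url in payload_urls:
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        shared = u.hostname in SHARED_SERVICES
        out.append({"family": "xred", "type": "payload_url", "host": u.hostname,
                    "port": port, "value": url,
                    "fidelity": "url" if shared else "host"})
    return out


def blockable_hosts(inds):
    """Hosts safe to block outright (dedicated to the malware)."""
    return sorted({i["host"] for i in inds if i["fidelity"] == "host"})


def url_only_indicators(inds):
    """Full URLs on shared services: match these exactly in proxy/DNS logs."""
    return [i["value"] for i in inds if i["fidelity"] == "url"]


if __name__ == "__main__":
    inds = indicators()
    print("block:", blockable_hosts(inds))
    print("watch:", url_only_indicators(inds))
```

Run as-is it yields three blockable hosts and seven URL-only indicators; the xred C2 entry carries no port, so the port stays None unless a default is supplied, which is deliberate because the report gives none.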

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\crak.exe
    "C:\Users\Admin\AppData\Local\Temp\crak.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\._cache_crak.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_crak.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_crak.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_crak.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boost'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boost'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4420
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\Admin\AppData\Roaming\boost"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2876
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "boost"
        3⤵
        PID:3480
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2392
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4068
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4092
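
The process tree above is a compact detection corpus: four PowerShell children of ._cache_crak.exe add Defender exclusions (two of them excluding the very process that spawned PowerShell), schtasks creates a task named "boost" that runs every minute with highest run level from C:\Users\Admin\AppData\Roaming\boost and is then deleted, and cmd.exe runs a tmp*.tmp.bat whose child is timeout 3. Note that the observed task target is the extensionless file boost under Roaming, whereas the extracted XWorm config names USB.exe as install_file, so a rule keyed on a fixed filename would miss this run. The script below is an added example written for this page, not code from the sandbox or from the malware: it embeds the command lines from the Processes section as constructed input and runs rules over them. The rule names, the "every N minutes" threshold, and the parent-exclusion and create-then-delete correlations are this example's own choices, not sandbox signatures.

```python
"""Added example (not part of the sandbox report): turn the process tree above
into detections. The command lines are copied from the Processes section and
embedded as constructed input; rule names, thresholds and the correlations
(parent self-exclusion, task created then deleted) are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\System32\schtasks.exe"
CMD = r"C:\Windows\system32\cmd.exe"
CRAK = r"C:\Users\Admin\AppData\Local\Temp\crak.exe"
CACHE = r"C:\Users\Admin\AppData\Local\Temp\._cache_crak.exe"
BOOST = r"C:\Users\Admin\AppData\Roaming\boost"
BAT = r"C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp.bat"
SYN = r"C:\ProgramData\Synaptics\Synaptics.exe"


def _ps(args):
    """PowerShell invocation exactly as the report shows it."""
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed input: (pid, parent pid, image, command line) per the report.
PROCESS_TREE = [
    (4900, 0, CRAK, f'"{CRAK}"'),
    (3448, 4900, CACHE, f'"{CACHE}"'),
    (468, 3448, PS, _ps(f"Add-MpPreference -ExclusionPath '{CACHE}'")),
    (4224, 3448, PS, _ps("Add-MpPreference -ExclusionProcess '._cache_crak.exe'")),
    (4376, 3448, PS, _ps(f"Add-MpPreference -ExclusionPath '{BOOST}'")),
    (4420, 3448, PS, _ps("Add-MpPreference -ExclusionProcess 'boost'")),
    (2876, 3448, ST, f'"{ST}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "{BOOST}"'),
    (3480, 3448, ST, f'"{ST}" /delete /f /tn "boost"'),
    (3592, 3448, CMD, f'{CMD} /c ""{BAT}""'),
    (2392, 3592, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    (4068, 4900, SYN, f'"{SYN}" InjUpdate'),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+['\"]([^'\"]+)['\"]", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
TMP_BAT_RE = re.compile(r"\\Temp\\tmp[0-9A-F]+\.tmp\.bat", re.I)


def schtasks_args(cmdline):
    """Map /switch -> value for a schtasks command line (keys lower-cased;
    switches without a value, such as /create or /f, map to "")."""
    args = {}
    for m in re.finditer(r'/(\w+)(?:\s+("[^"]*"|[^/\s"]\S*))?', cmdline):
        args[m.group(1).lower()] = (m.group(2) or "").strip('"')
    return args


def analyze(tree):
    """Run the rules over a process tree and return the findings."""
    image_of = {pid: image for pid, _, image, _ in tree}
    findings, created, deleted = [], {}, {}
    for pid, ppid, image, cmdline in tree:
        base = image.lower().rsplit("\\", 1)[-1]
        if base == "powershell.exe":
            parent = image_of.get(ppid, "").lower()
            for kind, value in EXCLUSION_RE.findall(cmdline):
                findings.append(Finding("DefenderExclusionAdded", pid, f"{kind}={value}"))
                # Correlation: the excluded path/process is the parent that spawned PowerShell.
                if value.lower() in (parent, parent.rsplit("\\", 1)[-1]):
                    findings.append(Finding("DefenderExclusionOfParent", pid,
                                            f"{kind}={value} parent={ppid}"))
        elif base == "schtasks.exe":
            a = schtasks_args(cmdline)
            if "create" in a:
                created[a.get("tn", "")] = pid
                reasons = []
                if a.get("rl", "").upper() == "HIGHEST":
                    reasons.append("RL=HIGHEST")
                if a.get("sc", "").lower() == "minute" and a.get("mo", "").isdigit() and int(a["mo"]) <= 5:
                    reasons.append(f"every {a['mo']} min")
                if USER_WRITABLE_RE.search(a.get("tr", "")):
                    reasons.append("target in user-writable path")
                if reasons:
                    findings.append(Finding("SuspiciousScheduledTask", pid,
                                            f"tn={a.get('tn')} " + ", ".join(reasons)))
            elif "delete" in a:
                deleted[a.get("tn", "")] = pid
        elif base == "cmd.exe" and TMP_BAT_RE.search(cmdline):
            findings.append(Finding("TempBatchViaCmd", pid, TMP_BAT_RE.search(cmdline).group(0)))
        elif base == "timeout.exe":
            findings.append(Finding("ExecutionDelay", pid, cmdline.strip()))
    # Correlation: a task created and deleted within the same tree.
    for name in created.keys() & deleted.keys():
        findings.append(Finding("ScheduledTaskCreatedThenDeleted", deleted[name],
                                f"tn={name} created_by={created[name]}"))
    return findings


def summarize(findings):
    """Rule name -> number of hits."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyze(PROCESS_TREE):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
    print(summarize(analyze(PROCESS_TREE)))
```

On the report's tree this yields ten findings: four DefenderExclusionAdded (PIDs 468, 4224, 4376, 4420), of which 468 and 4224 also fire DefenderExclusionOfParent because they exclude ._cache_crak.exe, one SuspiciousScheduledTask for PID 2876, one ScheduledTaskCreatedThenDeleted for "boost", one TempBatchViaCmd and one ExecutionDelay. In a real pipeline the same rules apply to Sysmon event 1 or EDR process-creation records; the parent-exclusion correlation is the highest-signal one here because legitimate administrators do not exclude the process that is running the exclusion command.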

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe

      Filesize

      744KB

      MD5

      0b69d6b81991e2bcc2ced1e66f5cd38a

      SHA1

      e03d8773a6946d5ef8275c29ebcd561f439a613a

      SHA256

      f6faf619046b3314e60a9fe2015a78533d7e82d850c0dc3993ea97488bae632e

      SHA512

      8b517cecb59c4f979807cb7b0bd4e9663aab1e111ea3823e1fc54c4086cc603440efd0e96672d32da950c1c67faf78260b914db7553ba0e3ad232fbcbbed604f

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      0b8cf01605eeab6a2d2ad054db8a9b0a

      SHA1

      a59ede31be83b7096b8fe5cb9f91e9aa88017fc0

      SHA256

      bd0cd35ebfb6a65dc4363d958c7b48afcf1a290bbab8416f443d66099f2d7bf3

      SHA512

      e86324c7e6e3be16999bee30804981439107446c8c4acf5d5a004d835c5ccb6a17c55d1aaab889d7121c19cc83cc0190504d221cc2881444243dc680e0a0239e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      1ced9356586ace87eebc71d9f626cb66

      SHA1

      a02b5623969f19f2e485173916b9c495f2af6317

      SHA256

      b71eb4469230e163975d34711640cddc052983e855ec25e5282b03da45300694

      SHA512

      afc6308ac0016f5c08b42bfdf90c8130bbfc861b05e372464d0c94354bf65c88caf12047cb6ff59e973b61713623eadde568860e1633118846aac2b7973f6dca

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      85e8121ba94480e293a66423841d414c

      SHA1

      4b2ccb305a86cc40082aca8e87e8f205347a456e

      SHA256

      ed29479ad5ba86b59f0088cebdb845862ad4cffc96ece1f4ff7de8e511fc5c17

      SHA512

      c9922c941f26be1f63ccb00106cc8b3e2025fc176e7a4f099a008fe3f89afebd6a1e99b73b3dd322c3b26a0aece60091ea48e433a1df586aa4fcda5cf666b692

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      62d45f8f974817a53ad5c01f5250f3a2

      SHA1

      46f3003dc53f2bfe14452c163731fce0c8b956ab

      SHA256

      7ff14fc3d0747210aba09bc5fe6ed44deddc71eb27f8ffca6cb0037da1d8ba2b

      SHA512

      8e173951abbdf817bbced502f126d436bf9610e9250102a279a6434f0fc279928ef623f0aad88c6c712800d28b4d8c12611baf81281c0c43aaa3e267323de605

    • C:\Users\Admin\AppData\Local\Temp\._cache_crak.exe

      Filesize

      40KB

      MD5

      0dc3261f2fd9b3e49149fb9a3cb95920

      SHA1

      5b7e1457c30d7e0571e54c962523db847995e198

      SHA256

      ddf493558334dac380b872a06a68490b4bbf9fc114a7b9f98f575d8abebed167

      SHA512

      5fd590c55e91ad90287d20ce2befa8521d4aa775e1aef6888a0739890969e7c7b8ef22f456e264dcbf29d5c059592aaca58688b7a51ff17af9e2f81bbd091ef1

    • C:\Users\Admin\AppData\Local\Temp\21A75E00

      Filesize

      24KB

      MD5

      decc20110228da18caacccedcd40a169

      SHA1

      c1c9bcadbc7434218b8a394ea1ccb8d72669f0e2

      SHA256

      0b5fc8b1bdd8c16d3435c31f60a429e1654cdd63ec87d522d9eeddbd86581b8a

      SHA512

      20c4bfb8b4c223037d83a65adec139cbd1f49ecbc7751c79d3ab235d4dc11910dea867274e08f92840fd87293671ba04c1e7647d89f2ff2878814ed49ee8f7e4

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxhxvt0s.oeb.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp.bat

      Filesize

      164B

      MD5

      89af21bdd3086bf7e5c2b2cda1516fbb

      SHA1

      a5aeb829ff8ee99bd90db36710d0bc8fb2782ee9

      SHA256

      7d285ff5d7e24e3b8691509575ff885768a2f3a391c88c237e6d443037f4505d

      SHA512

      6eae89cd1032848556de1f085b5ce8ca351ab441df4593c3e8f51c7024d505b9018d76a2641db8339e31991e18f562615ce0f54d328fa13c03caf9efc7a7cb0c

    • C:\Users\Admin\AppData\Local\Temp\xw7cjXDn.xlsm

      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    • memory/468-188-0x0000022AFABB0000-0x0000022AFABD2000-memory.dmp

      Filesize

      136KB

    • memory/3448-69-0x00000000006A0000-0x00000000006B0000-memory.dmp

      Filesize

      64KB

    • memory/3448-67-0x00007FF98E193000-0x00007FF98E195000-memory.dmp

      Filesize

      8KB

    • memory/3448-237-0x000000001B3F0000-0x000000001B3FC000-memory.dmp

      Filesize

      48KB

    • memory/3448-235-0x000000001B360000-0x000000001B370000-memory.dmp

      Filesize

      64KB

    • memory/3448-229-0x00007FF98E193000-0x00007FF98E195000-memory.dmp

      Filesize

      8KB

    • memory/3448-228-0x000000001B360000-0x000000001B370000-memory.dmp

      Filesize

      64KB

    • memory/4068-270-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4068-231-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4068-230-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

    • memory/4068-131-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

    • memory/4092-133-0x00007FF96C4D0000-0x00007FF96C4E0000-memory.dmp

      Filesize

      64KB

    • memory/4092-132-0x00007FF96C4D0000-0x00007FF96C4E0000-memory.dmp

      Filesize

      64KB

    • memory/4092-134-0x00007FF96C4D0000-0x00007FF96C4E0000-memory.dmp

      Filesize

      64KB

    • memory/4092-135-0x00007FF96C4D0000-0x00007FF96C4E0000-memory.dmp

      Filesize

      64KB

    • memory/4092-138-0x00007FF969DF0000-0x00007FF969E00000-memory.dmp

      Filesize

      64KB

    • memory/4092-137-0x00007FF969DF0000-0x00007FF969E00000-memory.dmp

      Filesize

      64KB

    • memory/4092-136-0x00007FF96C4D0000-0x00007FF96C4E0000-memory.dmp

      Filesize

      64KB

    • memory/4900-130-0x0000000000400000-0x00000000004CA000-memory.dmp

      Filesize

      808KB

    • memory/4900-0-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB