Analysis
-
max time kernel
32s -
max time network
33s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system -
submitted
26/12/2024, 20:36
Static task
static1
Behavioral task
behavioral1
Sample
CraxsRat.exe
Resource
win10ltsc2021-20241211-en
General
-
Target
CraxsRat.exe
-
Size
74KB
-
MD5
4ede52da0203635e6710c5c2d342e9a2
-
SHA1
85543afb17c7b8d5372e37fe436f8f1713535496
-
SHA256
407811722d5d33124ac105789ae08fc00e50173292d90766b633babfa8243a05
-
SHA512
d01509d737f6b6d4af14747bb8dc58f7225b91b6ca94204b9cae6ec30f8d4b7cfb944702da622cb1e4ede7aca20cb9c3adccb73b46144abe7676ae370e944f1d
-
SSDEEP
768:CXnupU7ZFwUkBZq+OjCoPPupelf8/F1xlM5U+sarzcoODlXhwRyfIY63hGukQ7zp:8uBBZzOjOpGf893wE5h4yfIeYlww
Malware Config
Extracted
xworm
szqdzaa-22376.portmap.host:22376
-
Install_directory
%AppData%
-
install_file
SecurityHealthSystray.exe
-
telegram
https://api.telegram.org/bot6452802278:AAHjSHCysYxHacEO8AgYopBedWCYBDBhX5I/sendMessage?chat_id=5355197127
Extracted
gurcu
https://api.telegram.org/bot6452802278:AAHjSHCysYxHacEO8AgYopBedWCYBDBhX5I/sendMessage?chat_id=5355197127
Signatures
-
Detect Xworm Payload 2 IoCs
resource  yara_rule
behavioral1/files/0x00290000000460ed-6.dat  family_xworm
behavioral1/memory/2472-19-0x00000000001D0000-0x00000000001F4000-memory.dmp  family_xworm
-
Gurcu family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource  yara_rule
behavioral1/memory/2472-75-0x000000001F560000-0x000000001F680000-memory.dmp  family_stormkitty
-
Stormkitty family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2976  powershell.exe
3004  powershell.exe
2052  powershell.exe
3512  powershell.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation  CraxsRat.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation  SecurityHealthSystray.exe
-
Drops startup file 2 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk  SecurityHealthSystray.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk  SecurityHealthSystray.exe
-
Executes dropped EXE 1 IoCs
pid   Process
2472  SecurityHealthSystray.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray.exe"  SecurityHealthSystray.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid  Process
404  timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
928  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid   Process
2976  powershell.exe
2976  powershell.exe
3004  powershell.exe
3004  powershell.exe
2052  powershell.exe
2052  powershell.exe
3512  powershell.exe
3512  powershell.exe
2472  SecurityHealthSystray.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
pid 2472 SecurityHealthSystray.exe: Token: SeDebugPrivilege
pid 2976 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 3004 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2052 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2472  SecurityHealthSystray.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
description  pid  Process  procid_target
PID 2012 wrote to memory of 2472  2012  CraxsRat.exe  82
PID 2012 wrote to memory of 2472  2012  CraxsRat.exe  82
PID 2472 wrote to memory of 2976  2472  SecurityHealthSystray.exe  87
PID 2472 wrote to memory of 2976  2472  SecurityHealthSystray.exe  87
PID 2472 wrote to memory of 3004  2472  SecurityHealthSystray.exe  90
PID 2472 wrote to memory of 3004  2472  SecurityHealthSystray.exe  90
PID 2472 wrote to memory of 2052  2472  SecurityHealthSystray.exe  93
PID 2472 wrote to memory of 2052  2472  SecurityHealthSystray.exe  93
PID 2472 wrote to memory of 3512  2472  SecurityHealthSystray.exe  95
PID 2472 wrote to memory of 3512  2472  SecurityHealthSystray.exe  95
PID 2472 wrote to memory of 928  2472  SecurityHealthSystray.exe  99
PID 2472 wrote to memory of 928  2472  SecurityHealthSystray.exe  99
PID 2472 wrote to memory of 2820  2472  SecurityHealthSystray.exe  103
PID 2472 wrote to memory of 2820  2472  SecurityHealthSystray.exe  103
PID 2472 wrote to memory of 920  2472  SecurityHealthSystray.exe  105
PID 2472 wrote to memory of 920  2472  SecurityHealthSystray.exe  105
PID 920 wrote to memory of 404  920  cmd.exe  107
PID 920 wrote to memory of 404  920  cmd.exe  107
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe
    "C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 2012
  [2] C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2472
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2976
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3004
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2052
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        PID: 3512
    [3] C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        - Scheduled Task/Job: Scheduled Task
        PID: 928
    [3] C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "SecurityHealthSystray"
        PID: 2820
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC2E.tmp.bat""
        - Suspicious use of WriteProcessMemory
        PID: 920
      [4] C:\Windows\system32\timeout.exe
          timeout 3
          - Delays execution with timeout.exe
          PID: 404
-
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
3KB
MD5
3eb3833f769dd890afc295b977eab4b4
SHA1
e857649b037939602c72ad003e5d3698695f436f
SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD5
26c94c408a5a2e1e04f1191fc2902d3e
SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5
SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec
SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586
-
Filesize
1KB
MD5
bcabe17a89aa6ba8c6453492a18ebd87
SHA1
7ef451befe7725e4476a19c1c94c4cf0c5fdbbad
SHA256
a8adf95d6bbc7e540ea0110f42e557c52953f6c71539ebc2a9b1cd156c140392
SHA512
5fd2c8f64eaf801f193c1a04deceb200b01e4a4b6140e8fde9d14cc57299c8eb983e165888f9251e1ebbb8b28b1c6636b709b935af61015deef69693347d6301
-
Filesize
1KB
MD5
72877eafebfbc7315b765f6fa4e29418
SHA1
7e7469f485925677b3d5b6b972506a5eb06445b5
SHA256
d4a7ff06b8e271dfc46a8466514453c457d3a0142d8b222808a4467aa44ca688
SHA512
1b91f2dd9118b6232dcd346b35e24928a0577edbd956c7f285b5835d8fd9fb15dc5412d8db14e780f0af03bd679d3cc2658ac27c14654f5eeb0e5dc8897ae559
-
Filesize
119KB
MD5
d29f0ca8cb7a02d19f9d12043f09f7b5
SHA1
0e3bfab1566563249259229c03f62fa47d8936c3
SHA256
c6d3b827fa2a9bb3d320be67fd67947dca186b59f8a28dfa4f138e98f31533d1
SHA512
5b23ebaa1813571b0e57375ef94957c9c8ccd04e8549581424de7d11a7cf434e75a8a59e7d9141a6f09463d6185f5979ce3860d9f97c1e546f88120f83f3062d
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
173B
MD5
460d70c4ef5c4deaa19e8b263f155361
SHA1
b020e85ceba0ef171ef088764d49e24c855fed11
SHA256
33c5e393387530778524da51e6bfc8ce843a095cc5fa47bbebb539129aa8680c
SHA512
f85affa39e537677538a6ebfd1e3ec640ff86608a030a1ca375e274b68b17563c8ea994fa2672bbaf14be4c2e166947e5280a9261a1aa0620aec07c389316631