Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    26/12/2024, 20:36

General

  • Target

    CraxsRat.exe

  • Size

    74KB

  • MD5

    4ede52da0203635e6710c5c2d342e9a2

  • SHA1

    85543afb17c7b8d5372e37fe436f8f1713535496

  • SHA256

    407811722d5d33124ac105789ae08fc00e50173292d90766b633babfa8243a05

  • SHA512

    d01509d737f6b6d4af14747bb8dc58f7225b91b6ca94204b9cae6ec30f8d4b7cfb944702da622cb1e4ede7aca20cb9c3adccb73b46144abe7676ae370e944f1d

  • SSDEEP

    768:CXnupU7ZFwUkBZq+OjCoPPupelf8/F1xlM5U+sarzcoODlXhwRyfIY63hGukQ7zp:8uBBZzOjOpGf893wE5h4yfIeYlww

Malware Config

Extracted

Family

xworm

C2

szqdzaa-22376.portmap.host:22376

Attributes
  • Install_directory

    %AppData%

  • install_file

    SecurityHealthSystray.exe

  • telegram

    https://api.telegram.org/bot6452802278:AAHjSHCysYxHacEO8AgYopBedWCYBDBhX5I/sendMessage?chat_id=5355197127

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6452802278:AAHjSHCysYxHacEO8AgYopBedWCYBDBhX5I/sendMessage?chat_id=5355197127

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe
    "C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3512
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:928
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "SecurityHealthSystray"
        3⤵
        PID:2820
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC2E.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:404

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      26c94c408a5a2e1e04f1191fc2902d3e

      SHA1

      ce50b153be03511bd62a477abf71a7e9f94e68a5

      SHA256

      86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

      SHA512

      70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      bcabe17a89aa6ba8c6453492a18ebd87

      SHA1

      7ef451befe7725e4476a19c1c94c4cf0c5fdbbad

      SHA256

      a8adf95d6bbc7e540ea0110f42e557c52953f6c71539ebc2a9b1cd156c140392

      SHA512

      5fd2c8f64eaf801f193c1a04deceb200b01e4a4b6140e8fde9d14cc57299c8eb983e165888f9251e1ebbb8b28b1c6636b709b935af61015deef69693347d6301

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      72877eafebfbc7315b765f6fa4e29418

      SHA1

      7e7469f485925677b3d5b6b972506a5eb06445b5

      SHA256

      d4a7ff06b8e271dfc46a8466514453c457d3a0142d8b222808a4467aa44ca688

      SHA512

      1b91f2dd9118b6232dcd346b35e24928a0577edbd956c7f285b5835d8fd9fb15dc5412d8db14e780f0af03bd679d3cc2658ac27c14654f5eeb0e5dc8897ae559

    • C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

      Filesize

      119KB

      MD5

      d29f0ca8cb7a02d19f9d12043f09f7b5

      SHA1

      0e3bfab1566563249259229c03f62fa47d8936c3

      SHA256

      c6d3b827fa2a9bb3d320be67fd67947dca186b59f8a28dfa4f138e98f31533d1

      SHA512

      5b23ebaa1813571b0e57375ef94957c9c8ccd04e8549581424de7d11a7cf434e75a8a59e7d9141a6f09463d6185f5979ce3860d9f97c1e546f88120f83f3062d

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qb5ap4l2.4hn.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpFC2E.tmp.bat

      Filesize

      173B

      MD5

      460d70c4ef5c4deaa19e8b263f155361

      SHA1

      b020e85ceba0ef171ef088764d49e24c855fed11

      SHA256

      33c5e393387530778524da51e6bfc8ce843a095cc5fa47bbebb539129aa8680c

      SHA512

      f85affa39e537677538a6ebfd1e3ec640ff86608a030a1ca375e274b68b17563c8ea994fa2672bbaf14be4c2e166947e5280a9261a1aa0620aec07c389316631

    • memory/2012-18-0x00007FFC990A0000-0x00007FFC99B62000-memory.dmp

      Filesize

      10.8MB

    • memory/2012-0-0x00007FFC990A3000-0x00007FFC990A5000-memory.dmp

      Filesize

      8KB

    • memory/2012-13-0x00007FFC990A0000-0x00007FFC99B62000-memory.dmp

      Filesize

      10.8MB

    • memory/2012-1-0x0000000000870000-0x0000000000888000-memory.dmp

      Filesize

      96KB

    • memory/2472-20-0x00007FFC990A0000-0x00007FFC99B62000-memory.dmp

      Filesize

      10.8MB

    • memory/2472-19-0x00000000001D0000-0x00000000001F4000-memory.dmp

      Filesize

      144KB

    • memory/2472-71-0x00007FFC990A0000-0x00007FFC99B62000-memory.dmp

      Filesize

      10.8MB

    • memory/2472-72-0x00007FFC990A0000-0x00007FFC99B62000-memory.dmp

      Filesize

      10.8MB

    • memory/2472-73-0x00007FFC990A0000-0x00007FFC99B62000-memory.dmp

      Filesize

      10.8MB

    • memory/2472-74-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

      Filesize

      48KB

    • memory/2472-75-0x000000001F560000-0x000000001F680000-memory.dmp

      Filesize

      1.1MB

    • memory/2472-83-0x00007FFC990A0000-0x00007FFC99B62000-memory.dmp

      Filesize

      10.8MB

    • memory/2976-21-0x000001E5CBF60000-0x000001E5CBF82000-memory.dmp

      Filesize

      136KB