1b26b88aa9b53462243f8bb461e3f92e76b050ece49421a99f3824e51970e588

General

Target

Cleared Craxs Rat.zip
Size

221.2MB
MD5

2b25a0c4fe49210b4723e31a50eb16ab
SHA1

0aaf3598d2f12e4c1dc3da1df8514e4af6e3a6cc
SHA256

1b26b88aa9b53462243f8bb461e3f92e76b050ece49421a99f3824e51970e588
SHA512

af439e5d12476e412b41caa6964aa8a93c29cc20b76bee8124fba8b84fd36aae0fcef5163f17bb04748369c72bd01992a070a8fdd45f4bc0c6b8d8c50c92bf3e
SSDEEP

3145728:uaZURJoSObmC1a95aVNcsaIDWFCMG5wiZH3ijIECd4ItZT25OH5kN4NQ908t24lT:uNASD95fsa88CMGErUvvykkRm0yP8Skj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3960	bb2.exe
2964	bb2.exe
2696	bb2.exe
1352	bb2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1260	7zFM.exe
Token: 35	1260	7zFM.exe
Token: SeSecurityPrivilege	1260	7zFM.exe
Token: SeDebugPrivilege	3988	taskmgr.exe
Token: SeSystemProfilePrivilege	3988	taskmgr.exe
Token: SeCreateGlobalPrivilege	3988	taskmgr.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1260	7zFM.exe
1260	7zFM.exe
1260	7zFM.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cleared Craxs Rat.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2212

C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe
"C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe"
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3988

C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe
"C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe"
1⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe
"C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe"
1⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe
"C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe"
1⤵
- Executes dropped EXE
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Cleared Craxs Rat\bb2.exe.config

Filesize
8KB

MD5
d1158d00747c63b29a91da068c16ac15

SHA1
540e2dec15f0735effa1288b9a57c56115dccc57

SHA256
633b6dc8625d1b14d46ddffc922f362fd668043e3aaab40193e61424e42a951a

SHA512
2966d1d3cc8d29ce964d71f7300e4c129b2ab2ef94fe4bdeab7fd3069cb4598a091682e08a1f060a0f958bfce7d12eb4ff3b67e1bd26e982169da6600359a74f

Download Submit
memory/3960-1013-0x00007FFC718E3000-0x00007FFC718E5000-memory.dmp

Filesize
8KB

Download
memory/3960-1014-0x0000028D04C90000-0x0000028D08C40000-memory.dmp

Filesize
63.7MB

Download
memory/3988-1017-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1016-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1015-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1023-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1022-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1021-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1024-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1027-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1026-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download
memory/3988-1025-0x000001E3EA0F0000-0x000001E3EA0F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing