Overview
overview
9Static
static
7Verse crac...or.exe
windows7-x64
1Verse crac...or.exe
windows10-2004-x64
1Verse crac...RU.exe
windows7-x64
1Verse crac...RU.exe
windows10-2004-x64
1Verse crac...ll.exe
windows7-x64
1Verse crac...ll.exe
windows10-2004-x64
1Verse crac...rt.exe
windows7-x64
4Verse crac...rt.exe
windows10-2004-x64
5Verse crac...64.exe
windows7-x64
4Verse crac...64.exe
windows10-2004-x64
5Verse crac...er.bat
windows7-x64
1Verse crac...er.bat
windows10-2004-x64
1Verse crac...er.exe
windows7-x64
9Verse crac...er.exe
windows10-2004-x64
9Verse crac...er.exe
windows7-x64
7Verse crac...er.exe
windows10-2004-x64
7Verse crac...n].bat
windows7-x64
1Verse crac...n].bat
windows10-2004-x64
1Verse crac...15.exe
windows7-x64
9Verse crac...15.exe
windows10-2004-x64
9Verse crac...ip.dll
windows7-x64
1Verse crac...ip.dll
windows10-2004-x64
1Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
20-04-2024 03:30
Behavioral task
behavioral1
Sample
Verse crack from feds and nex/Injector.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Verse crack from feds and nex/Injector.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
Verse crack from feds and nex/Monitor Spoof/CRU.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Verse crack from feds and nex/Monitor Spoof/CRU.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
Verse crack from feds and nex/Monitor Spoof/reset-all.exe
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
Verse crack from feds and nex/Monitor Spoof/reset-all.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Verse crack from feds and nex/Monitor Spoof/restart.exe
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
Verse crack from feds and nex/Monitor Spoof/restart.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
Verse crack from feds and nex/Monitor Spoof/restart64.exe
Resource
win7-20240220-en
Behavioral task
behavioral10
Sample
Verse crack from feds and nex/Monitor Spoof/restart64.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral11
Sample
Verse crack from feds and nex/Serialcheckers/Backup serialchecker/Serialchecker.bat
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Verse crack from feds and nex/Serialcheckers/Backup serialchecker/Serialchecker.bat
Resource
win10v2004-20240412-en
Behavioral task
behavioral13
Sample
Verse crack from feds and nex/Serialcheckers/Mac-checker.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
Verse crack from feds and nex/Serialcheckers/Mac-checker.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
Verse crack from feds and nex/Serialcheckers/Serialchecker.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Verse crack from feds and nex/Serialcheckers/Serialchecker.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral17
Sample
Verse crack from feds and nex/Serialcheckers/Wifi & Bluetooth disabler/Disabler [Run Admin].bat
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
Verse crack from feds and nex/Serialcheckers/Wifi & Bluetooth disabler/Disabler [Run Admin].bat
Resource
win10v2004-20240412-en
Behavioral task
behavioral19
Sample
Verse crack from feds and nex/Verse V4.15.exe
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
Verse crack from feds and nex/Verse V4.15.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral21
Sample
Verse crack from feds and nex/rip.dll
Resource
win7-20240215-en
Behavioral task
behavioral22
Sample
Verse crack from feds and nex/rip.dll
Resource
win10v2004-20240226-en
General
-
Target
Verse crack from feds and nex/Monitor Spoof/restart.exe
-
Size
63KB
-
MD5
8242ce426ad462eff02edae1487a6949
-
SHA1
9a4f382d427e0de729053535aaa3310cac5f087b
-
SHA256
b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
-
SHA512
aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1
-
SSDEEP
768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx
Malware Config
Signatures
-
Drops file in System32 directory 16 IoCs
Processes:
WMIADAP.EXEdescription ioc process File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini WMIADAP.EXE File created C:\Windows\system32\perfh011.dat WMIADAP.EXE File created C:\Windows\system32\PerfStringBackup.TMP WMIADAP.EXE File created C:\Windows\system32\perfc009.dat WMIADAP.EXE File created C:\Windows\system32\perfc00A.dat WMIADAP.EXE File opened for modification C:\Windows\system32\PerfStringBackup.INI WMIADAP.EXE File created C:\Windows\system32\perfc010.dat WMIADAP.EXE File created C:\Windows\system32\perfc007.dat WMIADAP.EXE File created C:\Windows\system32\perfh007.dat WMIADAP.EXE File created C:\Windows\system32\perfh009.dat WMIADAP.EXE File created C:\Windows\system32\perfh00C.dat WMIADAP.EXE File created C:\Windows\system32\perfh00A.dat WMIADAP.EXE File created C:\Windows\system32\perfc00C.dat WMIADAP.EXE File created C:\Windows\system32\perfh010.dat WMIADAP.EXE File created C:\Windows\system32\perfc011.dat WMIADAP.EXE -
Drops file in Windows directory 4 IoCs
Processes:
WMIADAP.EXEdescription ioc process File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE File created C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
restart64.exepid process 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe 1896 restart64.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
restart64.exeAUDIODG.EXEdescription pid process Token: SeLoadDriverPrivilege 1896 restart64.exe Token: 33 620 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 620 AUDIODG.EXE Token: SeLoadDriverPrivilege 1896 restart64.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
restart64.exepid process 1896 restart64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
restart.exedescription pid process target process PID 1244 wrote to memory of 1896 1244 restart.exe restart64.exe PID 1244 wrote to memory of 1896 1244 restart.exe restart64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe"C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart64.exerestart64.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x3ec1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /R /T1⤵
- Drops file in System32 directory
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\System32\perfc007.datFilesize
142KB
MD51bd26a75846ce780d72b93caffac89f6
SHA1ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA25655b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA5124f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e
-
C:\Windows\System32\perfc00A.datFilesize
147KB
MD56d4b430c2abf0ec4ca1909e6e2f097db
SHA197c330923a6380fe8ea8e440ce2c568594d3fff7
SHA25644f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e
SHA512cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b
-
C:\Windows\System32\perfc00C.datFilesize
141KB
MD56adbb878124fcd6561655718f12bff5f
SHA11711619dda04178fb47eea6658da6ad52f6cf660
SHA2560b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf
SHA51288ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006
-
C:\Windows\System32\perfc010.datFilesize
138KB
MD5c0a264734479700068f6e00ef4fd4aa7
SHA14e1a8c6a53ea9b54eb76f12d99b1327137a47ebd
SHA25671c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735
SHA51285ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca
-
C:\Windows\System32\perfc011.datFilesize
125KB
MD5eef14d868d4e0c2354c345abc4902445
SHA1173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA2569f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee
-
C:\Windows\System32\perfh007.datFilesize
710KB
MD582d7f8765db25b313ecf436572dbe840
SHA1da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA2563053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA51259766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8
-
C:\Windows\System32\perfh009.datFilesize
693KB
MD57e95d75454f89e7f47d028b1c936a3f6
SHA1fd096cf806fd8fe4d42c187c993af3bb037ac4a1
SHA25641c46646ffbb3aaa58d13974f8a2c8b866a4f9d3e0dbe0f730ab52a4b9ab9053
SHA512f3f599de58901ea053a0f8a7a197ccf2c2cd69f2666466f8d8e9745977c603a9549ddcfc21fdcaa2bfc41dc84eb251ebd8bc9b0a67f505d2982c424c7d3b5c79
-
C:\Windows\System32\perfh00A.datFilesize
767KB
MD5feb35e575911f5d568fbbfa7d0434412
SHA1e896dfc32b25633322d2e252cfa65520d30677a2
SHA256bf628d6ab769fc710e7eb097ca0132bd88cfbf63bd3aa08e24cd5820594fccf9
SHA512c9544c2cfed9fc11696896cd6d6184f9de0e8e26d3d61cf211449de77d9ec8cac000d3408ccac8baf078a82ed73f735e9f740a00af59a392f14673e2bae056b5
-
C:\Windows\System32\perfh00C.datFilesize
771KB
MD5099a4cfda7f72958205e2dc897df9d70
SHA13acf3a8bc62f4acea89fcfc721d0c57822bad6cf
SHA256454dae9e37ca1458c67087f801a7a8a73d73f43c4efb57f64d624c5190662c40
SHA512a531d8767afc2ce8005c9433f430acb27011c7ff41db25a69e70f0433fe6224a8f42c7d95aa3a4680d60c4351f26014e05a7d79d9faba42817a3e700c385750f
-
C:\Windows\System32\perfh010.datFilesize
760KB
MD52b41db88b556a31593911ade702a8306
SHA19820c8ffef6b27fad15badab22408eaf52d58300
SHA25661a5192c872e646050ee10eaef95bbc313fb7ae639b43c1ed3d2040f50cc1186
SHA5120b0c6b8cae683aa645ea2e0285209ac6d82624bfdacdb4e0b92d8118c30fa2fa6def665150b548e4adbee399074f73a961217e6065b05e65919c198efeb424f6
-
C:\Windows\System32\perfh011.datFilesize
475KB
MD53a04e10b00e1cb1c612c6686d8fa6631
SHA102f2cadc867f6c8a0a0594af7fe7e22e6bfec6d8
SHA256d6093bc48455d95997454eb9dfe4f8c8deca08153a44039d83d9efcd5ee8427c
SHA512bef5c61f649219fccad730bc0a86cc6c16197f5487c787d5ee8e3fb259854ef7affefcbdf3c2b9646b2134770d5dbd621be9c14d8d4030663e6aa89c601312c4
-
C:\Windows\System32\wbem\Performance\WmiApRpl.hFilesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
C:\Windows\System32\wbem\Performance\WmiApRpl.iniFilesize
29KB
MD5ffdeea82ba4a5a65585103dd2a922dfe
SHA1094c3794503245cc7dfa9e222d3504f449a5400b
SHA256c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA5127570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a