2c6a1adc320f8512e7163ea1f624a248f323bd5d4c73eb14ba84f463b6b8f3e7

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Verse crack from feds and nex/Monitor Spoof/restart.exe
Size

63KB
MD5

8242ce426ad462eff02edae1487a6949
SHA1

9a4f382d427e0de729053535aaa3310cac5f087b
SHA256

b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
SHA512

aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1
SSDEEP

768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 16 IoCs

Processes:

WMIADAP.EXE

description	ioc	process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE

Drops file in Windows directory 4 IoCs

Processes:

WMIADAP.EXE

description	ioc	process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

restart64.exe

pid	process
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe
1896	restart64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

restart64.exeAUDIODG.EXE

description	pid	process
Token: SeLoadDriverPrivilege	1896	restart64.exe
Token: 33	620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	620	AUDIODG.EXE
Token: SeLoadDriverPrivilege	1896	restart64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

restart64.exe

pid process

1896 restart64.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

restart.exe

description	pid	process	target process
PID 1244 wrote to memory of 1896	1244	restart.exe	restart64.exe
PID 1244 wrote to memory of 1896	1244	restart.exe	restart64.exe

C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe
"C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart64.exe
restart64.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x3ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc007.dat
Filesize
142KB

MD5
1bd26a75846ce780d72b93caffac89f6

SHA1
ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

SHA256
55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

SHA512
4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

Download Submit
C:\Windows\System32\perfc00A.dat
Filesize
147KB

MD5
6d4b430c2abf0ec4ca1909e6e2f097db

SHA1
97c330923a6380fe8ea8e440ce2c568594d3fff7

SHA256
44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e

SHA512
cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

Download Submit
C:\Windows\System32\perfc00C.dat
Filesize
141KB

MD5
6adbb878124fcd6561655718f12bff5f

SHA1
1711619dda04178fb47eea6658da6ad52f6cf660

SHA256
0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf

SHA512
88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

Download Submit
C:\Windows\System32\perfc010.dat
Filesize
138KB

MD5
c0a264734479700068f6e00ef4fd4aa7

SHA1
4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd

SHA256
71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735

SHA512
85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

Download Submit
C:\Windows\System32\perfc011.dat
Filesize
125KB

MD5
eef14d868d4e0c2354c345abc4902445

SHA1
173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

SHA256
9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

SHA512
c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

Download Submit
C:\Windows\System32\perfh007.dat
Filesize
710KB

MD5
82d7f8765db25b313ecf436572dbe840

SHA1
da9ed48d5386a1133f878b3e00988cbf4cdebab8

SHA256
3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

SHA512
59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

Download Submit
C:\Windows\System32\perfh009.dat
Filesize
693KB

MD5
7e95d75454f89e7f47d028b1c936a3f6

SHA1
fd096cf806fd8fe4d42c187c993af3bb037ac4a1

SHA256
41c46646ffbb3aaa58d13974f8a2c8b866a4f9d3e0dbe0f730ab52a4b9ab9053

SHA512
f3f599de58901ea053a0f8a7a197ccf2c2cd69f2666466f8d8e9745977c603a9549ddcfc21fdcaa2bfc41dc84eb251ebd8bc9b0a67f505d2982c424c7d3b5c79

Download Submit
C:\Windows\System32\perfh00A.dat
Filesize
767KB

MD5
feb35e575911f5d568fbbfa7d0434412

SHA1
e896dfc32b25633322d2e252cfa65520d30677a2

SHA256
bf628d6ab769fc710e7eb097ca0132bd88cfbf63bd3aa08e24cd5820594fccf9

SHA512
c9544c2cfed9fc11696896cd6d6184f9de0e8e26d3d61cf211449de77d9ec8cac000d3408ccac8baf078a82ed73f735e9f740a00af59a392f14673e2bae056b5

Download Submit
C:\Windows\System32\perfh00C.dat
Filesize
771KB

MD5
099a4cfda7f72958205e2dc897df9d70

SHA1
3acf3a8bc62f4acea89fcfc721d0c57822bad6cf

SHA256
454dae9e37ca1458c67087f801a7a8a73d73f43c4efb57f64d624c5190662c40

SHA512
a531d8767afc2ce8005c9433f430acb27011c7ff41db25a69e70f0433fe6224a8f42c7d95aa3a4680d60c4351f26014e05a7d79d9faba42817a3e700c385750f

Download Submit
C:\Windows\System32\perfh010.dat
Filesize
760KB

MD5
2b41db88b556a31593911ade702a8306

SHA1
9820c8ffef6b27fad15badab22408eaf52d58300

SHA256
61a5192c872e646050ee10eaef95bbc313fb7ae639b43c1ed3d2040f50cc1186

SHA512
0b0c6b8cae683aa645ea2e0285209ac6d82624bfdacdb4e0b92d8118c30fa2fa6def665150b548e4adbee399074f73a961217e6065b05e65919c198efeb424f6

Download Submit
C:\Windows\System32\perfh011.dat
Filesize
475KB

MD5
3a04e10b00e1cb1c612c6686d8fa6631

SHA1
02f2cadc867f6c8a0a0594af7fe7e22e6bfec6d8

SHA256
d6093bc48455d95997454eb9dfe4f8c8deca08153a44039d83d9efcd5ee8427c

SHA512
bef5c61f649219fccad730bc0a86cc6c16197f5487c787d5ee8e3fb259854ef7affefcbdf3c2b9646b2134770d5dbd621be9c14d8d4030663e6aa89c601312c4

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h
Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
Filesize
29KB

MD5
ffdeea82ba4a5a65585103dd2a922dfe

SHA1
094c3794503245cc7dfa9e222d3504f449a5400b

SHA256
c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

SHA512
7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

Download Submit