2c6a1adc320f8512e7163ea1f624a248f323bd5d4c73eb14ba84f463b6b8f3e7

Analysis

max time kernel
88s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Verse crack from feds and nex/Monitor Spoof/restart.exe
Size

63KB
MD5

8242ce426ad462eff02edae1487a6949
SHA1

9a4f382d427e0de729053535aaa3310cac5f087b
SHA256

b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
SHA512

aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1
SSDEEP

768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 6 IoCs

Processes:

WMIADAP.EXE

description	ioc	process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE

Drops file in Windows directory 4 IoCs

Processes:

WMIADAP.EXE

description	ioc	process
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

restart64.exe

pid	process
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe
3456	restart64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

restart64.exeAUDIODG.EXE

description	pid	process
Token: SeLoadDriverPrivilege	3456	restart64.exe
Token: 33	760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	760	AUDIODG.EXE
Token: SeLoadDriverPrivilege	3456	restart64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

restart64.exe

pid process

3456 restart64.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

restart.exe

description	pid	process	target process
PID 5060 wrote to memory of 3456	5060	restart.exe	restart64.exe
PID 5060 wrote to memory of 3456	5060	restart.exe	restart64.exe

C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe
"C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart64.exe
restart64.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x000000000000047C
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3288

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3480

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc009.dat
Filesize
128KB

MD5
a9ae270f03cd818fc5ccb1fc114ed0f8

SHA1
57cfce4c18c0163fd41652ab89e4c51649eee492

SHA256
c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec

SHA512
5fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0

Download Submit
C:\Windows\System32\perfh009.dat
Filesize
699KB

MD5
a89ae42f5a026c19299f9fa3278556cd

SHA1
ec0a61aa2b89c9f80c734006446f124530e0f66b

SHA256
94ddaf67c6973113ef2992feab11bd2147194541c8c8efc82f7b51e89fc08a25

SHA512
fad978dd060c6a507d8be487d8478f4f550c2e3fa440c8b3f90c19771f9e2b0d34ead3fad6f026ea233bbd5ec0f5274b7dc6bab4ea4d090322d4406edd3a836e

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h
Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
Filesize
29KB

MD5
ffdeea82ba4a5a65585103dd2a922dfe

SHA1
094c3794503245cc7dfa9e222d3504f449a5400b

SHA256
c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

SHA512
7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads