Overview
overview
9Static
static
7Verse crac...or.exe
windows11-21h2-x64
1Verse crac...RU.exe
windows11-21h2-x64
1Verse crac...ll.exe
windows11-21h2-x64
1Verse crac...rt.exe
windows11-21h2-x64
5Verse crac...64.exe
windows11-21h2-x64
5Verse crac...er.bat
windows11-21h2-x64
1Verse crac...er.exe
windows11-21h2-x64
9Verse crac...er.exe
windows11-21h2-x64
7Verse crac...n].bat
windows11-21h2-x64
1Verse crac...15.exe
windows11-21h2-x64
9Verse crac...ip.dll
windows11-21h2-x64
1Analysis
-
max time kernel
88s -
max time network
95s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-04-2024 03:36
Behavioral task
behavioral1
Sample
Verse crack from feds and nex/Injector.exe
Resource
win11-20240412-en
Behavioral task
behavioral2
Sample
Verse crack from feds and nex/Monitor Spoof/CRU.exe
Resource
win11-20240412-en
Behavioral task
behavioral3
Sample
Verse crack from feds and nex/Monitor Spoof/reset-all.exe
Resource
win11-20240412-en
Behavioral task
behavioral4
Sample
Verse crack from feds and nex/Monitor Spoof/restart.exe
Resource
win11-20240412-en
Behavioral task
behavioral5
Sample
Verse crack from feds and nex/Monitor Spoof/restart64.exe
Resource
win11-20240412-en
Behavioral task
behavioral6
Sample
Verse crack from feds and nex/Serialcheckers/Backup serialchecker/Serialchecker.bat
Resource
win11-20240412-en
Behavioral task
behavioral7
Sample
Verse crack from feds and nex/Serialcheckers/Mac-checker.exe
Resource
win11-20240412-en
Behavioral task
behavioral8
Sample
Verse crack from feds and nex/Serialcheckers/Serialchecker.exe
Resource
win11-20240412-en
Behavioral task
behavioral9
Sample
Verse crack from feds and nex/Serialcheckers/Wifi & Bluetooth disabler/Disabler [Run Admin].bat
Resource
win11-20240412-en
Behavioral task
behavioral10
Sample
Verse crack from feds and nex/Verse V4.15.exe
Resource
win11-20240412-en
Behavioral task
behavioral11
Sample
Verse crack from feds and nex/rip.dll
Resource
win11-20240412-en
General
-
Target
Verse crack from feds and nex/Monitor Spoof/restart.exe
-
Size
63KB
-
MD5
8242ce426ad462eff02edae1487a6949
-
SHA1
9a4f382d427e0de729053535aaa3310cac5f087b
-
SHA256
b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
-
SHA512
aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1
-
SSDEEP
768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx
Malware Config
Signatures
-
Drops file in System32 directory 6 IoCs
Processes:
WMIADAP.EXEdescription ioc process File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini WMIADAP.EXE File created C:\Windows\system32\perfc009.dat WMIADAP.EXE File created C:\Windows\system32\perfh009.dat WMIADAP.EXE File created C:\Windows\system32\PerfStringBackup.TMP WMIADAP.EXE File opened for modification C:\Windows\system32\PerfStringBackup.INI WMIADAP.EXE -
Drops file in Windows directory 4 IoCs
Processes:
WMIADAP.EXEdescription ioc process File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE File created C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
restart64.exepid process 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe 3456 restart64.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
restart64.exeAUDIODG.EXEdescription pid process Token: SeLoadDriverPrivilege 3456 restart64.exe Token: 33 760 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 760 AUDIODG.EXE Token: SeLoadDriverPrivilege 3456 restart64.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
restart64.exepid process 3456 restart64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
restart.exedescription pid process target process PID 5060 wrote to memory of 3456 5060 restart.exe restart64.exe PID 5060 wrote to memory of 3456 5060 restart.exe restart64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe"C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Monitor Spoof\restart64.exerestart64.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x000000000000047C1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /R /T1⤵
- Drops file in System32 directory
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\System32\perfc009.datFilesize
128KB
MD5a9ae270f03cd818fc5ccb1fc114ed0f8
SHA157cfce4c18c0163fd41652ab89e4c51649eee492
SHA256c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec
SHA5125fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0
-
C:\Windows\System32\perfh009.datFilesize
699KB
MD5a89ae42f5a026c19299f9fa3278556cd
SHA1ec0a61aa2b89c9f80c734006446f124530e0f66b
SHA25694ddaf67c6973113ef2992feab11bd2147194541c8c8efc82f7b51e89fc08a25
SHA512fad978dd060c6a507d8be487d8478f4f550c2e3fa440c8b3f90c19771f9e2b0d34ead3fad6f026ea233bbd5ec0f5274b7dc6bab4ea4d090322d4406edd3a836e
-
C:\Windows\System32\wbem\Performance\WmiApRpl.hFilesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
C:\Windows\System32\wbem\Performance\WmiApRpl.iniFilesize
29KB
MD5ffdeea82ba4a5a65585103dd2a922dfe
SHA1094c3794503245cc7dfa9e222d3504f449a5400b
SHA256c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA5127570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a