Analysis

  • max time kernel
    70s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 21:32

General

  • Target

    restart.exe

  • Size

    63KB

  • MD5

    8242ce426ad462eff02edae1487a6949

  • SHA1

    9a4f382d427e0de729053535aaa3310cac5f087b

  • SHA256

    b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a

  • SHA512

    aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

  • SSDEEP

    768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\restart.exe
    "C:\Users\Admin\AppData\Local\Temp\restart.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Local\Temp\restart64.exe
      restart64.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1584
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f0 0x450
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2012
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /R /T
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\perfc007.dat

    Filesize

    142KB

    MD5

    1bd26a75846ce780d72b93caffac89f6

    SHA1

    ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

    SHA256

    55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

    SHA512

    4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

  • C:\Windows\System32\perfc00A.dat

    Filesize

    151KB

    MD5

    126ba0794b2573b1d9ae9cec193619a5

    SHA1

    6a66c8959b7ad325461cab16ec264c21b0be92df

    SHA256

    a41a8aa76a3f79903dc9a4c6615e0b41162bff792467411286f0fc458dc6837a

    SHA512

    c755744868578f4060bd2e880bd0e36e75d4f673ddd47e1c4b1f9e4b6b4f9b12a98b5161e89442687400d08e266d05ab60ffacb1abadf9b8cf2d8f5c46ac2f3d

  • C:\Windows\System32\perfc00C.dat

    Filesize

    145KB

    MD5

    c1574b4b8802b26d287ea62d8c570cdd

    SHA1

    0a072e6cefadf908fdb05d843a917872e0045d90

    SHA256

    4746cc05934f69596bda9cfa678b80e3311cfe21de4682120c6fff1b140fd893

    SHA512

    1d5600cd2abd376e3feb5055c885fb066ce010efbe40e432f607b846890f92b2a38e027699658e4e4033fdb9ee80bcfbe4c23f6b47a5d6ffda09c4bd4526acb9

  • C:\Windows\System32\perfc010.dat

    Filesize

    142KB

    MD5

    dd17fab2e74e18fa9a8dd7c2475de6fc

    SHA1

    0fb0656ebdacc28c2d056ceff2579a485507b3f9

    SHA256

    3b56a360bf9cac36d8cdf9a76147c504490444e65c1435c188d0174e63da8a65

    SHA512

    3ccc0f4e536649d88a524e0fc2a4036a2d3354d76a7b563733751ff70b8e4fa6603de61c3d065db28df8e27fab32fd7a83297b3d8decbd13433bcd3d221cbadf

  • C:\Windows\System32\perfc011.dat

    Filesize

    125KB

    MD5

    eef14d868d4e0c2354c345abc4902445

    SHA1

    173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

    SHA256

    9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

    SHA512

    c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

  • C:\Windows\System32\perfh007.dat

    Filesize

    710KB

    MD5

    82d7f8765db25b313ecf436572dbe840

    SHA1

    da9ed48d5386a1133f878b3e00988cbf4cdebab8

    SHA256

    3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

    SHA512

    59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

  • C:\Windows\System32\perfh009.dat

    Filesize

    693KB

    MD5

    3071151784d57e71d79ba530a9cdb118

    SHA1

    124c701e68f04bcba17c0d2cbcca31adc3a3eca2

    SHA256

    dd7aa1c18ed73c796beb59078d146201a58f4124d7c744e0f7efe93283e32914

    SHA512

    865b2f10a54088edb4a9ec58d6766e3e0a222a8e6d159ef5a7454776d94b0c65ff81c8e215b2c0e71877b7857f3c0135951c25364c4ccd6eaecf93c7b6128011

  • C:\Windows\System32\perfh00A.dat

    Filesize

    767KB

    MD5

    feb35e575911f5d568fbbfa7d0434412

    SHA1

    e896dfc32b25633322d2e252cfa65520d30677a2

    SHA256

    bf628d6ab769fc710e7eb097ca0132bd88cfbf63bd3aa08e24cd5820594fccf9

    SHA512

    c9544c2cfed9fc11696896cd6d6184f9de0e8e26d3d61cf211449de77d9ec8cac000d3408ccac8baf078a82ed73f735e9f740a00af59a392f14673e2bae056b5

  • C:\Windows\System32\perfh00C.dat

    Filesize

    771KB

    MD5

    099a4cfda7f72958205e2dc897df9d70

    SHA1

    3acf3a8bc62f4acea89fcfc721d0c57822bad6cf

    SHA256

    454dae9e37ca1458c67087f801a7a8a73d73f43c4efb57f64d624c5190662c40

    SHA512

    a531d8767afc2ce8005c9433f430acb27011c7ff41db25a69e70f0433fe6224a8f42c7d95aa3a4680d60c4351f26014e05a7d79d9faba42817a3e700c385750f

  • C:\Windows\System32\perfh010.dat

    Filesize

    760KB

    MD5

    2b41db88b556a31593911ade702a8306

    SHA1

    9820c8ffef6b27fad15badab22408eaf52d58300

    SHA256

    61a5192c872e646050ee10eaef95bbc313fb7ae639b43c1ed3d2040f50cc1186

    SHA512

    0b0c6b8cae683aa645ea2e0285209ac6d82624bfdacdb4e0b92d8118c30fa2fa6def665150b548e4adbee399074f73a961217e6065b05e65919c198efeb424f6

  • C:\Windows\System32\perfh011.dat

    Filesize

    475KB

    MD5

    7f2b576ab40800aa5f1e3c163176c1c7

    SHA1

    7c24fd2342498e1095f58d264078988323834e20

    SHA256

    f98dfd85751e15486b725d4f36f7ef3fa0d72b76dd48401ce93e68b19e486e60

    SHA512

    6780454b0ca385ae18baae45ca37103aa69352ce5dcf1f16debe6a49923a4137e4e1471439853ca8a965c12a9a5498b5f634119a1d9daaf5301e43663da7db94

  • C:\Windows\System32\wbem\Performance\WmiApRpl.h

    Filesize

    3KB

    MD5

    b133a676d139032a27de3d9619e70091

    SHA1

    1248aa89938a13640252a79113930ede2f26f1fa

    SHA256

    ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

    SHA512

    c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

  • C:\Windows\System32\wbem\Performance\WmiApRpl.ini

    Filesize

    29KB

    MD5

    ffdeea82ba4a5a65585103dd2a922dfe

    SHA1

    094c3794503245cc7dfa9e222d3504f449a5400b

    SHA256

    c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

    SHA512

    7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a