Overview
overview
5Static
static
3cru-1.5.2.zip
windows7-x64
1cru-1.5.2.zip
windows10-2004-x64
1CRU.exe
windows7-x64
1CRU.exe
windows10-2004-x64
1Info.txt
windows7-x64
1Info.txt
windows10-2004-x64
1reset-all.exe
windows7-x64
1reset-all.exe
windows10-2004-x64
1restart.exe
windows7-x64
4restart.exe
windows10-2004-x64
5restart64.exe
windows7-x64
4restart64.exe
windows10-2004-x64
5Analysis
-
max time kernel
70s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 21:32
Static task
static1
Behavioral task
behavioral1
Sample
cru-1.5.2.zip
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
cru-1.5.2.zip
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
CRU.exe
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
CRU.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Info.txt
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
Info.txt
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
reset-all.exe
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
reset-all.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
restart.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
restart.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
restart64.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
restart64.exe
Resource
win10v2004-20240508-en
General
-
Target
restart.exe
-
Size
63KB
-
MD5
8242ce426ad462eff02edae1487a6949
-
SHA1
9a4f382d427e0de729053535aaa3310cac5f087b
-
SHA256
b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
-
SHA512
aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1
-
SSDEEP
768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx
Malware Config
Signatures
-
Drops file in System32 directory 16 IoCs
Processes:
WMIADAP.EXEdescription ioc process File created C:\Windows\system32\perfc00A.dat WMIADAP.EXE File created C:\Windows\system32\perfh00C.dat WMIADAP.EXE File created C:\Windows\system32\perfc010.dat WMIADAP.EXE File created C:\Windows\system32\perfh011.dat WMIADAP.EXE File opened for modification C:\Windows\system32\PerfStringBackup.INI WMIADAP.EXE File created C:\Windows\system32\perfh007.dat WMIADAP.EXE File created C:\Windows\system32\perfh009.dat WMIADAP.EXE File created C:\Windows\system32\perfh00A.dat WMIADAP.EXE File created C:\Windows\system32\perfc011.dat WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h WMIADAP.EXE File created C:\Windows\system32\perfh010.dat WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini WMIADAP.EXE File created C:\Windows\system32\perfc009.dat WMIADAP.EXE File created C:\Windows\system32\perfc00C.dat WMIADAP.EXE File created C:\Windows\system32\PerfStringBackup.TMP WMIADAP.EXE File created C:\Windows\system32\perfc007.dat WMIADAP.EXE -
Drops file in Windows directory 4 IoCs
Processes:
WMIADAP.EXEdescription ioc process File created C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
restart64.exepid process 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe 1584 restart64.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
restart64.exeAUDIODG.EXEdescription pid process Token: SeLoadDriverPrivilege 1584 restart64.exe Token: SeLoadDriverPrivilege 1584 restart64.exe Token: 33 2012 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2012 AUDIODG.EXE Token: SeLoadDriverPrivilege 1584 restart64.exe Token: SeLoadDriverPrivilege 1584 restart64.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
restart64.exepid process 1584 restart64.exe 1584 restart64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
restart.exedescription pid process target process PID 1744 wrote to memory of 1584 1744 restart.exe restart64.exe PID 1744 wrote to memory of 1584 1744 restart.exe restart64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\restart.exe"C:\Users\Admin\AppData\Local\Temp\restart.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\restart64.exerestart64.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1584
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f0 0x4501⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /R /T1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1452
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142KB
MD51bd26a75846ce780d72b93caffac89f6
SHA1ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA25655b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA5124f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e
-
Filesize
151KB
MD5126ba0794b2573b1d9ae9cec193619a5
SHA16a66c8959b7ad325461cab16ec264c21b0be92df
SHA256a41a8aa76a3f79903dc9a4c6615e0b41162bff792467411286f0fc458dc6837a
SHA512c755744868578f4060bd2e880bd0e36e75d4f673ddd47e1c4b1f9e4b6b4f9b12a98b5161e89442687400d08e266d05ab60ffacb1abadf9b8cf2d8f5c46ac2f3d
-
Filesize
145KB
MD5c1574b4b8802b26d287ea62d8c570cdd
SHA10a072e6cefadf908fdb05d843a917872e0045d90
SHA2564746cc05934f69596bda9cfa678b80e3311cfe21de4682120c6fff1b140fd893
SHA5121d5600cd2abd376e3feb5055c885fb066ce010efbe40e432f607b846890f92b2a38e027699658e4e4033fdb9ee80bcfbe4c23f6b47a5d6ffda09c4bd4526acb9
-
Filesize
142KB
MD5dd17fab2e74e18fa9a8dd7c2475de6fc
SHA10fb0656ebdacc28c2d056ceff2579a485507b3f9
SHA2563b56a360bf9cac36d8cdf9a76147c504490444e65c1435c188d0174e63da8a65
SHA5123ccc0f4e536649d88a524e0fc2a4036a2d3354d76a7b563733751ff70b8e4fa6603de61c3d065db28df8e27fab32fd7a83297b3d8decbd13433bcd3d221cbadf
-
Filesize
125KB
MD5eef14d868d4e0c2354c345abc4902445
SHA1173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA2569f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee
-
Filesize
710KB
MD582d7f8765db25b313ecf436572dbe840
SHA1da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA2563053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA51259766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8
-
Filesize
693KB
MD53071151784d57e71d79ba530a9cdb118
SHA1124c701e68f04bcba17c0d2cbcca31adc3a3eca2
SHA256dd7aa1c18ed73c796beb59078d146201a58f4124d7c744e0f7efe93283e32914
SHA512865b2f10a54088edb4a9ec58d6766e3e0a222a8e6d159ef5a7454776d94b0c65ff81c8e215b2c0e71877b7857f3c0135951c25364c4ccd6eaecf93c7b6128011
-
Filesize
767KB
MD5feb35e575911f5d568fbbfa7d0434412
SHA1e896dfc32b25633322d2e252cfa65520d30677a2
SHA256bf628d6ab769fc710e7eb097ca0132bd88cfbf63bd3aa08e24cd5820594fccf9
SHA512c9544c2cfed9fc11696896cd6d6184f9de0e8e26d3d61cf211449de77d9ec8cac000d3408ccac8baf078a82ed73f735e9f740a00af59a392f14673e2bae056b5
-
Filesize
771KB
MD5099a4cfda7f72958205e2dc897df9d70
SHA13acf3a8bc62f4acea89fcfc721d0c57822bad6cf
SHA256454dae9e37ca1458c67087f801a7a8a73d73f43c4efb57f64d624c5190662c40
SHA512a531d8767afc2ce8005c9433f430acb27011c7ff41db25a69e70f0433fe6224a8f42c7d95aa3a4680d60c4351f26014e05a7d79d9faba42817a3e700c385750f
-
Filesize
760KB
MD52b41db88b556a31593911ade702a8306
SHA19820c8ffef6b27fad15badab22408eaf52d58300
SHA25661a5192c872e646050ee10eaef95bbc313fb7ae639b43c1ed3d2040f50cc1186
SHA5120b0c6b8cae683aa645ea2e0285209ac6d82624bfdacdb4e0b92d8118c30fa2fa6def665150b548e4adbee399074f73a961217e6065b05e65919c198efeb424f6
-
Filesize
475KB
MD57f2b576ab40800aa5f1e3c163176c1c7
SHA17c24fd2342498e1095f58d264078988323834e20
SHA256f98dfd85751e15486b725d4f36f7ef3fa0d72b76dd48401ce93e68b19e486e60
SHA5126780454b0ca385ae18baae45ca37103aa69352ce5dcf1f16debe6a49923a4137e4e1471439853ca8a965c12a9a5498b5f634119a1d9daaf5301e43663da7db94
-
Filesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
Filesize
29KB
MD5ffdeea82ba4a5a65585103dd2a922dfe
SHA1094c3794503245cc7dfa9e222d3504f449a5400b
SHA256c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA5127570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a