Malware Analysis Report

2024-10-19 09:36

Sample ID 240613-1dm9esvbqr
Target cru-1.5.2.zip
SHA256 c92e4255a897d6d97295724e5934a5315238a63bb8e0b8b320c5f9b21eb0f531
Tags
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

SHA256

c92e4255a897d6d97295724e5934a5315238a63bb8e0b8b320c5f9b21eb0f531

Threat Level: Likely benign

The file cru-1.5.2.zip was found to be: Likely benign.

Malicious Activity Summary

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 21:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win7-20240419-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CRU.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CRU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CRU.exe

"C:\Users\Admin\AppData\Local\Temp\CRU.exe"

Network

N/A

Files

memory/2936-0-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2936-1-0x0000000000400000-0x0000000000552000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

146s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Info.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Info.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win7-20240611-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\reset-all.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\reset-all.exe

"C:\Users\Admin\AppData\Local\Temp\reset-all.exe"

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\restart.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
File opened for modification C:\Windows\setupact.log C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\restart.exe

"C:\Users\Admin\AppData\Local\Temp\restart.exe"

C:\Users\Admin\AppData\Local\Temp\restart64.exe

restart64.exe

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win10v2004-20240508-en

Max time kernel

70s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\restart.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\restart.exe C:\Users\Admin\AppData\Local\Temp\restart64.exe
PID 1744 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\restart.exe C:\Users\Admin\AppData\Local\Temp\restart64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\restart.exe

"C:\Users\Admin\AppData\Local\Temp\restart.exe"

C:\Users\Admin\AppData\Local\Temp\restart64.exe

restart64.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f0 0x450

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /R /T

Network

Files

C:\Windows\System32\perfc011.dat

C:\Windows\System32\wbem\Performance\WmiApRpl.h

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

C:\Windows\System32\perfh009.dat

C:\Windows\System32\perfh00C.dat

C:\Windows\System32\perfh011.dat

C:\Windows\System32\perfh010.dat

C:\Windows\System32\perfc010.dat

C:\Windows\System32\perfc00C.dat

C:\Windows\System32\perfh00A.dat

C:\Windows\System32\perfc00A.dat

C:\Windows\System32\perfh007.dat

C:\Windows\System32\perfc007.dat

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\restart64.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\setuperr.log C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
File opened for modification C:\Windows\setupact.log C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\restart64.exe

"C:\Users\Admin\AppData\Local\Temp\restart64.exe"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win10v2004-20240508-en

Max time kernel

70s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\restart64.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WMIADAP.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\restart64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\restart64.exe

"C:\Users\Admin\AppData\Local\Temp\restart64.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x300 0x498

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /R /T

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

C:\Windows\System32\perfc011.dat

C:\Windows\System32\wbem\Performance\WmiApRpl.h

C:\Windows\System32\perfh007.dat

C:\Windows\System32\perfc007.dat

C:\Windows\System32\perfh00A.dat

C:\Windows\System32\perfc00A.dat

C:\Windows\System32\perfh009.dat

C:\Windows\System32\perfh011.dat

C:\Windows\System32\perfh010.dat

C:\Windows\System32\perfc010.dat

C:\Windows\System32\perfh00C.dat

C:\Windows\System32\perfc00C.dat

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win7-20240611-en

Max time kernel

122s

Max time network

123s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cru-1.5.2.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cru-1.5.2.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win10v2004-20240611-en

Max time kernel

115s

Max time network

141s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cru-1.5.2.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cru-1.5.2.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1424,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:8

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CRU.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CRU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CRU.exe

"C:\Users\Admin\AppData\Local\Temp\CRU.exe"

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

memory/1604-0-0x0000000002450000-0x0000000002451000-memory.dmp

memory/1604-1-0x0000000000400000-0x0000000000552000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Info.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Info.txt

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 21:32

Reported

2024-06-13 21:34

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\reset-all.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\reset-all.exe

"C:\Users\Admin\AppData\Local\Temp\reset-all.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8

Network

Files

N/A