Analysis Overview
SHA256
c92e4255a897d6d97295724e5934a5315238a63bb8e0b8b320c5f9b21eb0f531
Threat Level: Likely benign
The file cru-1.5.2.zip was found to be: Likely benign.
Malicious Activity Summary
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 21:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win7-20240419-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRU.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CRU.exe
"C:\Users\Admin\AppData\Local\Temp\CRU.exe"
Network
Files
memory/2936-0-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2936-1-0x0000000000400000-0x0000000000552000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Info.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win7-20240611-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\reset-all.exe
"C:\Users\Admin\AppData\Local\Temp\reset-all.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win7-20240508-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
| File opened for modification | C:\Windows\setupact.log | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
| File opened for modification | C:\Windows\setuperr.log | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1688 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\restart.exe | C:\Users\Admin\AppData\Local\Temp\restart64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\restart.exe
"C:\Users\Admin\AppData\Local\Temp\restart.exe"
C:\Users\Admin\AppData\Local\Temp\restart64.exe
restart64.exe
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win10v2004-20240508-en
Max time kernel
70s
Max time network
54s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\restart.exe | C:\Users\Admin\AppData\Local\Temp\restart64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\restart.exe
"C:\Users\Admin\AppData\Local\Temp\restart.exe"
C:\Users\Admin\AppData\Local\Temp\restart64.exe
restart64.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0 0x450
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\setuperr.log | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
| File opened for modification | C:\Windows\setupact.log | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\restart64.exe
"C:\Users\Admin\AppData\Local\Temp\restart64.exe"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win10v2004-20240508-en
Max time kernel
70s
Max time network
56s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\restart64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\restart64.exe
"C:\Users\Admin\AppData\Local\Temp\restart64.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x498
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win7-20240611-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cru-1.5.2.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win10v2004-20240611-en
Max time kernel
115s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cru-1.5.2.zip
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1424,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:8
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win10v2004-20240508-en
Max time kernel
79s
Max time network
106s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CRU.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CRU.exe
"C:\Users\Admin\AppData\Local\Temp\CRU.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
Files
memory/1604-0-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1604-1-0x0000000000400000-0x0000000000552000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Info.txt
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 21:32
Reported
2024-06-13 21:34
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
130s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\reset-all.exe
"C:\Users\Admin\AppData\Local\Temp\reset-all.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
Network