Overview

overview

10

Static

static

10

HWID Bypas...er.url

windows11-21h2-x64

1

HWID Bypas...te.url

windows11-21h2-x64

1

HWID Bypas...or.lnk

windows11-21h2-x64

3

HWID Bypas...te.url

windows11-21h2-x64

1

HWID Bypas...PN.url

windows11-21h2-x64

1

HWID Bypas...Ds.cmd

windows11-21h2-x64

1

HWID Bypas...id.exe

windows11-21h2-x64

1

HWID Bypas...64.exe

windows11-21h2-x64

1

HWID Bypas...Ds.cmd

windows11-21h2-x64

1

HWID Bypas...64.exe

windows11-21h2-x64

1

HWID Bypas...pt.lnk

windows11-21h2-x64

3

HWID Bypas...64.sys

windows11-21h2-x64

1

HWID Bypas...up.exe

windows11-21h2-x64

7

HWID Bypas...2G.url

windows11-21h2-x64

1

HWID Bypas...GA.url

windows11-21h2-x64

1

HWID Bypas...AH.url

windows11-21h2-x64

1

HWID Bypas...RU.exe

windows11-21h2-x64

1

HWID Bypas...ll.exe

windows11-21h2-x64

1

HWID Bypas...rt.exe

windows11-21h2-x64

5

HWID Bypas...64.exe

windows11-21h2-x64

5

HWID Bypas...ew.chm

windows11-21h2-x64

1

HWID Bypas...ew.exe

windows11-21h2-x64

6

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13/06/2024, 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HWID Bypass/STEP 8 - Change Monitor HWID/restart.exe

  • Size

    63KB

  • MD5

    8242ce426ad462eff02edae1487a6949

  • SHA1

    9a4f382d427e0de729053535aaa3310cac5f087b

  • SHA256

    b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a

  • SHA512

    aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

  • SSDEEP

    768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HWID Bypass\STEP 8 - Change Monitor HWID\restart.exe
    "C:\Users\Admin\AppData\Local\Temp\HWID Bypass\STEP 8 - Change Monitor HWID\restart.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Admin\AppData\Local\Temp\HWID Bypass\STEP 8 - Change Monitor HWID\restart64.exe
      restart64.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3608
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004EC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4412
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
      PID:3356
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /R /T
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:1344

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System32\perfc009.dat
      Filesize

      128KB

      MD5

      a9ae270f03cd818fc5ccb1fc114ed0f8

      SHA1

      57cfce4c18c0163fd41652ab89e4c51649eee492

      SHA256

      c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec

      SHA512

      5fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0

      Download Submit

    • C:\Windows\System32\perfh009.dat
      Filesize

      699KB

      MD5

      a89ae42f5a026c19299f9fa3278556cd

      SHA1

      ec0a61aa2b89c9f80c734006446f124530e0f66b

      SHA256

      94ddaf67c6973113ef2992feab11bd2147194541c8c8efc82f7b51e89fc08a25

      SHA512

      fad978dd060c6a507d8be487d8478f4f550c2e3fa440c8b3f90c19771f9e2b0d34ead3fad6f026ea233bbd5ec0f5274b7dc6bab4ea4d090322d4406edd3a836e

      Download Submit

    • C:\Windows\System32\wbem\Performance\WmiApRpl.h
      Filesize

      3KB

      MD5

      b133a676d139032a27de3d9619e70091

      SHA1

      1248aa89938a13640252a79113930ede2f26f1fa

      SHA256

      ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

      SHA512

      c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

      Download Submit

    • C:\Windows\System32\wbem\Performance\WmiApRpl.ini
      Filesize

      29KB

      MD5

      ffdeea82ba4a5a65585103dd2a922dfe

      SHA1

      094c3794503245cc7dfa9e222d3504f449a5400b

      SHA256

      c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

      SHA512

      7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

      Download Submit