Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2024 17:08

General

  • Target

    velocitytytytyt/Monitor Spoof/restart.exe

  • Size

    63KB

  • MD5

    8242ce426ad462eff02edae1487a6949

  • SHA1

    9a4f382d427e0de729053535aaa3310cac5f087b

  • SHA256

    b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a

  • SHA512

    aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

  • SSDEEP

    768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe
    "C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe
      restart64.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4796
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x46c 0x2d4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4092
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
    1⤵
      PID:4720
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /R /T
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3964

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System32\perfc007.dat

      Filesize

      142KB

      MD5

      1bd26a75846ce780d72b93caffac89f6

      SHA1

      ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

      SHA256

      55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

      SHA512

      4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

    • C:\Windows\System32\perfc00A.dat

      Filesize

      147KB

      MD5

      6d4b430c2abf0ec4ca1909e6e2f097db

      SHA1

      97c330923a6380fe8ea8e440ce2c568594d3fff7

      SHA256

      44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e

      SHA512

      cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

    • C:\Windows\System32\perfc00C.dat

      Filesize

      141KB

      MD5

      6adbb878124fcd6561655718f12bff5f

      SHA1

      1711619dda04178fb47eea6658da6ad52f6cf660

      SHA256

      0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf

      SHA512

      88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

    • C:\Windows\System32\perfc010.dat

      Filesize

      138KB

      MD5

      c0a264734479700068f6e00ef4fd4aa7

      SHA1

      4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd

      SHA256

      71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735

      SHA512

      85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

    • C:\Windows\System32\perfc011.dat

      Filesize

      125KB

      MD5

      eef14d868d4e0c2354c345abc4902445

      SHA1

      173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

      SHA256

      9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

      SHA512

      c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

    • C:\Windows\System32\perfh007.dat

      Filesize

      710KB

      MD5

      82d7f8765db25b313ecf436572dbe840

      SHA1

      da9ed48d5386a1133f878b3e00988cbf4cdebab8

      SHA256

      3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

      SHA512

      59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

    • C:\Windows\System32\perfh009.dat

      Filesize

      680KB

      MD5

      407f4fed9a4510646f33a2869a184de8

      SHA1

      e2e622f36b28057bbfbaee754ab6abac2de04778

      SHA256

      64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615

      SHA512

      1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

    • C:\Windows\System32\perfh00A.dat

      Filesize

      754KB

      MD5

      4e62108a0d4a00aa39624f4f941d2595

      SHA1

      7fbff1d3ac293c715a303ac37da0ceb12591028b

      SHA256

      3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263

      SHA512

      c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

    • C:\Windows\System32\perfh00C.dat

      Filesize

      758KB

      MD5

      b87c7ea0e738fc61eb32a94fbd6c6775

      SHA1

      0e730aa70900f623205b93cb1d6e11be4c0d51b5

      SHA256

      6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0

      SHA512

      4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

    • C:\Windows\System32\perfh010.dat

      Filesize

      747KB

      MD5

      77a299c7d27f4e4372cd6c1de0781586

      SHA1

      bb6bf16619da6d0acc30797cd10978bde64892fd

      SHA256

      6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf

      SHA512

      21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b

    • C:\Windows\System32\perfh011.dat

      Filesize

      462KB

      MD5

      a8bc9760fe491ad0305212839f5caaaf

      SHA1

      e5aa69598284bc55ef94adcf3745053650179f42

      SHA256

      6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b

      SHA512

      4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

    • C:\Windows\System32\wbem\Performance\WmiApRpl.h

      Filesize

      3KB

      MD5

      b133a676d139032a27de3d9619e70091

      SHA1

      1248aa89938a13640252a79113930ede2f26f1fa

      SHA256

      ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

      SHA512

      c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

    • C:\Windows\System32\wbem\Performance\WmiApRpl.ini

      Filesize

      29KB

      MD5

      ffdeea82ba4a5a65585103dd2a922dfe

      SHA1

      094c3794503245cc7dfa9e222d3504f449a5400b

      SHA256

      c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

      SHA512

      7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a