Overview
overview
7Static
static
7velocityty...RU.exe
windows7-x64
1velocityty...RU.exe
windows10-2004-x64
1velocityty...ll.exe
windows7-x64
1velocityty...ll.exe
windows10-2004-x64
1velocityty...rt.exe
windows7-x64
4velocityty...rt.exe
windows10-2004-x64
5velocityty...64.exe
windows7-x64
4velocityty...64.exe
windows10-2004-x64
5velocityty...SO.exe
windows7-x64
7velocityty...SO.exe
windows10-2004-x64
7velocityty...ST.exe
windows7-x64
7velocityty...ST.exe
windows10-2004-x64
7velocityty...ed.exe
windows7-x64
7velocityty...ed.exe
windows10-2004-x64
7velocityty...in.bat
windows7-x64
1velocityty...in.bat
windows10-2004-x64
1velocityty...rl.dll
windows7-x64
1velocityty...rl.dll
windows10-2004-x64
1velocityty...b1.dll
windows7-x64
1velocityty...b1.dll
windows10-2004-x64
1Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-06-2024 17:08
Behavioral task
behavioral1
Sample
velocitytytytyt/Monitor Spoof/CRU.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
velocitytytytyt/Monitor Spoof/CRU.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
velocitytytytyt/Monitor Spoof/reset-all.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
velocitytytytyt/Monitor Spoof/reset-all.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
velocitytytytyt/Monitor Spoof/restart.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
velocitytytytyt/Monitor Spoof/restart.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
velocitytytytyt/Monitor Spoof/restart64.exe
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
velocitytytytyt/Monitor Spoof/restart64.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
velocitytytytyt/RUN ME ALSO.exe
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
velocitytytytyt/RUN ME ALSO.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
velocitytytytyt/RUN ME FIRST.exe
Resource
win7-20240611-en
Behavioral task
behavioral12
Sample
velocitytytytyt/RUN ME FIRST.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
velocitytytytyt/Velo.cc Spoofer_protected.exe
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
velocitytytytyt/Velo.cc Spoofer_protected.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
velocitytytytyt/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
velocitytytytyt/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat
Resource
win10v2004-20240611-en
Behavioral task
behavioral17
Sample
velocitytytytyt/libcurl.dll
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
velocitytytytyt/libcurl.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
velocitytytytyt/zlib1.dll
Resource
win7-20240220-en
Behavioral task
behavioral20
Sample
velocitytytytyt/zlib1.dll
Resource
win10v2004-20240508-en
General
-
Target
velocitytytytyt/Monitor Spoof/restart.exe
-
Size
63KB
-
MD5
8242ce426ad462eff02edae1487a6949
-
SHA1
9a4f382d427e0de729053535aaa3310cac5f087b
-
SHA256
b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
-
SHA512
aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1
-
SSDEEP
768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx
Malware Config
Signatures
-
Drops file in System32 directory 16 IoCs
Processes:
WMIADAP.EXEdescription ioc process File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h WMIADAP.EXE File created C:\Windows\system32\perfc00C.dat WMIADAP.EXE File created C:\Windows\system32\perfh010.dat WMIADAP.EXE File opened for modification C:\Windows\system32\PerfStringBackup.INI WMIADAP.EXE File created C:\Windows\system32\perfc007.dat WMIADAP.EXE File created C:\Windows\system32\perfh007.dat WMIADAP.EXE File created C:\Windows\system32\perfc009.dat WMIADAP.EXE File created C:\Windows\system32\perfc010.dat WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini WMIADAP.EXE File created C:\Windows\system32\perfc00A.dat WMIADAP.EXE File created C:\Windows\system32\perfh011.dat WMIADAP.EXE File created C:\Windows\system32\perfh009.dat WMIADAP.EXE File created C:\Windows\system32\perfh00A.dat WMIADAP.EXE File created C:\Windows\system32\perfh00C.dat WMIADAP.EXE File created C:\Windows\system32\perfc011.dat WMIADAP.EXE File created C:\Windows\system32\PerfStringBackup.TMP WMIADAP.EXE -
Drops file in Windows directory 4 IoCs
Processes:
WMIADAP.EXEdescription ioc process File created C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
restart64.exepid process 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe 4796 restart64.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
restart64.exeAUDIODG.EXEdescription pid process Token: SeLoadDriverPrivilege 4796 restart64.exe Token: SeLoadDriverPrivilege 4796 restart64.exe Token: 33 4092 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4092 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
restart64.exepid process 4796 restart64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
restart.exedescription pid process target process PID 1196 wrote to memory of 4796 1196 restart.exe restart64.exe PID 1196 wrote to memory of 4796 1196 restart.exe restart64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exerestart64.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4796
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x46c 0x2d41⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:81⤵PID:4720
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /R /T1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3964
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142KB
MD51bd26a75846ce780d72b93caffac89f6
SHA1ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA25655b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA5124f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e
-
Filesize
147KB
MD56d4b430c2abf0ec4ca1909e6e2f097db
SHA197c330923a6380fe8ea8e440ce2c568594d3fff7
SHA25644f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e
SHA512cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b
-
Filesize
141KB
MD56adbb878124fcd6561655718f12bff5f
SHA11711619dda04178fb47eea6658da6ad52f6cf660
SHA2560b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf
SHA51288ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006
-
Filesize
138KB
MD5c0a264734479700068f6e00ef4fd4aa7
SHA14e1a8c6a53ea9b54eb76f12d99b1327137a47ebd
SHA25671c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735
SHA51285ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca
-
Filesize
125KB
MD5eef14d868d4e0c2354c345abc4902445
SHA1173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA2569f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee
-
Filesize
710KB
MD582d7f8765db25b313ecf436572dbe840
SHA1da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA2563053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA51259766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8
-
Filesize
680KB
MD5407f4fed9a4510646f33a2869a184de8
SHA1e2e622f36b28057bbfbaee754ab6abac2de04778
SHA25664a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615
SHA5121d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e
-
Filesize
754KB
MD54e62108a0d4a00aa39624f4f941d2595
SHA17fbff1d3ac293c715a303ac37da0ceb12591028b
SHA2563df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263
SHA512c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126
-
Filesize
758KB
MD5b87c7ea0e738fc61eb32a94fbd6c6775
SHA10e730aa70900f623205b93cb1d6e11be4c0d51b5
SHA2566cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0
SHA5124bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d
-
Filesize
747KB
MD577a299c7d27f4e4372cd6c1de0781586
SHA1bb6bf16619da6d0acc30797cd10978bde64892fd
SHA2566699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf
SHA51221fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b
-
Filesize
462KB
MD5a8bc9760fe491ad0305212839f5caaaf
SHA1e5aa69598284bc55ef94adcf3745053650179f42
SHA2566de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b
SHA5124e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13
-
Filesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
Filesize
29KB
MD5ffdeea82ba4a5a65585103dd2a922dfe
SHA1094c3794503245cc7dfa9e222d3504f449a5400b
SHA256c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA5127570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a