Malware Analysis Report

2024-10-16 06:54

Sample ID 240616-vnjfbszfrf
Target Velocc Permanent Spoofer v5.rar
SHA256 c6fb597368ddc8bbd2f5190499e4af824b050c2a1665a35327c6c1f968826df6
Tags
discovery themida persistence
score
7/10

Analysis Overview

score
7/10

SHA256

c6fb597368ddc8bbd2f5190499e4af824b050c2a1665a35327c6c1f968826df6

Threat Level: Shows suspicious behavior

The file Velocc Permanent Spoofer v5.rar was found to show suspicious behavior.

Malicious Activity Summary

discovery themida persistence

Executes dropped EXE

Themida packer

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 17:08

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240611-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WMIADAP.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x8c 0x3fc

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /R /T

Network

Files

C:\Windows\System32\perfc011.dat

C:\Windows\System32\wbem\Performance\WmiApRpl.h

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

C:\Windows\System32\perfh007.dat

C:\Windows\System32\perfc007.dat

C:\Windows\System32\perfh00C.dat

C:\Windows\System32\perfc00C.dat

C:\Windows\System32\perfh011.dat

C:\Windows\System32\perfh010.dat

C:\Windows\System32\perfc010.dat

C:\Windows\System32\perfh00A.dat

C:\Windows\System32\perfc00A.dat

C:\Windows\System32\perfh009.dat

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe N/A

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe"

C:\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe

"C:\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Network

N/A

Files

\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe

\Windows\Temp\{A53D535B-1BEC-43B5-BAF5-4A1730102169}\.ba\wixstdba.dll

C:\Windows\Temp\{A53D535B-1BEC-43B5-BAF5-4A1730102169}\.ba\logo.png

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240611-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe"

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe"

Network

N/A

Files

memory/2248-1-0x0000000140000000-0x0000000140CA5000-memory.dmp

memory/2248-0-0x0000000140000000-0x0000000140CA5000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\zlib1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 764 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 764 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\zlib1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 764 -s 80

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240611-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

memory/2984-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2984-1-0x0000000000400000-0x0000000000552000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET589F.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET589F.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET58B0.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET58B0.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe"

C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe

"C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe" -burn.filehandle.attached=528 -burn.filehandle.self=696

Network

Files

C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe

C:\Windows\Temp\{4EEDA182-F10A-4E75-9E39-B9F33E5373E7}\.ba\wixstdba.dll

C:\Windows\Temp\{4EEDA182-F10A-4E75-9E39-B9F33E5373E7}\.ba\logo.png

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Wifi & Bluetooth disabler\Disabler_Run_Admin.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Wifi & Bluetooth disabler\Disabler_Run_Admin.bat"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe"

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4596 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Files

memory/1432-0-0x0000000140000000-0x0000000140CA5000-memory.dmp

memory/1432-1-0x0000000140000000-0x0000000140CA5000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\libcurl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\libcurl.dll,#1

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\zlib1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\zlib1.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Files

memory/1300-0-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/1300-1-0x0000000000400000-0x0000000000552000-memory.dmp

memory/1300-2-0x0000000000400000-0x0000000000552000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A
File opened for modification C:\Windows\setupact.log C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe

restart64.exe

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe

restart64.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x46c 0x2d4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /R /T

Network

Country Destination Domain Proto
US 184.30.249.239:80 tcp
NL 52.142.223.178:80 tcp

Files

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 ffdeea82ba4a5a65585103dd2a922dfe
SHA1 094c3794503245cc7dfa9e222d3504f449a5400b
SHA256 c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA512 7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

C:\Windows\System32\perfc011.dat

MD5 eef14d868d4e0c2354c345abc4902445
SHA1 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA256 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512 c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512 c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

C:\Windows\System32\perfh00A.dat

MD5 4e62108a0d4a00aa39624f4f941d2595
SHA1 7fbff1d3ac293c715a303ac37da0ceb12591028b
SHA256 3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263
SHA512 c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

C:\Windows\System32\perfc00A.dat

MD5 6d4b430c2abf0ec4ca1909e6e2f097db
SHA1 97c330923a6380fe8ea8e440ce2c568594d3fff7
SHA256 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e
SHA512 cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

C:\Windows\System32\perfh009.dat

MD5 407f4fed9a4510646f33a2869a184de8
SHA1 e2e622f36b28057bbfbaee754ab6abac2de04778
SHA256 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615
SHA512 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

C:\Windows\System32\perfh007.dat

MD5 82d7f8765db25b313ecf436572dbe840
SHA1 da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA256 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA512 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

C:\Windows\System32\perfc007.dat

MD5 1bd26a75846ce780d72b93caffac89f6
SHA1 ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA256 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA512 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

C:\Windows\System32\perfh00C.dat

MD5 b87c7ea0e738fc61eb32a94fbd6c6775
SHA1 0e730aa70900f623205b93cb1d6e11be4c0d51b5
SHA256 6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0
SHA512 4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

C:\Windows\System32\perfc00C.dat

MD5 6adbb878124fcd6561655718f12bff5f
SHA1 1711619dda04178fb47eea6658da6ad52f6cf660
SHA256 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf
SHA512 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

C:\Windows\System32\perfh010.dat

MD5 77a299c7d27f4e4372cd6c1de0781586
SHA1 bb6bf16619da6d0acc30797cd10978bde64892fd
SHA256 6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf
SHA512 21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b

C:\Windows\System32\perfc010.dat

MD5 c0a264734479700068f6e00ef4fd4aa7
SHA1 4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd
SHA256 71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735
SHA512 85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

C:\Windows\System32\perfh011.dat

MD5 a8bc9760fe491ad0305212839f5caaaf
SHA1 e5aa69598284bc55ef94adcf3745053650179f42
SHA256 6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b
SHA512 4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240220-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A
File opened for modification | C:\Windows\setupact.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A
File opened for modification | C:\Windows\setuperr.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe"

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240611-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET23E5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File created | C:\Windows\SysWOW64\directx\websetup\SET23E5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET23F6.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File created | C:\Windows\SysWOW64\directx\websetup\SET23F6.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\security\logs\scecomp.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe

"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

MD5 ac3a5f7be8cd13a863b50ab5fe00b71c
SHA1 eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
SHA256 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
SHA512 c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

MD5 ad8982eaa02c7ad4d7cdcbc248caa941
SHA1 4ccd8e038d73a5361d754c7598ed238fc040d16b
SHA256 d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
SHA512 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

MD5 984cad22fa542a08c5d22941b888d8dc
SHA1 3e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA256 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA512 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

MD5 a5412a144f63d639b47fcc1ba68cb029
SHA1 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA256 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA512 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

95s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Wifi & Bluetooth disabler\Disabler_Run_Admin.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Wifi & Bluetooth disabler\Disabler_Run_Admin.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-16 17:08

Reported

2024-06-16 17:11

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\libcurl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\libcurl.dll,#1

Network

N/A

Files

N/A