Overview
overview
7Static
static
3Loader/Mon...RU.exe
windows7-x64
3Loader/Mon...RU.exe
windows10-2004-x64
3Loader/Mon...ll.exe
windows7-x64
3Loader/Mon...ll.exe
windows10-2004-x64
3Loader/Mon...rt.exe
windows7-x64
4Loader/Mon...rt.exe
windows10-2004-x64
5Loader/Mon...64.exe
windows7-x64
4Loader/Mon...64.exe
windows10-2004-x64
5Loader/RUN...SO.exe
windows7-x64
7Loader/RUN...SO.exe
windows10-2004-x64
7Loader/RUN...ST.exe
windows7-x64
7Loader/RUN...ST.exe
windows10-2004-x64
7Loader/Sec...64.dll
windows7-x64
1Loader/Sec...64.dll
windows10-2004-x64
1Loader/libcurl.dll
windows7-x64
1Loader/libcurl.dll
windows10-2004-x64
1Loader/spoofer.exe
windows7-x64
1Loader/spoofer.exe
windows10-2004-x64
7Loader/zlib1.dll
windows7-x64
1Loader/zlib1.dll
windows10-2004-x64
1Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-08-2024 00:37
Static task
static1
Behavioral task
behavioral1
Sample
Loader/Monitor Spoof/CRU.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Loader/Monitor Spoof/CRU.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Loader/Monitor Spoof/reset-all.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Loader/Monitor Spoof/reset-all.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Loader/Monitor Spoof/restart.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
Loader/Monitor Spoof/restart.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Loader/Monitor Spoof/restart64.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
Loader/Monitor Spoof/restart64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Loader/RUN ME ALSO.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
Loader/RUN ME ALSO.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Loader/RUN ME FIRST.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
Loader/RUN ME FIRST.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Loader/SecureEngineSDK64.dll
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
Loader/SecureEngineSDK64.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Loader/libcurl.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
Loader/libcurl.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Loader/spoofer.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
Loader/spoofer.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Loader/zlib1.dll
Resource
win7-20240704-en
Behavioral task
behavioral20
Sample
Loader/zlib1.dll
Resource
win10v2004-20240802-en
General
-
Target
Loader/Monitor Spoof/restart64.exe
-
Size
73KB
-
MD5
297aa19bade534a791d053ca190b74ad
-
SHA1
15cb6a33994f75fe9e30a2afbc8a7e4616b63962
-
SHA256
5f779bb822aedaf5bd11693cdf73f6c7c3342f37371a78c07c2aca1e15dbfd00
-
SHA512
df883950c598f31b81f22a68b2a9fed7459dcad5084ec6e39399658b0492bcc458d9fc5bb80fda6bc994bed3241f969fc67a0b8e021fb82b040455d64776c625
-
SSDEEP
1536:8vXMJl7uRupZzidl/T+Dnx86Rpy4roKsIrryeq3OTM:8vMJl6RAZu/T+7x8qpRM8rNcOTM
Malware Config
Signatures
-
Drops file in System32 directory 16 IoCs
description ioc Process File created C:\Windows\system32\perfh007.dat WMIADAP.EXE File created C:\Windows\system32\perfh009.dat WMIADAP.EXE File created C:\Windows\system32\perfh00C.dat WMIADAP.EXE File created C:\Windows\system32\PerfStringBackup.TMP WMIADAP.EXE File created C:\Windows\system32\perfc00A.dat WMIADAP.EXE File created C:\Windows\system32\perfh010.dat WMIADAP.EXE File created C:\Windows\system32\perfc011.dat WMIADAP.EXE File opened for modification C:\Windows\system32\PerfStringBackup.INI WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h WMIADAP.EXE File created C:\Windows\system32\perfc007.dat WMIADAP.EXE File created C:\Windows\system32\perfh00A.dat WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini WMIADAP.EXE File created C:\Windows\system32\perfc009.dat WMIADAP.EXE File created C:\Windows\system32\perfc00C.dat WMIADAP.EXE File created C:\Windows\system32\perfc010.dat WMIADAP.EXE File created C:\Windows\system32\perfh011.dat WMIADAP.EXE -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini WMIADAP.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe 1128 restart64.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeLoadDriverPrivilege 1128 restart64.exe Token: SeLoadDriverPrivilege 1128 restart64.exe Token: 33 1956 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1956 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1128 restart64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader\Monitor Spoof\restart64.exe"C:\Users\Admin\AppData\Local\Temp\Loader\Monitor Spoof\restart64.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1128
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x4701⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /R /T1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1532
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142KB
MD51bd26a75846ce780d72b93caffac89f6
SHA1ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA25655b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA5124f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e
-
Filesize
147KB
MD56d4b430c2abf0ec4ca1909e6e2f097db
SHA197c330923a6380fe8ea8e440ce2c568594d3fff7
SHA25644f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e
SHA512cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b
-
Filesize
141KB
MD56adbb878124fcd6561655718f12bff5f
SHA11711619dda04178fb47eea6658da6ad52f6cf660
SHA2560b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf
SHA51288ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006
-
Filesize
138KB
MD5c0a264734479700068f6e00ef4fd4aa7
SHA14e1a8c6a53ea9b54eb76f12d99b1327137a47ebd
SHA25671c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735
SHA51285ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca
-
Filesize
125KB
MD5eef14d868d4e0c2354c345abc4902445
SHA1173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA2569f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee
-
Filesize
710KB
MD582d7f8765db25b313ecf436572dbe840
SHA1da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA2563053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA51259766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8
-
Filesize
680KB
MD5407f4fed9a4510646f33a2869a184de8
SHA1e2e622f36b28057bbfbaee754ab6abac2de04778
SHA25664a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615
SHA5121d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e
-
Filesize
767KB
MD5feb35e575911f5d568fbbfa7d0434412
SHA1e896dfc32b25633322d2e252cfa65520d30677a2
SHA256bf628d6ab769fc710e7eb097ca0132bd88cfbf63bd3aa08e24cd5820594fccf9
SHA512c9544c2cfed9fc11696896cd6d6184f9de0e8e26d3d61cf211449de77d9ec8cac000d3408ccac8baf078a82ed73f735e9f740a00af59a392f14673e2bae056b5
-
Filesize
771KB
MD5099a4cfda7f72958205e2dc897df9d70
SHA13acf3a8bc62f4acea89fcfc721d0c57822bad6cf
SHA256454dae9e37ca1458c67087f801a7a8a73d73f43c4efb57f64d624c5190662c40
SHA512a531d8767afc2ce8005c9433f430acb27011c7ff41db25a69e70f0433fe6224a8f42c7d95aa3a4680d60c4351f26014e05a7d79d9faba42817a3e700c385750f
-
Filesize
760KB
MD52b41db88b556a31593911ade702a8306
SHA19820c8ffef6b27fad15badab22408eaf52d58300
SHA25661a5192c872e646050ee10eaef95bbc313fb7ae639b43c1ed3d2040f50cc1186
SHA5120b0c6b8cae683aa645ea2e0285209ac6d82624bfdacdb4e0b92d8118c30fa2fa6def665150b548e4adbee399074f73a961217e6065b05e65919c198efeb424f6
-
Filesize
462KB
MD5a8bc9760fe491ad0305212839f5caaaf
SHA1e5aa69598284bc55ef94adcf3745053650179f42
SHA2566de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b
SHA5124e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13
-
Filesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
Filesize
29KB
MD5ffdeea82ba4a5a65585103dd2a922dfe
SHA1094c3794503245cc7dfa9e222d3504f449a5400b
SHA256c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA5127570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a