Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-08-2024 00:37

General

  • Target

    Loader/Monitor Spoof/restart64.exe

  • Size

    73KB

  • MD5

    297aa19bade534a791d053ca190b74ad

  • SHA1

    15cb6a33994f75fe9e30a2afbc8a7e4616b63962

  • SHA256

    5f779bb822aedaf5bd11693cdf73f6c7c3342f37371a78c07c2aca1e15dbfd00

  • SHA512

    df883950c598f31b81f22a68b2a9fed7459dcad5084ec6e39399658b0492bcc458d9fc5bb80fda6bc994bed3241f969fc67a0b8e021fb82b040455d64776c625

  • SSDEEP

    1536:8vXMJl7uRupZzidl/T+Dnx86Rpy4roKsIrryeq3OTM:8vMJl6RAZu/T+7x8qpRM8rNcOTM

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader\Monitor Spoof\restart64.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader\Monitor Spoof\restart64.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1128
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f4 0x470
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1956
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /R /T
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\perfc007.dat

    Filesize

    142KB

    MD5

    1bd26a75846ce780d72b93caffac89f6

    SHA1

    ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

    SHA256

    55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

    SHA512

    4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

  • C:\Windows\System32\perfc00A.dat

    Filesize

    147KB

    MD5

    6d4b430c2abf0ec4ca1909e6e2f097db

    SHA1

    97c330923a6380fe8ea8e440ce2c568594d3fff7

    SHA256

    44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e

    SHA512

    cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

  • C:\Windows\System32\perfc00C.dat

    Filesize

    141KB

    MD5

    6adbb878124fcd6561655718f12bff5f

    SHA1

    1711619dda04178fb47eea6658da6ad52f6cf660

    SHA256

    0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf

    SHA512

    88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

  • C:\Windows\System32\perfc010.dat

    Filesize

    138KB

    MD5

    c0a264734479700068f6e00ef4fd4aa7

    SHA1

    4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd

    SHA256

    71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735

    SHA512

    85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

  • C:\Windows\System32\perfc011.dat

    Filesize

    125KB

    MD5

    eef14d868d4e0c2354c345abc4902445

    SHA1

    173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

    SHA256

    9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

    SHA512

    c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

  • C:\Windows\System32\perfh007.dat

    Filesize

    710KB

    MD5

    82d7f8765db25b313ecf436572dbe840

    SHA1

    da9ed48d5386a1133f878b3e00988cbf4cdebab8

    SHA256

    3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

    SHA512

    59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

  • C:\Windows\System32\perfh009.dat

    Filesize

    680KB

    MD5

    407f4fed9a4510646f33a2869a184de8

    SHA1

    e2e622f36b28057bbfbaee754ab6abac2de04778

    SHA256

    64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615

    SHA512

    1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

  • C:\Windows\System32\perfh00A.dat

    Filesize

    767KB

    MD5

    feb35e575911f5d568fbbfa7d0434412

    SHA1

    e896dfc32b25633322d2e252cfa65520d30677a2

    SHA256

    bf628d6ab769fc710e7eb097ca0132bd88cfbf63bd3aa08e24cd5820594fccf9

    SHA512

    c9544c2cfed9fc11696896cd6d6184f9de0e8e26d3d61cf211449de77d9ec8cac000d3408ccac8baf078a82ed73f735e9f740a00af59a392f14673e2bae056b5

  • C:\Windows\System32\perfh00C.dat

    Filesize

    771KB

    MD5

    099a4cfda7f72958205e2dc897df9d70

    SHA1

    3acf3a8bc62f4acea89fcfc721d0c57822bad6cf

    SHA256

    454dae9e37ca1458c67087f801a7a8a73d73f43c4efb57f64d624c5190662c40

    SHA512

    a531d8767afc2ce8005c9433f430acb27011c7ff41db25a69e70f0433fe6224a8f42c7d95aa3a4680d60c4351f26014e05a7d79d9faba42817a3e700c385750f

  • C:\Windows\System32\perfh010.dat

    Filesize

    760KB

    MD5

    2b41db88b556a31593911ade702a8306

    SHA1

    9820c8ffef6b27fad15badab22408eaf52d58300

    SHA256

    61a5192c872e646050ee10eaef95bbc313fb7ae639b43c1ed3d2040f50cc1186

    SHA512

    0b0c6b8cae683aa645ea2e0285209ac6d82624bfdacdb4e0b92d8118c30fa2fa6def665150b548e4adbee399074f73a961217e6065b05e65919c198efeb424f6

  • C:\Windows\System32\perfh011.dat

    Filesize

    462KB

    MD5

    a8bc9760fe491ad0305212839f5caaaf

    SHA1

    e5aa69598284bc55ef94adcf3745053650179f42

    SHA256

    6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b

    SHA512

    4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

  • C:\Windows\System32\wbem\Performance\WmiApRpl.h

    Filesize

    3KB

    MD5

    b133a676d139032a27de3d9619e70091

    SHA1

    1248aa89938a13640252a79113930ede2f26f1fa

    SHA256

    ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

    SHA512

    c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

  • C:\Windows\System32\wbem\Performance\WmiApRpl.ini

    Filesize

    29KB

    MD5

    ffdeea82ba4a5a65585103dd2a922dfe

    SHA1

    094c3794503245cc7dfa9e222d3504f449a5400b

    SHA256

    c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

    SHA512

    7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a