Overview

overview

9

Static

static

9

tox tweaki...or.exe

windows11-21h2-x64

1

tox tweaki...or.exe

windows11-21h2-x64

1

tox tweaki...CK.exe

windows11-21h2-x64

9

tox tweaki...ew.exe

windows11-21h2-x64

6

tox tweaki...up.exe

windows11-21h2-x64

1

tox tweaki...8.appx

windows11-21h2-x64

1

Microsoft.UI.Xaml.dll

windows11-21h2-x64

1

Microsoft.UI.Xaml.dll

windows11-21h2-x64

1

tox tweaki...up.exe

windows11-21h2-x64

8

tox tweaki...LG.exe

windows11-21h2-x64

1

tox tweaki...el.exe

windows11-21h2-x64

1

tox tweaki...un.exe

windows11-21h2-x64

3

Export.bat

windows11-21h2-x64

1

Import.bat

windows11-21h2-x64

1

SCEWIN_64.exe

windows11-21h2-x64

1

amifldrv64.sys

windows11-21h2-x64

1

amigendrv64.sys

windows11-21h2-x64

1

tox tweaki...64.exe

windows11-21h2-x64

1

tox tweaki...CL.exe

windows11-21h2-x64

1

tox tweaki...64.exe

windows11-21h2-x64

7

tox tweaki...64.sys

windows11-21h2-x64

1

tox tweaki...64.sys

windows11-21h2-x64

1

tox tweaki...vc.exe

windows11-21h2-x64

1

CRU/CRU.exe

windows11-21h2-x64

3

CRU/reset-all.exe

windows11-21h2-x64

3

CRU/restart.exe

windows11-21h2-x64

5

CRU/restart64.exe

windows11-21h2-x64

5

tox tweaki...on.exe

windows11-21h2-x64

1

Export.bat

windows11-21h2-x64

3

tox tweaki...ll.exe

windows11-21h2-x64

7

tox tweaki...xp.exe

windows11-21h2-x64

8

tox tweaki...tr.exe

windows11-21h2-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-11-2024 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CRU/restart.exe

  • Size

    63KB

  • MD5

    8242ce426ad462eff02edae1487a6949

  • SHA1

    9a4f382d427e0de729053535aaa3310cac5f087b

  • SHA256

    b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a

  • SHA512

    aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

  • SSDEEP

    768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx

Score
5/10
discovery

Malware Config

Signatures

  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CRU\restart.exe
    "C:\Users\Admin\AppData\Local\Temp\CRU\restart.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\CRU\restart64.exe
      restart64.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:948
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3908
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
      PID:5036
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /R /T
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3308

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System32\perfc007.dat
      Filesize

      148KB

      MD5

      6e71c59a539ba8c2d46c4c8f478edf8c

      SHA1

      868558341297d83b247f8be13b375541eb58b886

      SHA256

      4e4e1300a939cc5d58d0c6914410d5ad8eaf876571011fa1c6f0ce27bf59822d

      SHA512

      1a86ab970d99430334ba14cc14d75cb902f267e9e15019afcb64400ec6e4335adae3687a5916ccfec5fd0c82c89bfeeac2aed0c6aad693f35e7326f8fb158f9e

      Download Submit

    • C:\Windows\System32\perfc00A.dat
      Filesize

      153KB

      MD5

      6c65a113c1d1dcbc5f7603db0134dcb7

      SHA1

      1eb93cc7aeb12860b63129a69b812b694748a816

      SHA256

      53d617778c1ba174c22b47fd2d84035aa28c58bdcab6c3f3224f3777d1d8e7ee

      SHA512

      67c438c141f7d6509db1d0bb17b312b66be8947a623580cc49fcb3000f7e402dda856ab1d422a68bbb25392d00902fef2bd31ce9cc491769205cdd7b31edf605

      Download Submit

    • C:\Windows\System32\perfc00C.dat
      Filesize

      147KB

      MD5

      ae40b57742832ddaf4efe6bee70ecb10

      SHA1

      ebc87ac614bdf44249300e73018686da5c31d7e3

      SHA256

      af503f9b58bc5975fc609c95c2edad09adb32c5633859516350546031e05b0ca

      SHA512

      6c875bfabbe94359fe36eb144a5a9828d6c9d20c5999149df0aaacc4c9be748b5b6bab4639c7ef9d7bb4886073771d7b73ea1190dac61b5220c5f852ef101e3c

      Download Submit

    • C:\Windows\System32\perfc010.dat
      Filesize

      146KB

      MD5

      856012ea58e361f0f04f88e6fa29ae3a

      SHA1

      8866aca13626d450eb65b12a86fde1cf2ff6d94d

      SHA256

      ba0f96d41b93fc7eeda6bf74a24291d50281ea66c6c1af140c7c527911b2aff9

      SHA512

      8cc8831ef97f0e51dbf17c8f2c2fb74ef82f157fb1735fe1e76b35333d71bcd279394bdc249286a376281f4f5830a7bf92b405ac3dbb0762e84a0780526e9887

      Download Submit

    • C:\Windows\System32\perfc011.dat
      Filesize

      126KB

      MD5

      5afbd30597a275ad6d5e98187742c01b

      SHA1

      4e9a82a388532a0fcb3671047504384e040b48a1

      SHA256

      26ee1d72642d1d79b307581e6027a259696d5e3299d9d6685153a68b8c58b61b

      SHA512

      6d2514d6a12809a7db4901b586b57e03b6e5b0cc4ecd1baeb4f5188ca033773f7ca077fa8e8beadcf82724fd16d9136c0fc252a0163b71a0ff0eae3363f2c0cf

      Download Submit

    • C:\Windows\System32\perfh007.dat
      Filesize

      724KB

      MD5

      3bd8043ff69087c78cf81f0aa082664f

      SHA1

      c669871201f05f6153dfa3f6a78d4609d818568e

      SHA256

      d1b8be34dfdff53435bcd3f176f7aa9f17aa8f1145c42edee1ed1eec9faf02b2

      SHA512

      a51d2bb5641aaff1ab091a1c331b6e515bb333d2dfa9f09662d35b2315e6fbd14932102167075cd8bdacf7c8f57fe7313f7b1639090070851c2ecf7662384d6d

      Download Submit

    • C:\Windows\System32\perfh009.dat
      Filesize

      686KB

      MD5

      efeeda97e31eb12669293d78feaff451

      SHA1

      f3680730a9ed165f49be4a2b1be8477196f15afb

      SHA256

      a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834

      SHA512

      452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2

      Download Submit

    • C:\Windows\System32\perfh00A.dat
      Filesize

      770KB

      MD5

      89960dfe2687d730daf52de34d2eb15c

      SHA1

      12f26da7ede572765e1b26cd08753ed39cc62ca6

      SHA256

      26ff30f2296fe28893dbfae42c4a702f7c8935d04ff4a42fb96fc8a92c6f2e5d

      SHA512

      e9d6a576b8aa1eaefd4afff6ee417b0ba6aa58f8b133afe32738e23255bada5c163e2287ff1cef03fe1645088dcd4c2bd6b3bd2364772eec447554bf2072edb2

      Download Submit

    • C:\Windows\System32\perfh00C.dat
      Filesize

      772KB

      MD5

      4fa344b5f9b3efdf965f7d9f32abd9ee

      SHA1

      dd884d88f8b0310147a08f66b253d4bec8727c0f

      SHA256

      f7aed0dbe8b5a73416dca6b1cd1024ba31244bbabebe79a90edcda383cb8399d

      SHA512

      1a952aae612a9f72c252b870d121a0c9d52e66e509214ae03f560abacd6a02cc62e39c03753b25e017bdd65905b99f9f67e4e67bb49355dde9b45708324ddb33

      Download Submit

    • C:\Windows\System32\perfh010.dat
      Filesize

      772KB

      MD5

      a583c28c05f94a635bd67fee2d905a27

      SHA1

      a4af858c69297cb8a59cade7da6e5a36b43e7548

      SHA256

      c70b892d93e93c37c826ba97459e8fb724e6c5cf6dc2288613430fc59c0c1eb0

      SHA512

      06626f291b69e044e8e44fa46576c0287e4df434cd07b0bdb1b162fed25ddef652e5ad8d08d984f2d7d4c027c8ee032eef485f7269f0a83e11c1fa61f80a5d67

      Download Submit

    • C:\Windows\System32\perfh011.dat
      Filesize

      468KB

      MD5

      33cbb4d0e471fd527da2ded235fe9636

      SHA1

      aa9d9b062511eb38a1faf9a740f8fb709b02a7dd

      SHA256

      73174de99ccd45c2a8d818742ed313a55321186162005c0f2567e162954943a5

      SHA512

      a4c17182347bc3c5cce76562f26b27ac62e84c8589dd91d2840a452b6c593656f3d3a2fd5b7f207f32be0f5a0494bc44987fb70e6e8f3a756a0703df20baa93f

      Download Submit

    • C:\Windows\System32\wbem\Performance\WmiApRpl.h
      Filesize

      3KB

      MD5

      b133a676d139032a27de3d9619e70091

      SHA1

      1248aa89938a13640252a79113930ede2f26f1fa

      SHA256

      ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

      SHA512

      c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

      Download Submit

    • C:\Windows\System32\wbem\Performance\WmiApRpl.ini
      Filesize

      29KB

      MD5

      ffdeea82ba4a5a65585103dd2a922dfe

      SHA1

      094c3794503245cc7dfa9e222d3504f449a5400b

      SHA256

      c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

      SHA512

      7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

      Download Submit