Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08/11/2024, 14:57

General

  • Target

    CRU/restart.exe

  • Size

    63KB

  • MD5

    8242ce426ad462eff02edae1487a6949

  • SHA1

    9a4f382d427e0de729053535aaa3310cac5f087b

  • SHA256

    b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a

  • SHA512

    aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

  • SSDEEP

    768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CRU\restart.exe
    "C:\Users\Admin\AppData\Local\Temp\CRU\restart.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\CRU\restart64.exe
      restart64.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:948
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3908
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
    PID:5036
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /R /T
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3308

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\System32\perfc007.dat

            Filesize

            148KB

            MD5

            6e71c59a539ba8c2d46c4c8f478edf8c

            SHA1

            868558341297d83b247f8be13b375541eb58b886

            SHA256

            4e4e1300a939cc5d58d0c6914410d5ad8eaf876571011fa1c6f0ce27bf59822d

            SHA512

            1a86ab970d99430334ba14cc14d75cb902f267e9e15019afcb64400ec6e4335adae3687a5916ccfec5fd0c82c89bfeeac2aed0c6aad693f35e7326f8fb158f9e

          • C:\Windows\System32\perfc00A.dat

            Filesize

            153KB

            MD5

            6c65a113c1d1dcbc5f7603db0134dcb7

            SHA1

            1eb93cc7aeb12860b63129a69b812b694748a816

            SHA256

            53d617778c1ba174c22b47fd2d84035aa28c58bdcab6c3f3224f3777d1d8e7ee

            SHA512

            67c438c141f7d6509db1d0bb17b312b66be8947a623580cc49fcb3000f7e402dda856ab1d422a68bbb25392d00902fef2bd31ce9cc491769205cdd7b31edf605

          • C:\Windows\System32\perfc00C.dat

            Filesize

            147KB

            MD5

            ae40b57742832ddaf4efe6bee70ecb10

            SHA1

            ebc87ac614bdf44249300e73018686da5c31d7e3

            SHA256

            af503f9b58bc5975fc609c95c2edad09adb32c5633859516350546031e05b0ca

            SHA512

            6c875bfabbe94359fe36eb144a5a9828d6c9d20c5999149df0aaacc4c9be748b5b6bab4639c7ef9d7bb4886073771d7b73ea1190dac61b5220c5f852ef101e3c

          • C:\Windows\System32\perfc010.dat

            Filesize

            146KB

            MD5

            856012ea58e361f0f04f88e6fa29ae3a

            SHA1

            8866aca13626d450eb65b12a86fde1cf2ff6d94d

            SHA256

            ba0f96d41b93fc7eeda6bf74a24291d50281ea66c6c1af140c7c527911b2aff9

            SHA512

            8cc8831ef97f0e51dbf17c8f2c2fb74ef82f157fb1735fe1e76b35333d71bcd279394bdc249286a376281f4f5830a7bf92b405ac3dbb0762e84a0780526e9887

          • C:\Windows\System32\perfc011.dat

            Filesize

            126KB

            MD5

            5afbd30597a275ad6d5e98187742c01b

            SHA1

            4e9a82a388532a0fcb3671047504384e040b48a1

            SHA256

            26ee1d72642d1d79b307581e6027a259696d5e3299d9d6685153a68b8c58b61b

            SHA512

            6d2514d6a12809a7db4901b586b57e03b6e5b0cc4ecd1baeb4f5188ca033773f7ca077fa8e8beadcf82724fd16d9136c0fc252a0163b71a0ff0eae3363f2c0cf

          • C:\Windows\System32\perfh007.dat

            Filesize

            724KB

            MD5

            3bd8043ff69087c78cf81f0aa082664f

            SHA1

            c669871201f05f6153dfa3f6a78d4609d818568e

            SHA256

            d1b8be34dfdff53435bcd3f176f7aa9f17aa8f1145c42edee1ed1eec9faf02b2

            SHA512

            a51d2bb5641aaff1ab091a1c331b6e515bb333d2dfa9f09662d35b2315e6fbd14932102167075cd8bdacf7c8f57fe7313f7b1639090070851c2ecf7662384d6d

          • C:\Windows\System32\perfh009.dat

            Filesize

            686KB

            MD5

            efeeda97e31eb12669293d78feaff451

            SHA1

            f3680730a9ed165f49be4a2b1be8477196f15afb

            SHA256

            a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834

            SHA512

            452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2

          • C:\Windows\System32\perfh00A.dat

            Filesize

            770KB

            MD5

            89960dfe2687d730daf52de34d2eb15c

            SHA1

            12f26da7ede572765e1b26cd08753ed39cc62ca6

            SHA256

            26ff30f2296fe28893dbfae42c4a702f7c8935d04ff4a42fb96fc8a92c6f2e5d

            SHA512

            e9d6a576b8aa1eaefd4afff6ee417b0ba6aa58f8b133afe32738e23255bada5c163e2287ff1cef03fe1645088dcd4c2bd6b3bd2364772eec447554bf2072edb2

          • C:\Windows\System32\perfh00C.dat

            Filesize

            772KB

            MD5

            4fa344b5f9b3efdf965f7d9f32abd9ee

            SHA1

            dd884d88f8b0310147a08f66b253d4bec8727c0f

            SHA256

            f7aed0dbe8b5a73416dca6b1cd1024ba31244bbabebe79a90edcda383cb8399d

            SHA512

            1a952aae612a9f72c252b870d121a0c9d52e66e509214ae03f560abacd6a02cc62e39c03753b25e017bdd65905b99f9f67e4e67bb49355dde9b45708324ddb33

          • C:\Windows\System32\perfh010.dat

            Filesize

            772KB

            MD5

            a583c28c05f94a635bd67fee2d905a27

            SHA1

            a4af858c69297cb8a59cade7da6e5a36b43e7548

            SHA256

            c70b892d93e93c37c826ba97459e8fb724e6c5cf6dc2288613430fc59c0c1eb0

            SHA512

            06626f291b69e044e8e44fa46576c0287e4df434cd07b0bdb1b162fed25ddef652e5ad8d08d984f2d7d4c027c8ee032eef485f7269f0a83e11c1fa61f80a5d67

          • C:\Windows\System32\perfh011.dat

            Filesize

            468KB

            MD5

            33cbb4d0e471fd527da2ded235fe9636

            SHA1

            aa9d9b062511eb38a1faf9a740f8fb709b02a7dd

            SHA256

            73174de99ccd45c2a8d818742ed313a55321186162005c0f2567e162954943a5

            SHA512

            a4c17182347bc3c5cce76562f26b27ac62e84c8589dd91d2840a452b6c593656f3d3a2fd5b7f207f32be0f5a0494bc44987fb70e6e8f3a756a0703df20baa93f

          • C:\Windows\System32\wbem\Performance\WmiApRpl.h

            Filesize

            3KB

            MD5

            b133a676d139032a27de3d9619e70091

            SHA1

            1248aa89938a13640252a79113930ede2f26f1fa

            SHA256

            ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

            SHA512

            c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

          • C:\Windows\System32\wbem\Performance\WmiApRpl.ini

            Filesize

            29KB

            MD5

            ffdeea82ba4a5a65585103dd2a922dfe

            SHA1

            094c3794503245cc7dfa9e222d3504f449a5400b

            SHA256

            c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

            SHA512

            7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a