1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980

Analysis

max time kernel
134s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2022, 23:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980.exe
Size

1.9MB
MD5

982069735abf3a43795391dbff28a48e
SHA1

bbc9467c17b5dabfd96e01384ec6b27ef04cbb07
SHA256

1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980
SHA512

c4aada82ec6ecc5b59029709fbda8b205e1243737eeab38683e74252bae345c30b23acdb14fa622c500c113c0483075078295b3b28298965a76281d42e0ac5d8
SSDEEP

49152:d9AtclN1BETpmlo+P/ytSHDbfyr4h++f7g0rqRtq9aI+/wO:d9At6Na8ljHDbKchd7guqjIewO

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1140	DiskInfo64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1496-132-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1496-147-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	DiskInfo64.exe
File opened (read-only)	\??\Q:	DiskInfo64.exe
File opened (read-only)	\??\R:	DiskInfo64.exe
File opened (read-only)	\??\Y:	DiskInfo64.exe
File opened (read-only)	\??\Z:	DiskInfo64.exe
File opened (read-only)	\??\F:	DiskInfo64.exe
File opened (read-only)	\??\K:	DiskInfo64.exe
File opened (read-only)	\??\L:	DiskInfo64.exe
File opened (read-only)	\??\P:	DiskInfo64.exe
File opened (read-only)	\??\E:	DiskInfo64.exe
File opened (read-only)	\??\H:	DiskInfo64.exe
File opened (read-only)	\??\I:	DiskInfo64.exe
File opened (read-only)	\??\U:	DiskInfo64.exe
File opened (read-only)	\??\V:	DiskInfo64.exe
File opened (read-only)	\??\W:	DiskInfo64.exe
File opened (read-only)	\??\X:	DiskInfo64.exe
File opened (read-only)	\??\N:	DiskInfo64.exe
File opened (read-only)	\??\S:	DiskInfo64.exe
File opened (read-only)	\??\T:	DiskInfo64.exe
File opened (read-only)	\??\J:	DiskInfo64.exe
File opened (read-only)	\??\M:	DiskInfo64.exe
File opened (read-only)	\??\A:	DiskInfo64.exe
File opened (read-only)	\??\B:	DiskInfo64.exe
File opened (read-only)	\??\G:	DiskInfo64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DiskInfo64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1140	DiskInfo64.exe
1140	DiskInfo64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1140	1496	1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980.exe	78
PID 1496 wrote to memory of 1140	1496	1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980.exe	78

C:\Users\Admin\AppData\Local\Temp\1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980.exe
"C:\Users\Admin\AppData\Local\Temp\1e1b584f956cf2f5c45fae6d859a15e874b75ff0bb37ed8c5185af09287e5980.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\dialog\Graph.html

Filesize
8KB

MD5
1f2f281f50cdefb6794c9c87133b89fb

SHA1
6aaf495b5eba156f3b6d69395a022251f54e8460

SHA256
00ceba3cca57b7ae140f077d6aebb88e172f69b4cc0c8879c5be7f2734a989f8

SHA512
c1d8d99104f0dfc0f3417c6c0a2519ab9508aadecc573b6c338614237d6d91ce03825b4b978a3a9a03272759d7d566d1bc7c60b7742b4f83a8ad1b9d943e906b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\language\English.lang

Filesize
79KB

MD5
094e471e82d830d87fa943ef5ad998f5

SHA1
dfc2679d67623e49ddd1b7e545098e37a1ea23b2

SHA256
c74f644c0fb2ad41b2fc8b9909e7585f7d72cd60d7897ad6dc21044f9581259b

SHA512
9108ba04977cc45b5c947ce58ea9eb8e60c38ba46321c42c4eb69ab3131f5b00c5efd02e5165dcd9ca91e19347fe70b91cf369aa8f6904cf054c6c1056a6d6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\language\Simplified Chinese.lang

Filesize
47KB

MD5
22f6f72de1f229e3d93966e3cf73e276

SHA1
ddf19f25c679c1a1c00d3c078507a457b8752515

SHA256
1db33a25f3b35158dfd0700633bbaf26b63c46d7831c74830a9d2fceadbfc000

SHA512
37c2af7a11056463868fa99a5eea8a20c90ee38077cdf8e1458227ef99d33408d79237b9a003d59546cc266daf3e595f0123f1527e2b8aa40b14196ffd163ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\Background-300.png

Filesize
859B

MD5
6e1b248aadf999ed859629a33e396050

SHA1
a5aad24c174b5b427f8813ede9791ceaa4644f90

SHA256
2711e84f951b486c5dfc718e716f4f0bf80c1dd08260b4b49d77f800770e1171

SHA512
1b38a67ff13c7d03bddca5640143314ffadb65955d51e30ad251718d7d8ad32f99a6a9d49b1eedb6298c6d22a66f18cb324b7fcfd3f7437f2580b441420915cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\diskGood-100.png

Filesize
1KB

MD5
c0e81a6dd776dcedbe2107bcad87bdcd

SHA1
1d1bbc27de9329d287179b36cdcaad1083359ea3

SHA256
41e8e14948103b7ba676fceaccef1f6b4fb08b70ea6f207f4d6fb6aef3f1e71f

SHA512
38b57f9cee97ac10b61a2fe9222c0085b0e6ffe18ac6457963a5a5e21ff5b602350204675f1ff9606c384d5b8484e4588ad9bac9208aeaf0008215c6fae678b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\diskStatusGood-100.png

Filesize
665B

MD5
0abfaef38bc9e297cd79be0f2e691cdd

SHA1
bdf71d8a6d227d1fc858c047855ed3df841e11d4

SHA256
45e84adbec967aa386d4c94c3a33421fff02baaa59ad0c6e5f3ed842efb5abae

SHA512
4fa815d590a6415a03a432da28632063c96620bc0b657c770825759e26a6b11039c2136fe19f96b81b22be54a2e5dc1a880d7ee525cb91abe7e770a033fcf897

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-100.png

Filesize
1KB

MD5
dc3be62f884c9b96af9a3d5b2a937cb6

SHA1
7a06d204ea1bb9130845305face66d7f74efa2e5

SHA256
cb9099db8ccb5d69db902858ebdd0657667fdc4c2ac1b8211b0d2503be18639a

SHA512
2b8163d191793ddda76ce36c08d87b343dd528ca042cfb795a816b96c8d7be90d584a34e4734d217a24ed54db1ce11332108540bd34baa64778f785c0bcd4a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\noDisk-100.png

Filesize
137B

MD5
aca9c4d69b8c4779167452f77f415a9a

SHA1
d40806f8ef1a7cb989dfbe9cfb4b3be717a47292

SHA256
0229291a30857f8ce7499e7f9a6ac30be452419bd5327b98468deba097ae76ee

SHA512
91652e2bdb710a11c25e78a8192c0da52538690e2743ba2f228e29279e0175d02e30ee01e4213b866552c4cf4e8c18ce687da13bd64d4ee554054f2efbc2df8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\preDisk-100.png

Filesize
1KB

MD5
b49a97118724c54530d4c4eaefd729c8

SHA1
102187b9534a2c6359d37b68f9509e0fd227b473

SHA256
4358ec9b50bf01820f6037299941916c196616fa08d8150b57607957cecda485

SHA512
5a5ab0d9cec7aa61b99cb1b3742df2acdadff43cb12dcdc48cfea95eb9479ae4c5673870f2b85560ed3285961837fe0c4eed3e31f1ada33fdcdcd23336dc236c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\temperatureGood-100.png

Filesize
529B

MD5
2d48c03e3e4e9b960eb0c5714aa55db6

SHA1
8d3785b771879702f75c512222396816549ff813

SHA256
a28638b3152f1bf898a2a14570077bfd599fa0a31c67d72856c2ec77dbd56865

SHA512
fe5103e542c9392768dc25fed57a69f5fa5b9a4e60696027f33294c699264a88bbde56763332013906033aba29bd20c17b27fc2d5a373d2b1adcd9f1787f5750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\theme.ini

Filesize
267B

MD5
ec7be8d591e7fc9b16b7700fe78f2d1a

SHA1
a167edd91f9f0bce9b9d93785e683942bd7dbde2

SHA256
2b95db1daf862a5c38c8628fdf941512004bcea7b56b22e44fa52709e57c6ddb

SHA512
d884e807e773bfb48bfe6c26a99ad7e9316bf4aea08bda148e84fd2922064a46696d830b327dee24eb0d8db3ad9e6d93d62f3965e6cd1c64330f5abc5015b8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo.ini

Filesize
329B

MD5
d983249099bce500262fa632baebf218

SHA1
d3bcda5de44b406ec26b6bfd9b3c42d22ec8c39a

SHA256
eb9e821df2dbd7fd1db2088a65bbdec739139850ad00ec50778c0937b3b2f7f6

SHA512
993e6ce6801130fa7f0dd675767a9681aec7cccdf6045c04a23de6b2c0f815bda2ce3376753310dbf8554b0e64b6371ce21a56e2e1d0313399b5c010184794b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe

Filesize
2.7MB

MD5
b8f35b2fde070e7dc23cbbed525030e0

SHA1
af1820c9f8c15376fa31f5fca6b2f96a10f3280b

SHA256
7a2e2110ddb90037e5c6bed266dff7a3b8982dbb35ea0de621494b987a2cb0c9

SHA512
69143e02a76a0f6283884e1effb45cfc7bcd54c85a5f709cf6d8dd2829bf769fa03780ba35d6a379da0d6a2ba945d610e5832adbe8ed8f95d80c4df0308a3733

Download Submit
memory/1496-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1496-147-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads