Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
HRSword-ma...rv.exe
windows7-x64
HRSword-ma...rv.exe
windows10-2004-x64
HRSword-ma...10.exe
windows7-x64
HRSword-ma...10.exe
windows10-2004-x64
HRSword-ma...ag.exe
windows7-x64
HRSword-ma...ag.exe
windows10-2004-x64
HRSword-ma...10.exe
windows7-x64
HRSword-ma...10.exe
windows10-2004-x64
HRSword-ma...ag.exe
windows7-x64
1HRSword-ma...ag.exe
windows10-2004-x64
1HRSword-ma...ib.dll
windows7-x64
3HRSword-ma...ib.dll
windows10-2004-x64
3HRSword-ma...rd.exe
windows7-x64
1HRSword-ma...rd.exe
windows10-2004-x64
1HRSword-ma...or.dll
windows7-x64
1HRSword-ma...or.dll
windows10-2004-x64
1HRSword-ma...on.dll
windows7-x64
3HRSword-ma...on.dll
windows10-2004-x64
3HRSword-ma...cs.dll
windows7-x64
1HRSword-ma...cs.dll
windows10-2004-x64
1HRSword-ma...se.dll
windows7-x64
1HRSword-ma...se.dll
windows10-2004-x64
1HRSword-ma...ot.dll
windows7-x64
1HRSword-ma...ot.dll
windows10-2004-x64
1HRSword-ma...on.dll
windows7-x64
1HRSword-ma...on.dll
windows10-2004-x64
1HRSword-ma...ag.dll
windows7-x64
1HRSword-ma...ag.dll
windows10-2004-x64
1HRSword-ma...��.bat
windows7-x64
8HRSword-ma...��.bat
windows10-2004-x64
8HRSword-ma...��.bat
windows7-x64
8HRSword-ma...��.bat
windows10-2004-x64
8Analysis
-
max time kernel
41s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11/10/2022, 07:32
Static task
static1
Behavioral task
behavioral1
Sample
HRSword-main/Drivers/hrwfpdrv.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
HRSword-main/Drivers/hrwfpdrv.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HRSword-main/Drivers/hrwfpdrv_win10.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
HRSword-main/Drivers/hrwfpdrv_win10.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
HRSword-main/Drivers/sysdiag.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral6
Sample
HRSword-main/Drivers/sysdiag.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
HRSword-main/Drivers/sysdiag_win10.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
HRSword-main/Drivers/sysdiag_win10.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
HRSword-main/Drivers/usysdiag.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
HRSword-main/Drivers/usysdiag.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
HRSword-main/DuiLib.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
HRSword-main/DuiLib.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
HRSword-main/HRSword.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
HRSword-main/HRSword.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
HRSword-main/behavior.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
HRSword-main/behavior.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
HRSword-main/daemon.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
HRSword-main/daemon.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
HRSword-main/libcodecs.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral20
Sample
HRSword-main/libcodecs.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
HRSword-main/libxsse.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral22
Sample
HRSword-main/libxsse.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
HRSword-main/selfprot.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral24
Sample
HRSword-main/selfprot.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
HRSword-main/uactmon.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
HRSword-main/uactmon.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
HRSword-main/usysdiag.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
HRSword-main/usysdiag.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
HRSword-main/win10初始化.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
HRSword-main/win10初始化.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
HRSword-main/win7初始化.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
HRSword-main/win7初始化.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
HRSword-main/win10初始化.bat
-
Size
1KB
-
MD5
5b53acdf4ec5d7362e3c5f355cfde55f
-
SHA1
8f4af3169478d310f4329b6198833685f08625cf
-
SHA256
55d308565b647c2633c34b57eee58294579ee029949023a454171bb5e65668ba
-
SHA512
c1cb9bcfa382774f071c7cd3aaecbc84ea7725c324f66f748ad9ca26e5f7cef02c7311edd043a897a4a66cd7874e725fd7975e1e1e9b475e2efc28648c3a2211
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Drops file in Drivers directory 4 IoCs
description ioc Process File created C:\Windows\System32\drivers\hrwfpdrv_win10.sys cmd.exe File opened for modification C:\Windows\System32\drivers\hrwfpdrv_win10.sys cmd.exe File created C:\Windows\System32\drivers\sysdiag_win10.sys cmd.exe File opened for modification C:\Windows\System32\drivers\sysdiag_win10.sys cmd.exe -
Sets service image path in registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sysdiag\ImagePath = "system32\\DRIVERS\\sysdiag_win10.sys" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hrwfpdr\ImagePath = "system32\\DRIVERS\\hrwfpdrv_win10.sys" reg.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 800 sc.exe 388 sc.exe 1064 sc.exe 432 sc.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 464 Process not Found 464 Process not Found -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 1416 wrote to memory of 1740 1416 cmd.exe 28 PID 1416 wrote to memory of 1740 1416 cmd.exe 28 PID 1416 wrote to memory of 1740 1416 cmd.exe 28 PID 1416 wrote to memory of 1708 1416 cmd.exe 29 PID 1416 wrote to memory of 1708 1416 cmd.exe 29 PID 1416 wrote to memory of 1708 1416 cmd.exe 29 PID 1416 wrote to memory of 1032 1416 cmd.exe 30 PID 1416 wrote to memory of 1032 1416 cmd.exe 30 PID 1416 wrote to memory of 1032 1416 cmd.exe 30 PID 1416 wrote to memory of 744 1416 cmd.exe 31 PID 1416 wrote to memory of 744 1416 cmd.exe 31 PID 1416 wrote to memory of 744 1416 cmd.exe 31 PID 1416 wrote to memory of 1212 1416 cmd.exe 32 PID 1416 wrote to memory of 1212 1416 cmd.exe 32 PID 1416 wrote to memory of 1212 1416 cmd.exe 32 PID 1416 wrote to memory of 1868 1416 cmd.exe 33 PID 1416 wrote to memory of 1868 1416 cmd.exe 33 PID 1416 wrote to memory of 1868 1416 cmd.exe 33 PID 1416 wrote to memory of 1876 1416 cmd.exe 34 PID 1416 wrote to memory of 1876 1416 cmd.exe 34 PID 1416 wrote to memory of 1876 1416 cmd.exe 34 PID 1416 wrote to memory of 800 1416 cmd.exe 35 PID 1416 wrote to memory of 800 1416 cmd.exe 35 PID 1416 wrote to memory of 800 1416 cmd.exe 35 PID 1416 wrote to memory of 388 1416 cmd.exe 36 PID 1416 wrote to memory of 388 1416 cmd.exe 36 PID 1416 wrote to memory of 388 1416 cmd.exe 36 PID 1416 wrote to memory of 2032 1416 cmd.exe 37 PID 1416 wrote to memory of 2032 1416 cmd.exe 37 PID 1416 wrote to memory of 2032 1416 cmd.exe 37 PID 1416 wrote to memory of 812 1416 cmd.exe 38 PID 1416 wrote to memory of 812 1416 cmd.exe 38 PID 1416 wrote to memory of 812 1416 cmd.exe 38 PID 1416 wrote to memory of 344 1416 cmd.exe 39 PID 1416 wrote to memory of 344 1416 cmd.exe 39 PID 1416 wrote to memory of 344 1416 cmd.exe 39 PID 1416 wrote to memory of 984 1416 cmd.exe 40 PID 1416 wrote to memory of 984 1416 cmd.exe 40 PID 1416 wrote to memory of 984 1416 cmd.exe 40 PID 1416 wrote to memory of 1188 1416 cmd.exe 41 PID 1416 wrote to memory of 1188 1416 cmd.exe 41 PID 1416 wrote to memory of 1188 1416 cmd.exe 41 PID 1416 wrote to memory of 1016 1416 cmd.exe 42 PID 1416 wrote to memory of 1016 1416 cmd.exe 42 PID 1416 wrote to memory of 1016 1416 cmd.exe 42 PID 1416 wrote to memory of 680 1416 cmd.exe 43 PID 1416 wrote to memory of 680 1416 cmd.exe 43 PID 1416 wrote to memory of 680 1416 cmd.exe 43 PID 1416 wrote to memory of 928 1416 cmd.exe 44 PID 1416 wrote to memory of 928 1416 cmd.exe 44 PID 1416 wrote to memory of 928 1416 cmd.exe 44 PID 1416 wrote to memory of 1064 1416 cmd.exe 45 PID 1416 wrote to memory of 1064 1416 cmd.exe 45 PID 1416 wrote to memory of 1064 1416 cmd.exe 45 PID 1416 wrote to memory of 432 1416 cmd.exe 46 PID 1416 wrote to memory of 432 1416 cmd.exe 46 PID 1416 wrote to memory of 432 1416 cmd.exe 46
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\HRSword-main\win10初始化.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\system32\reg.exeREG QUERY "HKU\S-1-5-19"2⤵PID:1740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:1708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\usysdiag.exe "C:\Users\Admin\AppData\Local\Temp\HRSword-main\\" 1>NUL 2>NUL"2⤵PID:1032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\sysdiag_win10.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"2⤵
- Drops file in Drivers directory
PID:1212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\hrwfpdrv_win10.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"2⤵
- Drops file in Drivers directory
PID:1876
-
-
C:\Windows\system32\sc.exesc create hrwfpdrv binpath= "C:\Windows\System32\drivers\hrwfpdrv.sys" type= kernel start= demand error= normal2⤵
- Launches sc.exe
PID:800
-
-
C:\Windows\system32\sc.exesc create sysdiag binpath= "C:\Windows\System32\drivers\sysdiag.sys" type= kernel start= demand error= normal depend= FltMgr group= "PNP_TDI"2⤵
- Launches sc.exe
PID:388
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\sysdiag_win10.sys"2⤵
- Sets service image path in registry
PID:2032
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\hrwfpdrv_win10.sys"2⤵
- Sets service image path in registry
PID:812
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Start" /t reg_dword /d "1"2⤵PID:344
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "Start" /t reg_dword /d "1"2⤵PID:984
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Group" /d "PNP_TDI"2⤵PID:1188
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances" /f /v "DefaultInstance" /d "sysdiag"2⤵PID:1016
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Altitude" /d "324600"2⤵PID:680
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Flags" /t reg_dword /d "0"2⤵PID:928
-
-
C:\Windows\system32\sc.exesc start sysdiag2⤵
- Launches sc.exe
PID:1064
-
-
C:\Windows\system32\sc.exesc start hrwfpdrv2⤵
- Launches sc.exe
PID:432
-