f4054cff11bed4262ce7f99fd3cb69c3358102cf3543ddc4428742b73745fde9

Analysis

max time kernel
161s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HRSword-main/win10初始化.bat
Size

1KB
MD5

5b53acdf4ec5d7362e3c5f355cfde55f
SHA1

8f4af3169478d310f4329b6198833685f08625cf
SHA256

55d308565b647c2633c34b57eee58294579ee029949023a454171bb5e65668ba
SHA512

c1cb9bcfa382774f071c7cd3aaecbc84ea7725c324f66f748ad9ca26e5f7cef02c7311edd043a897a4a66cd7874e725fd7975e1e1e9b475e2efc28648c3a2211

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\sysdiag_win10.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sysdiag_win10.sys	cmd.exe
File created	C:\Windows\System32\drivers\hrwfpdrv_win10.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hrwfpdrv_win10.sys	cmd.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sysdiag\ImagePath = "system32\\DRIVERS\\sysdiag_win10.sys"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hrwfpdr\ImagePath = "system32\\DRIVERS\\hrwfpdrv_win10.sys"	reg.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5056	sc.exe
112	sc.exe
2488	sc.exe
2356	sc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 5064	4532	cmd.exe	84
PID 4532 wrote to memory of 5064	4532	cmd.exe	84
PID 4532 wrote to memory of 3892	4532	cmd.exe	86
PID 4532 wrote to memory of 3892	4532	cmd.exe	86
PID 4532 wrote to memory of 2972	4532	cmd.exe	87
PID 4532 wrote to memory of 2972	4532	cmd.exe	87
PID 4532 wrote to memory of 1584	4532	cmd.exe	88
PID 4532 wrote to memory of 1584	4532	cmd.exe	88
PID 4532 wrote to memory of 1356	4532	cmd.exe	89
PID 4532 wrote to memory of 1356	4532	cmd.exe	89
PID 4532 wrote to memory of 4248	4532	cmd.exe	90
PID 4532 wrote to memory of 4248	4532	cmd.exe	90
PID 4532 wrote to memory of 3296	4532	cmd.exe	91
PID 4532 wrote to memory of 3296	4532	cmd.exe	91
PID 4532 wrote to memory of 5056	4532	cmd.exe	92
PID 4532 wrote to memory of 5056	4532	cmd.exe	92
PID 4532 wrote to memory of 112	4532	cmd.exe	93
PID 4532 wrote to memory of 112	4532	cmd.exe	93
PID 4532 wrote to memory of 228	4532	cmd.exe	94
PID 4532 wrote to memory of 228	4532	cmd.exe	94
PID 4532 wrote to memory of 5000	4532	cmd.exe	95
PID 4532 wrote to memory of 5000	4532	cmd.exe	95
PID 4532 wrote to memory of 1444	4532	cmd.exe	96
PID 4532 wrote to memory of 1444	4532	cmd.exe	96
PID 4532 wrote to memory of 3108	4532	cmd.exe	97
PID 4532 wrote to memory of 3108	4532	cmd.exe	97
PID 4532 wrote to memory of 3176	4532	cmd.exe	98
PID 4532 wrote to memory of 3176	4532	cmd.exe	98
PID 4532 wrote to memory of 4660	4532	cmd.exe	99
PID 4532 wrote to memory of 4660	4532	cmd.exe	99
PID 4532 wrote to memory of 3052	4532	cmd.exe	100
PID 4532 wrote to memory of 3052	4532	cmd.exe	100
PID 4532 wrote to memory of 3340	4532	cmd.exe	101
PID 4532 wrote to memory of 3340	4532	cmd.exe	101
PID 4532 wrote to memory of 2488	4532	cmd.exe	102
PID 4532 wrote to memory of 2488	4532	cmd.exe	102
PID 4532 wrote to memory of 2356	4532	cmd.exe	103
PID 4532 wrote to memory of 2356	4532	cmd.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HRSword-main\win10初始化.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\system32\reg.exe
  REG QUERY "HKU\S-1-5-19"
  2⤵
  PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy Drivers\usysdiag.exe "C:\Users\Admin\AppData\Local\Temp\HRSword-main\\" 1>NUL 2>NUL"
  2⤵
  PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy Drivers\sysdiag_win10.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"
  2⤵
  - Drops file in Drivers directory
  PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy Drivers\hrwfpdrv_win10.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"
  2⤵
  - Drops file in Drivers directory
  PID:3296
- C:\Windows\system32\sc.exe
  sc create hrwfpdrv binpath= "C:\Windows\System32\drivers\hrwfpdrv.sys" type= kernel start= demand error= normal
  2⤵
  - Launches sc.exe
  PID:5056
- C:\Windows\system32\sc.exe
  sc create sysdiag binpath= "C:\Windows\System32\drivers\sysdiag.sys" type= kernel start= demand error= normal depend= FltMgr group= "PNP_TDI"
  2⤵
  - Launches sc.exe
  PID:112
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\sysdiag_win10.sys"
  2⤵
  - Sets service image path in registry
  PID:228
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\hrwfpdrv_win10.sys"
  2⤵
  - Sets service image path in registry
  PID:5000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Start" /t reg_dword /d "1"
  2⤵
  PID:1444
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "Start" /t reg_dword /d "1"
  2⤵
  PID:3108
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Group" /d "PNP_TDI"
  2⤵
  PID:3176
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances" /f /v "DefaultInstance" /d "sysdiag"
  2⤵
  PID:4660
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Altitude" /d "324600"
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Flags" /t reg_dword /d "0"
  2⤵
  PID:3340
- C:\Windows\system32\sc.exe
  sc start sysdiag
  2⤵
  - Launches sc.exe
  PID:2488
- C:\Windows\system32\sc.exe
  sc start hrwfpdrv
  2⤵
  - Launches sc.exe
  PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...