Overview
overview
8Static
static
HRSword-ma...rv.exe
windows7-x64
HRSword-ma...rv.exe
windows10-2004-x64
HRSword-ma...10.exe
windows7-x64
HRSword-ma...10.exe
windows10-2004-x64
HRSword-ma...ag.exe
windows7-x64
HRSword-ma...ag.exe
windows10-2004-x64
HRSword-ma...10.exe
windows7-x64
HRSword-ma...10.exe
windows10-2004-x64
HRSword-ma...ag.exe
windows7-x64
1HRSword-ma...ag.exe
windows10-2004-x64
1HRSword-ma...ib.dll
windows7-x64
3HRSword-ma...ib.dll
windows10-2004-x64
3HRSword-ma...rd.exe
windows7-x64
1HRSword-ma...rd.exe
windows10-2004-x64
1HRSword-ma...or.dll
windows7-x64
1HRSword-ma...or.dll
windows10-2004-x64
1HRSword-ma...on.dll
windows7-x64
3HRSword-ma...on.dll
windows10-2004-x64
3HRSword-ma...cs.dll
windows7-x64
1HRSword-ma...cs.dll
windows10-2004-x64
1HRSword-ma...se.dll
windows7-x64
1HRSword-ma...se.dll
windows10-2004-x64
1HRSword-ma...ot.dll
windows7-x64
1HRSword-ma...ot.dll
windows10-2004-x64
1HRSword-ma...on.dll
windows7-x64
1HRSword-ma...on.dll
windows10-2004-x64
1HRSword-ma...ag.dll
windows7-x64
1HRSword-ma...ag.dll
windows10-2004-x64
1HRSword-ma...��.bat
windows7-x64
8HRSword-ma...��.bat
windows10-2004-x64
8HRSword-ma...��.bat
windows7-x64
8HRSword-ma...��.bat
windows10-2004-x64
8Analysis
-
max time kernel
43s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11-10-2022 07:32
Static task
static1
Behavioral task
behavioral1
Sample
HRSword-main/Drivers/hrwfpdrv.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
HRSword-main/Drivers/hrwfpdrv.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HRSword-main/Drivers/hrwfpdrv_win10.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
HRSword-main/Drivers/hrwfpdrv_win10.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
HRSword-main/Drivers/sysdiag.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral6
Sample
HRSword-main/Drivers/sysdiag.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
HRSword-main/Drivers/sysdiag_win10.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
HRSword-main/Drivers/sysdiag_win10.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
HRSword-main/Drivers/usysdiag.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
HRSword-main/Drivers/usysdiag.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
HRSword-main/DuiLib.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
HRSword-main/DuiLib.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
HRSword-main/HRSword.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
HRSword-main/HRSword.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
HRSword-main/behavior.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
HRSword-main/behavior.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
HRSword-main/daemon.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
HRSword-main/daemon.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
HRSword-main/libcodecs.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral20
Sample
HRSword-main/libcodecs.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
HRSword-main/libxsse.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral22
Sample
HRSword-main/libxsse.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
HRSword-main/selfprot.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral24
Sample
HRSword-main/selfprot.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
HRSword-main/uactmon.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
HRSword-main/uactmon.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
HRSword-main/usysdiag.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
HRSword-main/usysdiag.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
HRSword-main/win10初始化.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
HRSword-main/win10初始化.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
HRSword-main/win7初始化.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
HRSword-main/win7初始化.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
HRSword-main/win7初始化.bat
-
Size
1KB
-
MD5
547509b22fe8c715019bd7a278c561c0
-
SHA1
32d3f64e00e5d37f61f7d3694c3eaf8a1230e8cd
-
SHA256
253c0ece38ec4b0fa9b22cd2aefcbdc412ea47a44e55c235d09b481d5c596210
-
SHA512
cd0485ea27b1fa261e309b87c392f94a90a1833b8a48eda64044f41f2e4d226ae32b731882b2ea87637770c3afb0df8fe0b8d5d68cb79a5bafca79f729c3f4db
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\hrwfpdrv.sys cmd.exe File created C:\Windows\System32\drivers\sysdiag.sys cmd.exe File opened for modification C:\Windows\System32\drivers\sysdiag.sys cmd.exe File created C:\Windows\System32\drivers\hrwfpdrv.sys cmd.exe -
Sets service image path in registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sysdiag\ImagePath = "system32\\DRIVERS\\sysdiag.sys" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hrwfpdr\ImagePath = "system32\\DRIVERS\\hrwfpdrv.sys" reg.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 612 sc.exe 1372 sc.exe 1988 sc.exe 1760 sc.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 464 Process not Found 464 Process not Found -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 1028 wrote to memory of 964 1028 cmd.exe 28 PID 1028 wrote to memory of 964 1028 cmd.exe 28 PID 1028 wrote to memory of 964 1028 cmd.exe 28 PID 1028 wrote to memory of 832 1028 cmd.exe 29 PID 1028 wrote to memory of 832 1028 cmd.exe 29 PID 1028 wrote to memory of 832 1028 cmd.exe 29 PID 1028 wrote to memory of 1220 1028 cmd.exe 30 PID 1028 wrote to memory of 1220 1028 cmd.exe 30 PID 1028 wrote to memory of 1220 1028 cmd.exe 30 PID 1028 wrote to memory of 1980 1028 cmd.exe 31 PID 1028 wrote to memory of 1980 1028 cmd.exe 31 PID 1028 wrote to memory of 1980 1028 cmd.exe 31 PID 1028 wrote to memory of 2024 1028 cmd.exe 32 PID 1028 wrote to memory of 2024 1028 cmd.exe 32 PID 1028 wrote to memory of 2024 1028 cmd.exe 32 PID 1028 wrote to memory of 2036 1028 cmd.exe 33 PID 1028 wrote to memory of 2036 1028 cmd.exe 33 PID 1028 wrote to memory of 2036 1028 cmd.exe 33 PID 1028 wrote to memory of 1732 1028 cmd.exe 34 PID 1028 wrote to memory of 1732 1028 cmd.exe 34 PID 1028 wrote to memory of 1732 1028 cmd.exe 34 PID 1028 wrote to memory of 1988 1028 cmd.exe 35 PID 1028 wrote to memory of 1988 1028 cmd.exe 35 PID 1028 wrote to memory of 1988 1028 cmd.exe 35 PID 1028 wrote to memory of 1760 1028 cmd.exe 36 PID 1028 wrote to memory of 1760 1028 cmd.exe 36 PID 1028 wrote to memory of 1760 1028 cmd.exe 36 PID 1028 wrote to memory of 1108 1028 cmd.exe 37 PID 1028 wrote to memory of 1108 1028 cmd.exe 37 PID 1028 wrote to memory of 1108 1028 cmd.exe 37 PID 1028 wrote to memory of 1212 1028 cmd.exe 38 PID 1028 wrote to memory of 1212 1028 cmd.exe 38 PID 1028 wrote to memory of 1212 1028 cmd.exe 38 PID 1028 wrote to memory of 1716 1028 cmd.exe 39 PID 1028 wrote to memory of 1716 1028 cmd.exe 39 PID 1028 wrote to memory of 1716 1028 cmd.exe 39 PID 1028 wrote to memory of 1976 1028 cmd.exe 40 PID 1028 wrote to memory of 1976 1028 cmd.exe 40 PID 1028 wrote to memory of 1976 1028 cmd.exe 40 PID 1028 wrote to memory of 1712 1028 cmd.exe 41 PID 1028 wrote to memory of 1712 1028 cmd.exe 41 PID 1028 wrote to memory of 1712 1028 cmd.exe 41 PID 1028 wrote to memory of 824 1028 cmd.exe 42 PID 1028 wrote to memory of 824 1028 cmd.exe 42 PID 1028 wrote to memory of 824 1028 cmd.exe 42 PID 1028 wrote to memory of 1348 1028 cmd.exe 43 PID 1028 wrote to memory of 1348 1028 cmd.exe 43 PID 1028 wrote to memory of 1348 1028 cmd.exe 43 PID 1028 wrote to memory of 1808 1028 cmd.exe 44 PID 1028 wrote to memory of 1808 1028 cmd.exe 44 PID 1028 wrote to memory of 1808 1028 cmd.exe 44 PID 1028 wrote to memory of 612 1028 cmd.exe 45 PID 1028 wrote to memory of 612 1028 cmd.exe 45 PID 1028 wrote to memory of 612 1028 cmd.exe 45 PID 1028 wrote to memory of 1372 1028 cmd.exe 46 PID 1028 wrote to memory of 1372 1028 cmd.exe 46 PID 1028 wrote to memory of 1372 1028 cmd.exe 46
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\HRSword-main\win7初始化.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\system32\reg.exeREG QUERY "HKU\S-1-5-19"2⤵PID:964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\usysdiag.exe "C:\Users\Admin\AppData\Local\Temp\HRSword-main\\" 1>NUL 2>NUL"2⤵PID:1220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\sysdiag.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"2⤵
- Drops file in Drivers directory
PID:2024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:2036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\hrwfpdrv.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"2⤵
- Drops file in Drivers directory
PID:1732
-
-
C:\Windows\system32\sc.exesc create hrwfpdrv binpath= "C:\Windows\System32\drivers\hrwfpdrv.sys" type= kernel start= demand error= normal2⤵
- Launches sc.exe
PID:1988
-
-
C:\Windows\system32\sc.exesc create sysdiag binpath= "C:\Windows\System32\drivers\sysdiag.sys" type= kernel start= demand error= normal depend= FltMgr group= "PNP_TDI"2⤵
- Launches sc.exe
PID:1760
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\sysdiag.sys"2⤵
- Sets service image path in registry
PID:1108
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\hrwfpdrv.sys"2⤵
- Sets service image path in registry
PID:1212
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Start" /t reg_dword /d "1"2⤵PID:1716
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "Start" /t reg_dword /d "1"2⤵PID:1976
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Group" /d "PNP_TDI"2⤵PID:1712
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances" /f /v "DefaultInstance" /d "sysdiag"2⤵PID:824
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Altitude" /d "324600"2⤵PID:1348
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Flags" /t reg_dword /d "0"2⤵PID:1808
-
-
C:\Windows\system32\sc.exesc start sysdiag2⤵
- Launches sc.exe
PID:612
-
-
C:\Windows\system32\sc.exesc start hrwfpdrv2⤵
- Launches sc.exe
PID:1372
-