f4054cff11bed4262ce7f99fd3cb69c3358102cf3543ddc4428742b73745fde9

Analysis

max time kernel
165s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HRSword-main/win7初始化.bat
Size

1KB
MD5

547509b22fe8c715019bd7a278c561c0
SHA1

32d3f64e00e5d37f61f7d3694c3eaf8a1230e8cd
SHA256

253c0ece38ec4b0fa9b22cd2aefcbdc412ea47a44e55c235d09b481d5c596210
SHA512

cd0485ea27b1fa261e309b87c392f94a90a1833b8a48eda64044f41f2e4d226ae32b731882b2ea87637770c3afb0df8fe0b8d5d68cb79a5bafca79f729c3f4db

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\sysdiag.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sysdiag.sys	cmd.exe
File created	C:\Windows\System32\drivers\hrwfpdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hrwfpdrv.sys	cmd.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sysdiag\ImagePath = "system32\\DRIVERS\\sysdiag.sys"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hrwfpdr\ImagePath = "system32\\DRIVERS\\hrwfpdrv.sys"	reg.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3244	sc.exe
2024	sc.exe
240	sc.exe
204	sc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 1704	764	cmd.exe	82
PID 764 wrote to memory of 1704	764	cmd.exe	82
PID 764 wrote to memory of 1232	764	cmd.exe	83
PID 764 wrote to memory of 1232	764	cmd.exe	83
PID 764 wrote to memory of 3616	764	cmd.exe	84
PID 764 wrote to memory of 3616	764	cmd.exe	84
PID 764 wrote to memory of 3632	764	cmd.exe	85
PID 764 wrote to memory of 3632	764	cmd.exe	85
PID 764 wrote to memory of 1244	764	cmd.exe	86
PID 764 wrote to memory of 1244	764	cmd.exe	86
PID 764 wrote to memory of 2260	764	cmd.exe	87
PID 764 wrote to memory of 2260	764	cmd.exe	87
PID 764 wrote to memory of 1936	764	cmd.exe	88
PID 764 wrote to memory of 1936	764	cmd.exe	88
PID 764 wrote to memory of 3244	764	cmd.exe	89
PID 764 wrote to memory of 3244	764	cmd.exe	89
PID 764 wrote to memory of 2024	764	cmd.exe	90
PID 764 wrote to memory of 2024	764	cmd.exe	90
PID 764 wrote to memory of 1600	764	cmd.exe	91
PID 764 wrote to memory of 1600	764	cmd.exe	91
PID 764 wrote to memory of 4596	764	cmd.exe	92
PID 764 wrote to memory of 4596	764	cmd.exe	92
PID 764 wrote to memory of 1356	764	cmd.exe	93
PID 764 wrote to memory of 1356	764	cmd.exe	93
PID 764 wrote to memory of 2188	764	cmd.exe	94
PID 764 wrote to memory of 2188	764	cmd.exe	94
PID 764 wrote to memory of 3028	764	cmd.exe	95
PID 764 wrote to memory of 3028	764	cmd.exe	95
PID 764 wrote to memory of 5056	764	cmd.exe	96
PID 764 wrote to memory of 5056	764	cmd.exe	96
PID 764 wrote to memory of 3444	764	cmd.exe	97
PID 764 wrote to memory of 3444	764	cmd.exe	97
PID 764 wrote to memory of 1184	764	cmd.exe	98
PID 764 wrote to memory of 1184	764	cmd.exe	98
PID 764 wrote to memory of 240	764	cmd.exe	99
PID 764 wrote to memory of 240	764	cmd.exe	99
PID 764 wrote to memory of 204	764	cmd.exe	100
PID 764 wrote to memory of 204	764	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HRSword-main\win7初始化.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\system32\reg.exe
  REG QUERY "HKU\S-1-5-19"
  2⤵
  PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy Drivers\usysdiag.exe "C:\Users\Admin\AppData\Local\Temp\HRSword-main\\" 1>NUL 2>NUL"
  2⤵
  PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy Drivers\sysdiag.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"
  2⤵
  - Drops file in Drivers directory
  PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy Drivers\hrwfpdrv.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"
  2⤵
  - Drops file in Drivers directory
  PID:1936
- C:\Windows\system32\sc.exe
  sc create hrwfpdrv binpath= "C:\Windows\System32\drivers\hrwfpdrv.sys" type= kernel start= demand error= normal
  2⤵
  - Launches sc.exe
  PID:3244
- C:\Windows\system32\sc.exe
  sc create sysdiag binpath= "C:\Windows\System32\drivers\sysdiag.sys" type= kernel start= demand error= normal depend= FltMgr group= "PNP_TDI"
  2⤵
  - Launches sc.exe
  PID:2024
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\sysdiag.sys"
  2⤵
  - Sets service image path in registry
  PID:1600
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\hrwfpdrv.sys"
  2⤵
  - Sets service image path in registry
  PID:4596
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Start" /t reg_dword /d "1"
  2⤵
  PID:1356
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "Start" /t reg_dword /d "1"
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Group" /d "PNP_TDI"
  2⤵
  PID:3028
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances" /f /v "DefaultInstance" /d "sysdiag"
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Altitude" /d "324600"
  2⤵
  PID:3444
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Flags" /t reg_dword /d "0"
  2⤵
  PID:1184
- C:\Windows\system32\sc.exe
  sc start sysdiag
  2⤵
  - Launches sc.exe
  PID:240
- C:\Windows\system32\sc.exe
  sc start hrwfpdrv
  2⤵
  - Launches sc.exe
  PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads