fc672a41e4f1925d1f66ce262321b7f80267996786a58c2bc749b8d69582c8e9

Analysis

max time kernel
23s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hwmonitor_1.44.exe
Size

1.3MB
MD5

82b9fecfcfeac82b1e8d8f04ad085162
SHA1

da9cc1945785f9b708f038c2362830d756d75a21
SHA256

fc672a41e4f1925d1f66ce262321b7f80267996786a58c2bc749b8d69582c8e9
SHA512

7a532930d1c34c3a5c953647da6daa68f1bb83befc2db3c4694726d6ee22f467b6a8b89226e73cc4c1265d557dce0c327183a6cebc62bfcba0cc7ec0848d3f6a
SSDEEP

24576:gyIevssPWcAfFJfsYpQXapK3O6g9isKA0k38PIrsOxMuBRUo:gyQsuc0PsYcg9dZX/1ao

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1872	hwmonitor_1.44.tmp

Loads dropped DLL 8 IoCs

pid	Process
1884	hwmonitor_1.44.exe
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\CPUID\HWMonitor\unins000.dat	hwmonitor_1.44.tmp
File opened for modification	C:\Program Files\CPUID\HWMonitor\HWMonitor.exe	hwmonitor_1.44.tmp
File created	C:\Program Files\CPUID\HWMonitor\unins000.dat	hwmonitor_1.44.tmp
File created	C:\Program Files\CPUID\HWMonitor\is-NVG37.tmp	hwmonitor_1.44.tmp
File created	C:\Program Files\CPUID\HWMonitor\is-2BFP0.tmp	hwmonitor_1.44.tmp
File created	C:\Program Files\CPUID\HWMonitor\is-P8FI6.tmp	hwmonitor_1.44.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp
1872	hwmonitor_1.44.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1872	1884	hwmonitor_1.44.exe	27
PID 1884 wrote to memory of 1872	1884	hwmonitor_1.44.exe	27
PID 1884 wrote to memory of 1872	1884	hwmonitor_1.44.exe	27
PID 1884 wrote to memory of 1872	1884	hwmonitor_1.44.exe	27
PID 1884 wrote to memory of 1872	1884	hwmonitor_1.44.exe	27
PID 1884 wrote to memory of 1872	1884	hwmonitor_1.44.exe	27
PID 1884 wrote to memory of 1872	1884	hwmonitor_1.44.exe	27
PID 1872 wrote to memory of 776	1872	hwmonitor_1.44.tmp	29
PID 1872 wrote to memory of 776	1872	hwmonitor_1.44.tmp	29
PID 1872 wrote to memory of 776	1872	hwmonitor_1.44.tmp	29
PID 1872 wrote to memory of 776	1872	hwmonitor_1.44.tmp	29

C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.44.exe
"C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.44.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\is-TVTSA.tmp\hwmonitor_1.44.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TVTSA.tmp\hwmonitor_1.44.tmp" /SL5="$60122,1149014,58368,C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.44.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\CPUID\HWMonitor\hwm_readme.txt
    3⤵
    PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CPUID\HWMonitor\hwm_readme.txt

Filesize
5KB

MD5
df5739663f0d3d54ed67f8963714b81e

SHA1
95d14fd86354e8c430b3cbc661e415839caa717c

SHA256
907f15f0cb58c1cba580d9e0609635058024066b7937c6c9d2a44c1293d36a29

SHA512
201dc8a559895a28f72122d2449f31ebc7deca7b218b08cdf9659f12558dccc2c441de358948864dfec3040b33a236f3a69334b582f3700200476af171c9ba35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TVTSA.tmp\hwmonitor_1.44.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TVTSA.tmp\hwmonitor_1.44.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
\Program Files\CPUID\HWMonitor\HWMonitor.exe

Filesize
2.5MB

MD5
a5e059f2860ed3e5e05f0b3f51b778cd

SHA1
039db66d2ed233af882ac197fddee47f50419f64

SHA256
7a4c753635c528e4708171032eb3b6ffbf7bb5c777c843dd81f26d8df28b4645

SHA512
59dd344321d67379272d3bb4e8ff567762867e2c9d62a9de4310222b8406f069b781a6540eeb792689b7ce65da2f2c989425cb06b862d3e896c290236d5f0984

Download Submit
\Program Files\CPUID\HWMonitor\HWMonitor.exe

Filesize
2.5MB

MD5
a5e059f2860ed3e5e05f0b3f51b778cd

SHA1
039db66d2ed233af882ac197fddee47f50419f64

SHA256
7a4c753635c528e4708171032eb3b6ffbf7bb5c777c843dd81f26d8df28b4645

SHA512
59dd344321d67379272d3bb4e8ff567762867e2c9d62a9de4310222b8406f069b781a6540eeb792689b7ce65da2f2c989425cb06b862d3e896c290236d5f0984

Download Submit
\Program Files\CPUID\HWMonitor\HWMonitor.exe

Filesize
2.5MB

MD5
a5e059f2860ed3e5e05f0b3f51b778cd

SHA1
039db66d2ed233af882ac197fddee47f50419f64

SHA256
7a4c753635c528e4708171032eb3b6ffbf7bb5c777c843dd81f26d8df28b4645

SHA512
59dd344321d67379272d3bb4e8ff567762867e2c9d62a9de4310222b8406f069b781a6540eeb792689b7ce65da2f2c989425cb06b862d3e896c290236d5f0984

Download Submit
\Program Files\CPUID\HWMonitor\HWMonitor.exe

Filesize
2.5MB

MD5
a5e059f2860ed3e5e05f0b3f51b778cd

SHA1
039db66d2ed233af882ac197fddee47f50419f64

SHA256
7a4c753635c528e4708171032eb3b6ffbf7bb5c777c843dd81f26d8df28b4645

SHA512
59dd344321d67379272d3bb4e8ff567762867e2c9d62a9de4310222b8406f069b781a6540eeb792689b7ce65da2f2c989425cb06b862d3e896c290236d5f0984

Download Submit
\Program Files\CPUID\HWMonitor\HWMonitor.exe

Filesize
2.5MB

MD5
a5e059f2860ed3e5e05f0b3f51b778cd

SHA1
039db66d2ed233af882ac197fddee47f50419f64

SHA256
7a4c753635c528e4708171032eb3b6ffbf7bb5c777c843dd81f26d8df28b4645

SHA512
59dd344321d67379272d3bb4e8ff567762867e2c9d62a9de4310222b8406f069b781a6540eeb792689b7ce65da2f2c989425cb06b862d3e896c290236d5f0984

Download Submit
\Program Files\CPUID\HWMonitor\HWMonitor.exe

Filesize
2.5MB

MD5
a5e059f2860ed3e5e05f0b3f51b778cd

SHA1
039db66d2ed233af882ac197fddee47f50419f64

SHA256
7a4c753635c528e4708171032eb3b6ffbf7bb5c777c843dd81f26d8df28b4645

SHA512
59dd344321d67379272d3bb4e8ff567762867e2c9d62a9de4310222b8406f069b781a6540eeb792689b7ce65da2f2c989425cb06b862d3e896c290236d5f0984

Download Submit
\Program Files\CPUID\HWMonitor\unins000.exe

Filesize
713KB

MD5
71af240219d3ab64e88771b32b49a389

SHA1
f1fb98cf3f222cfae2a08d374e05203d03cbc103

SHA256
9d9646faf3da6ea03fad24a430d5a5fe4a6cae0e26d4437faeb2c33e527b5d51

SHA512
4c65edeb46f17b3145491013a4aebfc48280465e9cd4579660fc1a4290404c1069698bb7d95a05bf0285de2eb59f005ba19323e4a46baf633bb23d26898c0f0e

Download Submit
\Users\Admin\AppData\Local\Temp\is-TVTSA.tmp\hwmonitor_1.44.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/1872-62-0x00000000741E1000-0x00000000741E3000-memory.dmp

Filesize
8KB

Download
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1884-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1884-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1884-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download