Malware Analysis Report

2025-01-02 12:05

Sample ID 221119-pdg7maah38
Target 9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a
SHA256 9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a
Tags
upx bazarbackdoor backdoor bootkit persistence
score
10/10

Analysis Overview

score
10/10

SHA256

9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a

Threat Level: Known bad

The file 9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a was found to be: Known bad.

Malicious Activity Summary

upx bazarbackdoor backdoor bootkit persistence

BazarBackdoor

Bazar/Team9 Backdoor payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-19 12:12

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-19 12:12

Reported

2022-11-19 12:17

Platform

win7-20221111-en

Max time kernel

151s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1508 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Windows\system32\cmd.exe
PID 1508 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Windows\system32\cmd.exe
PID 1508 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Windows\system32\cmd.exe
PID 1508 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp
PID 1508 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp
PID 1508 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp
PID 1508 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe
PID 1508 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe
PID 1508 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe

"C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~614510119051466356~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7683691749526359237"

C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\~7683691749526359237\DiskGenius.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-19 12:12

Reported

2022-11-19 12:17

Platform

win10v2004-20221111-en

Max time kernel

202s

Max time network

241s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~1692987073956872566~\sg.tmp | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\~1692987073956872566~\sg.tmp | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~1692987073956872566~\sg.tmp | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~1692987073956872566~\sg.tmp | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe

"C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~1692987073956872566~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\9372104ec9a78ada0d13de64f68a55e7b42857bc1da6b778f59071039e1f1b9a.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~111493598103716447"

C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\~111493598103716447\DiskGenius.exe"

Network

Country | Destination | Domain | Proto
N/A | 104.80.225.205:443 | | tcp
N/A | 51.132.193.104:443 | | tcp
N/A | 87.248.202.1:80 | | tcp
N/A | 87.248.202.1:80 | | tcp
N/A | 87.248.202.1:80 | | tcp

Files
