53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29

Analysis

max time kernel
134s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2023, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29.exe
Size

2.8MB
MD5

427cbdaf708b4fb597a993d379023a7b
SHA1

3c1db2bc2fae45c95a78df54d5c463f2e8095cda
SHA256

53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29
SHA512

78a0dafcb1b9c93cf3b5f91028a1b146ba6b73284bce995abf6e20b984045f530e548d7617dd2dcca06d3751767f625dc9b4d4eac0ea7d7c969d82fb8495ef54
SSDEEP

49152:Rvofmdo+h5x6KV1wvc33BoY/Cmw+9prbesdZxKCo4YJ9hVNvsgStM5qFfziaT:Rvofmdo8x6KV4cxpqmwkJesdbU4+hHkN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29.exe

Executes dropped EXE 1 IoCs

pid	Process
4900	DiskInfo64.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	DiskInfo64.exe
File opened (read-only)	\??\O:	DiskInfo64.exe
File opened (read-only)	\??\T:	DiskInfo64.exe
File opened (read-only)	\??\U:	DiskInfo64.exe
File opened (read-only)	\??\W:	DiskInfo64.exe
File opened (read-only)	\??\Z:	DiskInfo64.exe
File opened (read-only)	\??\A:	DiskInfo64.exe
File opened (read-only)	\??\M:	DiskInfo64.exe
File opened (read-only)	\??\N:	DiskInfo64.exe
File opened (read-only)	\??\Q:	DiskInfo64.exe
File opened (read-only)	\??\S:	DiskInfo64.exe
File opened (read-only)	\??\X:	DiskInfo64.exe
File opened (read-only)	\??\B:	DiskInfo64.exe
File opened (read-only)	\??\E:	DiskInfo64.exe
File opened (read-only)	\??\F:	DiskInfo64.exe
File opened (read-only)	\??\G:	DiskInfo64.exe
File opened (read-only)	\??\J:	DiskInfo64.exe
File opened (read-only)	\??\L:	DiskInfo64.exe
File opened (read-only)	\??\P:	DiskInfo64.exe
File opened (read-only)	\??\R:	DiskInfo64.exe
File opened (read-only)	\??\H:	DiskInfo64.exe
File opened (read-only)	\??\I:	DiskInfo64.exe
File opened (read-only)	\??\V:	DiskInfo64.exe
File opened (read-only)	\??\Y:	DiskInfo64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DiskInfo64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4900	DiskInfo64.exe
4900	DiskInfo64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4900	4984	53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29.exe	80
PID 4984 wrote to memory of 4900	4984	53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29.exe	80

C:\Users\Admin\AppData\Local\Temp\53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29.exe
"C:\Users\Admin\AppData\Local\Temp\53e52b4a938eb421cbb5d336f049be3bdd4688b645863a1880e55c5748eeea29.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe" %SfxVarCmdLine0%
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\dialog\Graph.html

Filesize
8KB

MD5
1f2f281f50cdefb6794c9c87133b89fb

SHA1
6aaf495b5eba156f3b6d69395a022251f54e8460

SHA256
00ceba3cca57b7ae140f077d6aebb88e172f69b4cc0c8879c5be7f2734a989f8

SHA512
c1d8d99104f0dfc0f3417c6c0a2519ab9508aadecc573b6c338614237d6d91ce03825b4b978a3a9a03272759d7d566d1bc7c60b7742b4f83a8ad1b9d943e906b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\language\English.lang

Filesize
79KB

MD5
295dc87e2f2dd0ce282e124e2d637ade

SHA1
97cf293fd09a5c5eb0f90b7eb165372bcb648181

SHA256
0e2119bb896ce25c6010a910ead02b98aaf7a06921acdf74259dedf388e4e708

SHA512
31add625a0aa1117eaa6591b8c66b28f3ef86d848200fef7c067fa0e8056c48fe215bac9d3229ef92e8d1bd1775fa3517c9c5ed2f442cbb8c5c24a3472bcc75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\language\Simplified Chinese.lang

Filesize
46KB

MD5
e2e76626502b8437877fd2fe9323715c

SHA1
d024590dacf577ec5aee68eaa9ac90c5f917fe63

SHA256
a7eced5dc7563a179be590a2799f29890b65b6e473aa1619a62e58d011cbc597

SHA512
3d3d2326aca7f22077312b5f59bf63821c5a21fd54d4ced5d9a07abadbfc9a0b5f45e8b7eb6af3eef0d03e9bb9c30c58832db990ff837208b2d563b26eb92812

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\Background-300.png

Filesize
29KB

MD5
77767641110eb0eb62cd38ac3494fd24

SHA1
2d6c0cedf6b9a96292695ebd3e829e6f47dbfc45

SHA256
8717fdc9d5f8a4c200d38dac5178b31e1157d7a1f4f389c839dae74198d35e10

SHA512
0e0bf2ecf9c765ae0265706f19218ede958c65cab79743fcc2785bccef824200f06ce0543a8b1a765681ee9846a5c911548f8e1f5f25310aaa1122d22601b3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\diskGood-100.png

Filesize
1KB

MD5
c0e81a6dd776dcedbe2107bcad87bdcd

SHA1
1d1bbc27de9329d287179b36cdcaad1083359ea3

SHA256
41e8e14948103b7ba676fceaccef1f6b4fb08b70ea6f207f4d6fb6aef3f1e71f

SHA512
38b57f9cee97ac10b61a2fe9222c0085b0e6ffe18ac6457963a5a5e21ff5b602350204675f1ff9606c384d5b8484e4588ad9bac9208aeaf0008215c6fae678b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\diskStatusGood-100.png

Filesize
918B

MD5
ad2e97a4c59814858876abad24002ffd

SHA1
7636bf632981a0d6ccbf3adcdc78d2715f9f359e

SHA256
e290f8d7031f82007b91cf3082825540f0a6585065dd0ae8f467fefe4d81e4fc

SHA512
09a1485cb7c4580e5094c4d6f08c5b10c567b6ffa6a6b7f7b80d8fcc5ee0ba88091432530f1b01ee09b0cd15a6e387e5557d843d91b0273bd0a6bb1a550f2efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-100.png

Filesize
1KB

MD5
dc3be62f884c9b96af9a3d5b2a937cb6

SHA1
7a06d204ea1bb9130845305face66d7f74efa2e5

SHA256
cb9099db8ccb5d69db902858ebdd0657667fdc4c2ac1b8211b0d2503be18639a

SHA512
2b8163d191793ddda76ce36c08d87b343dd528ca042cfb795a816b96c8d7be90d584a34e4734d217a24ed54db1ce11332108540bd34baa64778f785c0bcd4a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\noDisk-100.png

Filesize
137B

MD5
aca9c4d69b8c4779167452f77f415a9a

SHA1
d40806f8ef1a7cb989dfbe9cfb4b3be717a47292

SHA256
0229291a30857f8ce7499e7f9a6ac30be452419bd5327b98468deba097ae76ee

SHA512
91652e2bdb710a11c25e78a8192c0da52538690e2743ba2f228e29279e0175d02e30ee01e4213b866552c4cf4e8c18ce687da13bd64d4ee554054f2efbc2df8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\preDisk-100.png

Filesize
1KB

MD5
b49a97118724c54530d4c4eaefd729c8

SHA1
102187b9534a2c6359d37b68f9509e0fd227b473

SHA256
4358ec9b50bf01820f6037299941916c196616fa08d8150b57607957cecda485

SHA512
5a5ab0d9cec7aa61b99cb1b3742df2acdadff43cb12dcdc48cfea95eb9479ae4c5673870f2b85560ed3285961837fe0c4eed3e31f1ada33fdcdcd23336dc236c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\temperatureGood-100.png

Filesize
2KB

MD5
f8f84f5782ae011b707822d8ac8ee4d6

SHA1
fa9fceedd5066b2e97ef2774a4315c9ecb71f897

SHA256
26d0fdec518f2a16d535306d81459746811882da15c691113134d82442f5d58a

SHA512
ace2ceb3289ce68a8bcf2f18a040afee31138683656d8adb24a305f6b9f0bc32a34db4b2c681a538a634a3e6a36b2481cea282b61edbd5f2c5bf62066b5e402d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\theme.ini

Filesize
267B

MD5
ec7be8d591e7fc9b16b7700fe78f2d1a

SHA1
a167edd91f9f0bce9b9d93785e683942bd7dbde2

SHA256
2b95db1daf862a5c38c8628fdf941512004bcea7b56b22e44fa52709e57c6ddb

SHA512
d884e807e773bfb48bfe6c26a99ad7e9316bf4aea08bda148e84fd2922064a46696d830b327dee24eb0d8db3ad9e6d93d62f3965e6cd1c64330f5abc5015b8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe

Filesize
2.7MB

MD5
290b9d139ca0057e5970d02bab50ee1e

SHA1
19416e9b9e66b29bfbcd2be8d4051025e1370904

SHA256
d6d7dde91c5d873778c7cfe300c4cd325cf827b522dbdd9834a2c636dcbd99d9

SHA512
eab988fedf1d7988ec475f18d171f342d7c5ec6ca357f67041848f9eb018996ff8a36a8f3aa348c84f9a545c584118c899052ebd0ff656b06664e31cde58cde4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads