cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0

Analysis

max time kernel
122s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe
Size

29.5MB
MD5

e0f5c5dacb2c49b9de937e1ac4e6aa12
SHA1

7d4e57d53f0b855780ebeee66d7fb51c51a7ab78
SHA256

cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0
SHA512

bf6e9a08a1969cac5a1fe53472364a9fee321001be4b003db5e282596ccff3ad9cc50e13c313012a0804e4c66923ac53559443c4c9adc697ebd7a420e9873b97
SSDEEP

786432:oX+PCDglQifSjUTs6LhQ/+loqcH9jnfazU/NpQDoWnSz+XBW:EurlQifgUw6LhI+JQ9jfa4/NpmhSR

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe

Executes dropped EXE 1 IoCs

Processes:

DiskGenius.exe

pid process

260 DiskGenius.exe
Loads dropped DLL 3 IoCs

Processes:

DiskGenius.exe

pid process

260 DiskGenius.exe
260 DiskGenius.exe
260 DiskGenius.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DiskGenius.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DiskGenius.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DiskGenius.exe

pid process

260 DiskGenius.exe
260 DiskGenius.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DiskGenius.exe

pid process

260 DiskGenius.exe
260 DiskGenius.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DiskGenius.exe

pid process

260 DiskGenius.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DiskGenius.exe

pid process

260 DiskGenius.exe
260 DiskGenius.exe
260 DiskGenius.exe
260 DiskGenius.exe

pid	process
260	DiskGenius.exe

pid	process
260	DiskGenius.exe
260	DiskGenius.exe
260	DiskGenius.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

pid	process
260	DiskGenius.exe
260	DiskGenius.exe

pid	process
260	DiskGenius.exe
260	DiskGenius.exe

pid	process
260	DiskGenius.exe

pid	process
260	DiskGenius.exe
260	DiskGenius.exe
260	DiskGenius.exe
260	DiskGenius.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.execmd.exe

description	pid	process	target process
PID 2624 wrote to memory of 5040	2624	cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe	cmd.exe
PID 2624 wrote to memory of 5040	2624	cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe	cmd.exe
PID 2624 wrote to memory of 5040	2624	cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe	cmd.exe
PID 5040 wrote to memory of 260	5040	cmd.exe	DiskGenius.exe
PID 5040 wrote to memory of 260	5040	cmd.exe	DiskGenius.exe
PID 5040 wrote to memory of 260	5040	cmd.exe	DiskGenius.exe

C:\Users\Admin\AppData\Local\Temp\cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe
"C:\Users\Admin\AppData\Local\Temp\cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\StartDGEng.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
DiskGenius.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini
Filesize
379B

MD5
c5a3694ba3529642c79fe2ccd4f00e32

SHA1
d5baf9cd8e5784cc3af58fd7a492e1381ed87514

SHA256
60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61

SHA512
7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\StartDGEng.bat
Filesize
89B

MD5
7df9ed38a5a267966322248b5d228af7

SHA1
1fb961c469bab1a840b62c290eadd104501ef8c4

SHA256
fe7e41f49cc58e970461d87e88f91d0fb7c850622a99e2ebb4cdf10506e80029

SHA512
b1efa436e6fc12facc858986d360dc6645d1d5a206338b1ea37793bd64faf2dcf9ec99d92c8252be3b7373e826fd89d3a6f49ab22c4f8c935aff113d61af01f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll
Filesize
3.7MB

MD5
1e8af4c81c6d4076681e9dbbf93f2d69

SHA1
4636dcca6226e868fb7599bcbcc785ae0ae0bed7

SHA256
2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871

SHA512
a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll
Filesize
3.7MB

MD5
1e8af4c81c6d4076681e9dbbf93f2d69

SHA1
4636dcca6226e868fb7599bcbcc785ae0ae0bed7

SHA256
2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871

SHA512
a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015

Download Submit
memory/260-199-0x000000006F190000-0x000000006F1A0000-memory.dmp

Filesize
64KB

Download
memory/260-198-0x000000006F190000-0x000000006F1A0000-memory.dmp

Filesize
64KB

Download
memory/260-200-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/260-201-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/260-202-0x0000000000400000-0x00000000032C8000-memory.dmp

Filesize
46.8MB

Download