8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6

General

Target

8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe
Size

31.3MB
MD5

725ca74f7130d31b4c39c36d069b9795
SHA1

d13350b16df10edf2fdfa14b2b0e755d4c88e1a1
SHA256

8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6
SHA512

2dd5fc3ac723b1a4a6926f8333a90af9217b78255ae21cfd7928dca6dc20c952d2302b5d3097bce4adab857540ab475136dadcbe97244bd598509f79601eedf8
SSDEEP

786432:VlT7NPyLNCgGeoKA/OdTYEgW4eJopfW9Pj9o3Tp:VlT7dcDzohOdzgZQhC

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe

Executes dropped EXE 1 IoCs

Processes:

DiskGenius.exe

pid process

224 DiskGenius.exe
Loads dropped DLL 2 IoCs

Processes:

DiskGenius.exe

pid process

224 DiskGenius.exe
224 DiskGenius.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DiskGenius.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DiskGenius.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DiskGenius.exe

pid process

224 DiskGenius.exe
224 DiskGenius.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DiskGenius.exe

pid process

224 DiskGenius.exe
224 DiskGenius.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DiskGenius.exe

pid process

224 DiskGenius.exe
224 DiskGenius.exe
224 DiskGenius.exe
224 DiskGenius.exe

pid	process
224	DiskGenius.exe

pid	process
224	DiskGenius.exe
224	DiskGenius.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

pid	process
224	DiskGenius.exe
224	DiskGenius.exe

pid	process
224	DiskGenius.exe
224	DiskGenius.exe

pid	process
224	DiskGenius.exe
224	DiskGenius.exe
224	DiskGenius.exe
224	DiskGenius.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe

description	pid	process	target process
PID 2904 wrote to memory of 224	2904	8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe	DiskGenius.exe
PID 2904 wrote to memory of 224	2904	8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe	DiskGenius.exe

C:\Users\Admin\AppData\Local\Temp\8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe
"C:\Users\Admin\AppData\Local\Temp\8da9e6d81d1c75f2096569cf7fbb0aac9935973bfd1a07224872a5e4751ab3a6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
28.5MB

MD5
329b61adba69e2b2ef5697e1c821137e

SHA1
2da9fe2c7a36fe348194a40ae2d12c4fcd987cf0

SHA256
fff5ef49b248604d1e85b4c8cd04caa8febc6a0d2bd06e3e9222cd278d2df8f0

SHA512
f6d3f42b3965fba905935854c0c10984a320017560c124f788b691ed9c019fdbeba7038297523f70ca13ac5b4f4e9618f5af7a2e6942d2e3577782ed45ba26cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
28.5MB

MD5
329b61adba69e2b2ef5697e1c821137e

SHA1
2da9fe2c7a36fe348194a40ae2d12c4fcd987cf0

SHA256
fff5ef49b248604d1e85b4c8cd04caa8febc6a0d2bd06e3e9222cd278d2df8f0

SHA512
f6d3f42b3965fba905935854c0c10984a320017560c124f788b691ed9c019fdbeba7038297523f70ca13ac5b4f4e9618f5af7a2e6942d2e3577782ed45ba26cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
28.5MB

MD5
329b61adba69e2b2ef5697e1c821137e

SHA1
2da9fe2c7a36fe348194a40ae2d12c4fcd987cf0

SHA256
fff5ef49b248604d1e85b4c8cd04caa8febc6a0d2bd06e3e9222cd278d2df8f0

SHA512
f6d3f42b3965fba905935854c0c10984a320017560c124f788b691ed9c019fdbeba7038297523f70ca13ac5b4f4e9618f5af7a2e6942d2e3577782ed45ba26cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll
Filesize
7KB

MD5
bda85e995d64c90a27a7a0ca6c7144eb

SHA1
78f3a7253fa9950a4b630797ec08057378b8ac55

SHA256
dfdf475eac565ccf6ec93d65a8e196b72e024ac49b1e49413a9203c35890ed4d

SHA512
24227e4d8e9e33b8f8844ff66e41d509a1044601422aaaa6c7522b45af776aa3f08e5181e721ade6993723d6aa7862148b5a5da795e70fe8c9d7b8df2fd477d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini
Filesize
379B

MD5
c5a3694ba3529642c79fe2ccd4f00e32

SHA1
d5baf9cd8e5784cc3af58fd7a492e1381ed87514

SHA256
60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61

SHA512
7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll
Filesize
3.8MB

MD5
62f605456d5cda3a1539bfa2badebb7c

SHA1
bfb9765576d68535a4a16ca49c1a868b131e3b9b

SHA256
90238193d39ea3d5d8a1d328d1d127c19cdbedac1586e8bda8d77050f032b4de

SHA512
c66e9f4d90b7a8ce9e999194a3e249d3f8753bfc7d5746dc12b5aac299ef8091c9ba31a728696f43755865eab78f78767882362c2e93acc504f6296eb4c6c1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
Filesize
7KB

MD5
bda85e995d64c90a27a7a0ca6c7144eb

SHA1
78f3a7253fa9950a4b630797ec08057378b8ac55

SHA256
dfdf475eac565ccf6ec93d65a8e196b72e024ac49b1e49413a9203c35890ed4d

SHA512
24227e4d8e9e33b8f8844ff66e41d509a1044601422aaaa6c7522b45af776aa3f08e5181e721ade6993723d6aa7862148b5a5da795e70fe8c9d7b8df2fd477d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll
Filesize
3.8MB

MD5
62f605456d5cda3a1539bfa2badebb7c

SHA1
bfb9765576d68535a4a16ca49c1a868b131e3b9b

SHA256
90238193d39ea3d5d8a1d328d1d127c19cdbedac1586e8bda8d77050f032b4de

SHA512
c66e9f4d90b7a8ce9e999194a3e249d3f8753bfc7d5746dc12b5aac299ef8091c9ba31a728696f43755865eab78f78767882362c2e93acc504f6296eb4c6c1d1

Download Submit
memory/224-199-0x00007FF7F5130000-0x00007FF7F5140000-memory.dmp

Filesize
64KB

Download
memory/224-200-0x00007FF8352D0000-0x00007FF8352D2000-memory.dmp

Filesize
8KB

Download
memory/224-201-0x00007FF8352E0000-0x00007FF8352E2000-memory.dmp

Filesize
8KB

Download
memory/224-202-0x0000000140000000-0x0000000143322000-memory.dmp

Filesize
51.1MB

Download

Analysis

Sharing