736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb

Analysis

max time kernel
96s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe
Size

31.9MB
MD5

1b5a9cdfb1e2e5525ba77008aacfed3d
SHA1

f5053f7b425d2019a254d4952814a752c2987302
SHA256

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb
SHA512

d1281dcaa794a85fa76163a0ec2b87a5745ceacd559c90f39ca5cd6b6f610e77839b3f9b3ff8866bc64ea104e975133222e8ca4966bbfa583f20466c8c1674b5
SSDEEP

786432:1HI5TJ/XpqhDctzm+deBbq2O879gNBCN3KHLlLYWCA16pNa5AlomnNCs7t8X:1o5TJ/5qhD4S++W2Ou9oBCN6HqWJ16pw

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe

Executes dropped EXE 1 IoCs

Processes:

DiskGenius.exe

pid process

4968 DiskGenius.exe
Loads dropped DLL 3 IoCs

Processes:

DiskGenius.exe

pid process

4968 DiskGenius.exe
4968 DiskGenius.exe
4968 DiskGenius.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DiskGenius.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DiskGenius.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DiskGenius.exe

pid process

4968 DiskGenius.exe
4968 DiskGenius.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DiskGenius.exe

pid process

4968 DiskGenius.exe
4968 DiskGenius.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DiskGenius.exe

pid process

4968 DiskGenius.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DiskGenius.exe

pid process

4968 DiskGenius.exe
4968 DiskGenius.exe
4968 DiskGenius.exe
4968 DiskGenius.exe

pid	process
4968	DiskGenius.exe

pid	process
4968	DiskGenius.exe
4968	DiskGenius.exe
4968	DiskGenius.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

pid	process
4968	DiskGenius.exe
4968	DiskGenius.exe

pid	process
4968	DiskGenius.exe
4968	DiskGenius.exe

pid	process
4968	DiskGenius.exe

pid	process
4968	DiskGenius.exe
4968	DiskGenius.exe
4968	DiskGenius.exe
4968	DiskGenius.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe

description	pid	process	target process
PID 1656 wrote to memory of 4968	1656	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe	DiskGenius.exe
PID 1656 wrote to memory of 4968	1656	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe	DiskGenius.exe
PID 1656 wrote to memory of 4968	1656	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe	DiskGenius.exe

C:\Users\Admin\AppData\Local\Temp\736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe
"C:\Users\Admin\AppData\Local\Temp\736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MSIMG32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Options.ini
Filesize
387B

MD5
1a1a966775880cf96a7e82cac71c805e

SHA1
c29fbcb6003484e0001896e4524481bffb08959a

SHA256
cc2c3852ad0d29415f2ff2a258a03a3026965684dd2dff73e9701bd7caa21549

SHA512
24720b68895c4a4ad3ac62ee0be67f23c96984df2f264b3af66cda83da2e58b44c04501c1a132cfd34bf006841924c3090ef021120cacdcd6af24c07aa309bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\VERSION.dll
Filesize
3.7MB

MD5
1e8af4c81c6d4076681e9dbbf93f2d69

SHA1
4636dcca6226e868fb7599bcbcc785ae0ae0bed7

SHA256
2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871

SHA512
a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msimg32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msimg32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\version.dll
Filesize
3.7MB

MD5
1e8af4c81c6d4076681e9dbbf93f2d69

SHA1
4636dcca6226e868fb7599bcbcc785ae0ae0bed7

SHA256
2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871

SHA512
a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015

Download Submit
memory/4968-204-0x000000006F5F0000-0x000000006F600000-memory.dmp

Filesize
64KB

Download
memory/4968-205-0x000000006F5F0000-0x000000006F600000-memory.dmp

Filesize
64KB

Download
memory/4968-206-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/4968-207-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/4968-208-0x0000000000400000-0x00000000032C8000-memory.dmp

Filesize
46.8MB

Download