4256abb5b5583aeb5c61937415555657a5ae3b76fcc59657edfcb3bce792f958

Analysis

max time kernel
148s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-06-2023 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hdtune_255.exe
Size

627KB
MD5

088812a121e0a9ceb40ce9c808c8a90c
SHA1

08ae99e095a68036fff9bdc89229e78a6393ae6d
SHA256

4256abb5b5583aeb5c61937415555657a5ae3b76fcc59657edfcb3bce792f958
SHA512

c25caebc1bcb2b1a9be42fb6cce1aba0d7d929b53be1f50dbc4ce5c9e8b1b2b3a09affee5b683abfff4b4ae0c8fbf193ce7d69a755e1e6d7b9e6a339b6c8790b
SSDEEP

12288:ymkOy//gnG9b7IiVjtThhnwT4f2BQopW3FBi2xrg8lvsOqH2gOlh:yfOyXiE7Y853e+t/gOL

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	is-0EQ7N.tmp
1520	HDTune.exe

Loads dropped DLL 6 IoCs

pid	Process
1256	hdtune_255.exe
1116	is-0EQ7N.tmp
1116	is-0EQ7N.tmp
1116	is-0EQ7N.tmp
1116	is-0EQ7N.tmp
1116	is-0EQ7N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HDTune.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HD Tune\is-H59CN.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-0T0I6.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-IHRMP.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-60BPJ.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-UM60D.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-GF473.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-R65PD.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-U4D75.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-31VL5.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-L769E.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-CE3M3.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-UV49I.tmp	is-0EQ7N.tmp
File opened for modification	C:\Program Files (x86)\HD Tune\HDTune.url	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-OM1LR.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-34RHT.tmp	is-0EQ7N.tmp
File opened for modification	C:\Program Files (x86)\HD Tune\unins000.dat	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-O0FQC.tmp	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\unins000.dat	is-0EQ7N.tmp
File created	C:\Program Files (x86)\HD Tune\is-FD3TJ.tmp	is-0EQ7N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\PowerCfg\GlobalPowerPolicy\Policies = 01000000060000000300000010000000060000000300000010000000020000000300000000000000020000000300000000000000020000000100000000000000020000000100000000000000000000000500000000000000000000c00000000005000000000000000a0000000000000003000000010001000100000000000000000000000000000000000000000002000000000000000000000000000000000000000000000003000000000016000000	HDTune.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\PowerCfg\CurrentPowerPolicy = "3"	HDTune.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\PowerCfg	HDTune.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\PowerCfg\PowerPolicies\3	HDTune.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\PowerCfg\PowerPolicies\3\Policies = 0100000002000000010000000000000002000000000000000000000000000000000000003232000004000000040000000000000000000000b00400008403000000000000080700000001646464640000	HDTune.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\PowerCfg\GlobalPowerPolicy	HDTune.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: SeShutdownPrivilege	1520	HDTune.exe
Token: 33	1572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1572	AUDIODG.EXE
Token: 33	1572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1572	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1520	HDTune.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1520	HDTune.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1520	HDTune.exe
1520	HDTune.exe
1520	HDTune.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1116	1256	hdtune_255.exe	28
PID 1256 wrote to memory of 1116	1256	hdtune_255.exe	28
PID 1256 wrote to memory of 1116	1256	hdtune_255.exe	28
PID 1256 wrote to memory of 1116	1256	hdtune_255.exe	28
PID 1256 wrote to memory of 1116	1256	hdtune_255.exe	28
PID 1256 wrote to memory of 1116	1256	hdtune_255.exe	28
PID 1256 wrote to memory of 1116	1256	hdtune_255.exe	28
PID 1116 wrote to memory of 1520	1116	is-0EQ7N.tmp	30
PID 1116 wrote to memory of 1520	1116	is-0EQ7N.tmp	30
PID 1116 wrote to memory of 1520	1116	is-0EQ7N.tmp	30
PID 1116 wrote to memory of 1520	1116	is-0EQ7N.tmp	30

C:\Users\Admin\AppData\Local\Temp\hdtune_255.exe
"C:\Users\Admin\AppData\Local\Temp\hdtune_255.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\is-N8Q4A.tmp\is-0EQ7N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N8Q4A.tmp\is-0EQ7N.tmp" /SL4 $9014E "C:\Users\Admin\AppData\Local\Temp\hdtune_255.exe" 406234 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Program Files (x86)\HD Tune\HDTune.exe
    "C:\Program Files (x86)\HD Tune\HDTune.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HD Tune\HDTune.exe

Filesize
392KB

MD5
f8fc2d14df813cc920a39b3cb7e59cbc

SHA1
0b0bbb9d98262a745b9a404f47c1f222658d7c33

SHA256
b57072eb0234ce447d30ddc18b150a831b0d63c1025dd3668befb40b29c9c573

SHA512
4894567ee50584b09fa3bd653318bd4190f7ea82b60f0e370d7c08142a24177119aea79fb51ab26f5df7888168959d3b76ea1137e83619a5f35ddd4ff6342931

Download Submit
C:\Program Files (x86)\HD Tune\HDTune.exe

Filesize
392KB

MD5
f8fc2d14df813cc920a39b3cb7e59cbc

SHA1
0b0bbb9d98262a745b9a404f47c1f222658d7c33

SHA256
b57072eb0234ce447d30ddc18b150a831b0d63c1025dd3668befb40b29c9c573

SHA512
4894567ee50584b09fa3bd653318bd4190f7ea82b60f0e370d7c08142a24177119aea79fb51ab26f5df7888168959d3b76ea1137e83619a5f35ddd4ff6342931

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N8Q4A.tmp\is-0EQ7N.tmp

Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N8Q4A.tmp\is-0EQ7N.tmp

Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
\Program Files (x86)\HD Tune\HDTune.exe

Filesize
392KB

MD5
f8fc2d14df813cc920a39b3cb7e59cbc

SHA1
0b0bbb9d98262a745b9a404f47c1f222658d7c33

SHA256
b57072eb0234ce447d30ddc18b150a831b0d63c1025dd3668befb40b29c9c573

SHA512
4894567ee50584b09fa3bd653318bd4190f7ea82b60f0e370d7c08142a24177119aea79fb51ab26f5df7888168959d3b76ea1137e83619a5f35ddd4ff6342931

Download Submit
\Program Files (x86)\HD Tune\HDTune.exe

Filesize
392KB

MD5
f8fc2d14df813cc920a39b3cb7e59cbc

SHA1
0b0bbb9d98262a745b9a404f47c1f222658d7c33

SHA256
b57072eb0234ce447d30ddc18b150a831b0d63c1025dd3668befb40b29c9c573

SHA512
4894567ee50584b09fa3bd653318bd4190f7ea82b60f0e370d7c08142a24177119aea79fb51ab26f5df7888168959d3b76ea1137e83619a5f35ddd4ff6342931

Download Submit
\Program Files (x86)\HD Tune\unins000.exe

Filesize
666KB

MD5
cefc20d14d9940d53505e9b9769139e7

SHA1
858bb656cb0dc8a790ea59882e194bacea7c9c7f

SHA256
41e0a82a2e83b02fc9ee478fe22ada8609daa9c7007f8f3042f6240d6a528e0e

SHA512
1ec0cd5420f0d1b20b87fef2f02c977dcde81627fa63407fca8cc46c9e87ddbc08086d8848517ccc61f7c0ce95d5225fc8a7f26166b16e5b724559a831676f95

Download Submit
\Users\Admin\AppData\Local\Temp\is-N8Q4A.tmp\is-0EQ7N.tmp

Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
\Users\Admin\AppData\Local\Temp\is-NANSC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NANSC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1116-71-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1116-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-126-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1256-70-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1256-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1256-127-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download