01f4965a9cb79bb5008613244fb231b8b7da260643c0793812821bb19bfe0c4e

Analysis

max time kernel
141s
max time network
100s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/06/2023, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrystalDiskInfo.exe
Size

1.5MB
MD5

54b2bbbbde3a88b692f793ad4f95f17d
SHA1

c85acbfeec23c26953da18c9d4f90cc1591d7c79
SHA256

01f4965a9cb79bb5008613244fb231b8b7da260643c0793812821bb19bfe0c4e
SHA512

a21058eec89755220d7ea16d44bbf7d56866d3f8ac70abc6ce96c246f94d3ec416e6d1c497fa748c27553b299442e3c1f428755b8e80648fb3badf8df07dc20e
SSDEEP

24576:yjpNR3HDq1+EOuiGCw6F5yig3zMg1AInmwbU8gHisNObpL/aMJkWsj9jw2D9M4:yjp3HDw+OiFngDMu9nmLypHuWsjC2xV

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1060	DiskInfo64.exe
1272	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1424	CrystalDiskInfo.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1424-262-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1424-432-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	DiskInfo64.exe
File opened (read-only)	\??\T:	DiskInfo64.exe
File opened (read-only)	\??\V:	DiskInfo64.exe
File opened (read-only)	\??\W:	DiskInfo64.exe
File opened (read-only)	\??\E:	DiskInfo64.exe
File opened (read-only)	\??\I:	DiskInfo64.exe
File opened (read-only)	\??\K:	DiskInfo64.exe
File opened (read-only)	\??\N:	DiskInfo64.exe
File opened (read-only)	\??\Q:	DiskInfo64.exe
File opened (read-only)	\??\Y:	DiskInfo64.exe
File opened (read-only)	\??\Z:	DiskInfo64.exe
File opened (read-only)	\??\A:	DiskInfo64.exe
File opened (read-only)	\??\H:	DiskInfo64.exe
File opened (read-only)	\??\J:	DiskInfo64.exe
File opened (read-only)	\??\M:	DiskInfo64.exe
File opened (read-only)	\??\S:	DiskInfo64.exe
File opened (read-only)	\??\R:	DiskInfo64.exe
File opened (read-only)	\??\U:	DiskInfo64.exe
File opened (read-only)	\??\X:	DiskInfo64.exe
File opened (read-only)	\??\B:	DiskInfo64.exe
File opened (read-only)	\??\F:	DiskInfo64.exe
File opened (read-only)	\??\G:	DiskInfo64.exe
File opened (read-only)	\??\L:	DiskInfo64.exe
File opened (read-only)	\??\O:	DiskInfo64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DiskInfo64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1060	DiskInfo64.exe
1060	DiskInfo64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1060	1424	CrystalDiskInfo.exe	28
PID 1424 wrote to memory of 1060	1424	CrystalDiskInfo.exe	28
PID 1424 wrote to memory of 1060	1424	CrystalDiskInfo.exe	28
PID 1424 wrote to memory of 1060	1424	CrystalDiskInfo.exe	28

C:\Users\Admin\AppData\Local\Temp\CrystalDiskInfo.exe
"C:\Users\Admin\AppData\Local\Temp\CrystalDiskInfo.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo64.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo64.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\dialog\Graph.html

Filesize
7KB

MD5
006b850ce85cfbcc92bbee6966bdf0d5

SHA1
32b80697347d6c40d606926f4adc05f1150ea8c3

SHA256
647860cda8fdf6f344b835472c04acb929ea411270f780b4fa27161e9e145c35

SHA512
7e385ca9fe5d7099a9f47ab472f9d13f86f459298a2f375c186091d3d5a32117b1d9d7e504a9220a313eb6c55c7cc0d56a8be60457d11dee696a284e935c6f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\language\English.lang

Filesize
63KB

MD5
41b3a8ccb3544b7b6778c073caf85672

SHA1
2a2663c7f56e5f0bfcf2d1e753569d18d0fbbf8d

SHA256
8ef5e8de05813a8f3955aadfd0fa5aface6999e3931a89f28588f4e596b31e35

SHA512
fded4a1c6227829d3d252c952ce01f98fb88f336dc114c431267f7bddb9f839394f3e568548a37a665299f9953c947ad33f043d93564da566d24a77793f91ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\language\Simplified Chinese.lang

Filesize
39KB

MD5
5126a43b9bebaada8799f6387c8b4a97

SHA1
44f01724a121d98d9961da88beb75427926401a0

SHA256
119b68f5a622ae322a777369de4ad240fc0c01547dcd1e257bedc5029049a8e1

SHA512
6f8243091192b4a844b549ba49a00c318a30a5630ca76e8ef0d13787c0dc82ce540aa43d991e4c245127476ecc5a61ce706275291e5c66e0986291a59062cf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\themes\Default\diskGood-100.png

Filesize
1KB

MD5
c0e81a6dd776dcedbe2107bcad87bdcd

SHA1
1d1bbc27de9329d287179b36cdcaad1083359ea3

SHA256
41e8e14948103b7ba676fceaccef1f6b4fb08b70ea6f207f4d6fb6aef3f1e71f

SHA512
38b57f9cee97ac10b61a2fe9222c0085b0e6ffe18ac6457963a5a5e21ff5b602350204675f1ff9606c384d5b8484e4588ad9bac9208aeaf0008215c6fae678b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\themes\Default\diskStatusGood-100.png

Filesize
665B

MD5
0abfaef38bc9e297cd79be0f2e691cdd

SHA1
bdf71d8a6d227d1fc858c047855ed3df841e11d4

SHA256
45e84adbec967aa386d4c94c3a33421fff02baaa59ad0c6e5f3ed842efb5abae

SHA512
4fa815d590a6415a03a432da28632063c96620bc0b657c770825759e26a6b11039c2136fe19f96b81b22be54a2e5dc1a880d7ee525cb91abe7e770a033fcf897

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\themes\Default\nextDisk-100.png

Filesize
1KB

MD5
dc3be62f884c9b96af9a3d5b2a937cb6

SHA1
7a06d204ea1bb9130845305face66d7f74efa2e5

SHA256
cb9099db8ccb5d69db902858ebdd0657667fdc4c2ac1b8211b0d2503be18639a

SHA512
2b8163d191793ddda76ce36c08d87b343dd528ca042cfb795a816b96c8d7be90d584a34e4734d217a24ed54db1ce11332108540bd34baa64778f785c0bcd4a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\themes\Default\noDisk-100.png

Filesize
137B

MD5
aca9c4d69b8c4779167452f77f415a9a

SHA1
d40806f8ef1a7cb989dfbe9cfb4b3be717a47292

SHA256
0229291a30857f8ce7499e7f9a6ac30be452419bd5327b98468deba097ae76ee

SHA512
91652e2bdb710a11c25e78a8192c0da52538690e2743ba2f228e29279e0175d02e30ee01e4213b866552c4cf4e8c18ce687da13bd64d4ee554054f2efbc2df8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\themes\Default\preDisk-100.png

Filesize
1KB

MD5
b49a97118724c54530d4c4eaefd729c8

SHA1
102187b9534a2c6359d37b68f9509e0fd227b473

SHA256
4358ec9b50bf01820f6037299941916c196616fa08d8150b57607957cecda485

SHA512
5a5ab0d9cec7aa61b99cb1b3742df2acdadff43cb12dcdc48cfea95eb9479ae4c5673870f2b85560ed3285961837fe0c4eed3e31f1ada33fdcdcd23336dc236c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\themes\Default\temperatureGood-100.png

Filesize
529B

MD5
2d48c03e3e4e9b960eb0c5714aa55db6

SHA1
8d3785b771879702f75c512222396816549ff813

SHA256
a28638b3152f1bf898a2a14570077bfd599fa0a31c67d72856c2ec77dbd56865

SHA512
fe5103e542c9392768dc25fed57a69f5fa5b9a4e60696027f33294c699264a88bbde56763332013906033aba29bd20c17b27fc2d5a373d2b1adcd9f1787f5750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CdiResource\themes\Default\theme.ini

Filesize
267B

MD5
ec7be8d591e7fc9b16b7700fe78f2d1a

SHA1
a167edd91f9f0bce9b9d93785e683942bd7dbde2

SHA256
2b95db1daf862a5c38c8628fdf941512004bcea7b56b22e44fa52709e57c6ddb

SHA512
d884e807e773bfb48bfe6c26a99ad7e9316bf4aea08bda148e84fd2922064a46696d830b327dee24eb0d8db3ad9e6d93d62f3965e6cd1c64330f5abc5015b8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo.ini

Filesize
282B

MD5
059eac0063cf233a5c076351a1a044c7

SHA1
3388220c4250b6d066da7c0ff3d49e8af612b4f0

SHA256
930ca713c1af1cd06cc15ed56fa142d9910216a0e97e572f80458c625dad941b

SHA512
7a3d1c87a53482a7b6ee0627bfdb9684d2d5655bdfeecf1d72396b96f48eb816d2a564388a05196dfc054014e70e8158fb7d4b2d2a06bcc86e1165cf3d287b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo.ini

Filesize
282B

MD5
d6cb20b3215ce676fd2aeb1b89f0fb8f

SHA1
531d8e6c312de8b000feb58ac0e19b1dddf6e3e1

SHA256
103000a2afff7073b289179482d4f49cba9043783caf848bdf33d703eb578bcd

SHA512
f7b72132559500529aa9d699a61a68f4e546470141dbe041398d7b08dfa9e260852ac17aff9c40bdd0a3e547439779f300cbe7d5e5d86a9e578e6ab978e5b3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo.ini

Filesize
318B

MD5
af4b7632a5ee3495de2f390106769d6b

SHA1
dbcddb75a0504cb115d2a7f225c2dd16cb3df591

SHA256
4929c09fdc295a477129af6424e2602dd9b35cb1d40fa0f0cdd465cca0ab9ffe

SHA512
422b7e53af245c3f2f281c496c308a7538c8946d3816d541dc0a7add901f986a6a39150ef9cb44a333d8c45139865e631c71d029a03037215ac017c9b4f93f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo.ini

Filesize
342B

MD5
5d9aca5bf347b64cb7f129542b1a9e03

SHA1
5bc3638b230321ae82041d7f045ab71994557c41

SHA256
eae96d397d7fa146e4809750250c15bc1413fe6591e7ca3468581f28638b1fa7

SHA512
c12a02e5ac4fecb141d363f6191573d5465852a7d066d824a2a79fa335195edcc7cc78852ddf21a8e5a884ef942239c9b2ed91e8c63e499395ed0984e62de06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo64.exe

Filesize
2.6MB

MD5
841cdd6726b716d781c1b201a2e3ae34

SHA1
bf5162eb6b5df01d871f4a054f95e5924ff0681e

SHA256
dab7cdaf31535f12185cf03b885459cce95e1f6749da8c7838df3df0da5720c4

SHA512
c6f61694b29a9c8caf000122d04a2de654626f7452958b88f79af67fcc12cd2714f7916eb97583bca01f92b5eb8176e8a01b9c76add1c6cc235a2ba34b8896ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smart\DADY HARDDISKQM00013\09.csv

Filesize
25B

MD5
34818d4eb2deaebf5f12eadca8547fb0

SHA1
e97de7415de66aa966a9039a7ad118b2897c7ed1

SHA256
c61b4fbb26f15e1ad7af4b324d15fa4ea39180ce14b8cc94efb257bac3998c16

SHA512
ac965945b49bcf05389f26efd4de398e90e2f153220030da2f75a4a289c59e8c09c9422ded56bc52c8ddb3e39d8f6a1ecb62dc324c4328645f55cbc254ee81e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smart\DADY HARDDISKQM00013\Smart.ini

Filesize
198B

MD5
bc2074f112717cf4712ddf695970f295

SHA1
91aa261ec771d19fa8c25bf78f5fd8091c77e389

SHA256
d2c2f07981038a7d48c40878cac736264c19732740da00738446997e13fcb9d5

SHA512
c09c3749b3cc398cd3eb0bca42bcca5a6bc0592a58d49287304a383d0bd0a949e27d77ecb8c0f6b8c3d9df2cc787e9baa7820aea622bf8af3e5ffc7efe32be1d

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo64.exe

Filesize
2.6MB

MD5
841cdd6726b716d781c1b201a2e3ae34

SHA1
bf5162eb6b5df01d871f4a054f95e5924ff0681e

SHA256
dab7cdaf31535f12185cf03b885459cce95e1f6749da8c7838df3df0da5720c4

SHA512
c6f61694b29a9c8caf000122d04a2de654626f7452958b88f79af67fcc12cd2714f7916eb97583bca01f92b5eb8176e8a01b9c76add1c6cc235a2ba34b8896ec

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskInfo64.exe

Filesize
2.6MB

MD5
841cdd6726b716d781c1b201a2e3ae34

SHA1
bf5162eb6b5df01d871f4a054f95e5924ff0681e

SHA256
dab7cdaf31535f12185cf03b885459cce95e1f6749da8c7838df3df0da5720c4

SHA512
c6f61694b29a9c8caf000122d04a2de654626f7452958b88f79af67fcc12cd2714f7916eb97583bca01f92b5eb8176e8a01b9c76add1c6cc235a2ba34b8896ec

Download Submit
memory/1424-262-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-432-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download