5a549502964ba6fc1847b65745f97e6bcb1d8f9d9c3939f39359fa725ce8f3f7

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HDTunePro5.5.exe
Size

643KB
MD5

33cdb6726b3201807b4f111e9f1deda3
SHA1

e5bcbbdd1d3637ebba3fd2b67a75c0db93252fc5
SHA256

5a549502964ba6fc1847b65745f97e6bcb1d8f9d9c3939f39359fa725ce8f3f7
SHA512

6964ecf6e6fdbfbb2c0d2009ec4fbbfe4b2b08dc60c9a5c67a791a723ebe7cacc80895be9d8ef19e5edb540a300526bdf82b902b26947f7dd3ba5c649248895e
SSDEEP

12288:CBltMukdAQYB/H3ePjpawfT/te8l5lumGOX5c1ilaVC:CBrM1dw/HOowLN5lqON4VC

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2568	HDTunePro.exe

Loads dropped DLL 6 IoCs

pid	Process
2328	HDTunePro5.5.exe
2568	HDTunePro.exe
2568	HDTunePro.exe
2568	HDTunePro.exe
2568	HDTunePro.exe
2568	HDTunePro.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	HDTunePro.exe
File opened (read-only)	\??\B:	HDTunePro.exe
File opened (read-only)	\??\D:	HDTunePro.exe
File opened (read-only)	\??\E:	HDTunePro.exe
File opened (read-only)	\??\M:	HDTunePro.exe
File opened (read-only)	\??\Q:	HDTunePro.exe
File opened (read-only)	\??\S:	HDTunePro.exe
File opened (read-only)	\??\V:	HDTunePro.exe
File opened (read-only)	\??\H:	HDTunePro.exe
File opened (read-only)	\??\I:	HDTunePro.exe
File opened (read-only)	\??\L:	HDTunePro.exe
File opened (read-only)	\??\N:	HDTunePro.exe
File opened (read-only)	\??\P:	HDTunePro.exe
File opened (read-only)	\??\W:	HDTunePro.exe
File opened (read-only)	\??\G:	HDTunePro.exe
File opened (read-only)	\??\O:	HDTunePro.exe
File opened (read-only)	\??\R:	HDTunePro.exe
File opened (read-only)	\??\U:	HDTunePro.exe
File opened (read-only)	\??\A:	HDTunePro.exe
File opened (read-only)	\??\F:	HDTunePro.exe
File opened (read-only)	\??\J:	HDTunePro.exe
File opened (read-only)	\??\K:	HDTunePro.exe
File opened (read-only)	\??\T:	HDTunePro.exe
File opened (read-only)	\??\Y:	HDTunePro.exe
File opened (read-only)	\??\Z:	HDTunePro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HDTunePro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	HDTunePro.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2568	HDTunePro.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2568	HDTunePro.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2568	HDTunePro.exe
2568	HDTunePro.exe
2568	HDTunePro.exe
2568	HDTunePro.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2568	2328	HDTunePro5.5.exe	28
PID 2328 wrote to memory of 2568	2328	HDTunePro5.5.exe	28
PID 2328 wrote to memory of 2568	2328	HDTunePro5.5.exe	28
PID 2328 wrote to memory of 2568	2328	HDTunePro5.5.exe	28
PID 2328 wrote to memory of 2568	2328	HDTunePro5.5.exe	28
PID 2328 wrote to memory of 2568	2328	HDTunePro5.5.exe	28
PID 2328 wrote to memory of 2568	2328	HDTunePro5.5.exe	28

C:\Users\Admin\AppData\Local\Temp\HDTunePro5.5.exe
"C:\Users\Admin\AppData\Local\Temp\HDTunePro5.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\HDTunePro\HDTunePro.exe
  C:\Users\Admin\AppData\Local\Temp\HDTunePro\HDTunePro.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HDTunePro\HDTunePro.exe

Filesize
1.3MB

MD5
b628106fc1983a69f925b9cb9c4fa7b8

SHA1
76596e839814a229a9faf952ddc3028304b0777e

SHA256
8026359e287f5e0ebd27ec61960bbcd5552396cb4fffd1dfd961e46170a65ac9

SHA512
6b1a42486fe443c5c9260d5494ad98dc5800f295d41de355b9dda92313cecbe32d0e1045bee7f04d1fa9e0235c6efd4f7c2fc7d15ccf973b45f8a6546d92b341

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDTunePro\HDTunePro.exe

Filesize
1.3MB

MD5
b628106fc1983a69f925b9cb9c4fa7b8

SHA1
76596e839814a229a9faf952ddc3028304b0777e

SHA256
8026359e287f5e0ebd27ec61960bbcd5552396cb4fffd1dfd961e46170a65ac9

SHA512
6b1a42486fe443c5c9260d5494ad98dc5800f295d41de355b9dda92313cecbe32d0e1045bee7f04d1fa9e0235c6efd4f7c2fc7d15ccf973b45f8a6546d92b341

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDTunePro\SHFOLDER.dll

Filesize
24KB

MD5
53f06c7dd06ec9fdef35af6b399c9b1f

SHA1
72ea7728591e3992472068faa25e18268f960890

SHA256
4ba96a393ee44c63d22d02961826d7d3ca47c9c2cccb8dd7fa6c2616e07a33d6

SHA512
95ebefcd2e206f830cbc25cac8670f126eae9e24c6c9755032461af264d725c4d0d6e854b23405e154e660d16fe9a4733add2b56aaadd714dc907841b37901b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDTunePro\odbcbcp.dll

Filesize
24KB

MD5
2be9ef5c97f4ef4ed8d5fe0684b2abd8

SHA1
8c9331afb06d2f29d05e91e63e1838269a1f782a

SHA256
2e2db8b034f3e98af519f636b8e4306214f371022e69a828fb3d58d5344cdd9a

SHA512
93d47f4ac3b51b9fc3d9db95bdbd375ecb8a86edb98c723484b6d0178fb93753d599e345d0c1615aa276b1656913884debc51ba9af90355c31951d327b10c888

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDTunePro\pdh.dll

Filesize
301KB

MD5
cb40a5293c4fdd7dd83b656a84610975

SHA1
df4b4baafef924b88ff13c51a2adafd0ec000c85

SHA256
f0a4e15f074cf2aba7ec6d3bc74b8acd8533a0b6a2bc17f148306217fd21cdfd

SHA512
dc4ec5d3561e2ffc059b267a247c452456c2ccd8e93f2974c03af4316dc3302c0758a6999670775d6406fe31d33295a6b133746bc0606277c8b61a8af7d9c955

Download Submit
\Users\Admin\AppData\Local\Temp\HDTunePro\HDTunePro.exe

Filesize
1.3MB

MD5
b628106fc1983a69f925b9cb9c4fa7b8

SHA1
76596e839814a229a9faf952ddc3028304b0777e

SHA256
8026359e287f5e0ebd27ec61960bbcd5552396cb4fffd1dfd961e46170a65ac9

SHA512
6b1a42486fe443c5c9260d5494ad98dc5800f295d41de355b9dda92313cecbe32d0e1045bee7f04d1fa9e0235c6efd4f7c2fc7d15ccf973b45f8a6546d92b341

Download Submit
\Users\Admin\AppData\Local\Temp\HDTunePro\HDTunePro.exe

Filesize
1.3MB

MD5
b628106fc1983a69f925b9cb9c4fa7b8

SHA1
76596e839814a229a9faf952ddc3028304b0777e

SHA256
8026359e287f5e0ebd27ec61960bbcd5552396cb4fffd1dfd961e46170a65ac9

SHA512
6b1a42486fe443c5c9260d5494ad98dc5800f295d41de355b9dda92313cecbe32d0e1045bee7f04d1fa9e0235c6efd4f7c2fc7d15ccf973b45f8a6546d92b341

Download Submit
\Users\Admin\AppData\Local\Temp\HDTunePro\HDTunePro.exe

Filesize
1.3MB

MD5
b628106fc1983a69f925b9cb9c4fa7b8

SHA1
76596e839814a229a9faf952ddc3028304b0777e

SHA256
8026359e287f5e0ebd27ec61960bbcd5552396cb4fffd1dfd961e46170a65ac9

SHA512
6b1a42486fe443c5c9260d5494ad98dc5800f295d41de355b9dda92313cecbe32d0e1045bee7f04d1fa9e0235c6efd4f7c2fc7d15ccf973b45f8a6546d92b341

Download Submit
\Users\Admin\AppData\Local\Temp\HDTunePro\odbcbcp.dll

Filesize
24KB

MD5
2be9ef5c97f4ef4ed8d5fe0684b2abd8

SHA1
8c9331afb06d2f29d05e91e63e1838269a1f782a

SHA256
2e2db8b034f3e98af519f636b8e4306214f371022e69a828fb3d58d5344cdd9a

SHA512
93d47f4ac3b51b9fc3d9db95bdbd375ecb8a86edb98c723484b6d0178fb93753d599e345d0c1615aa276b1656913884debc51ba9af90355c31951d327b10c888

Download Submit
\Users\Admin\AppData\Local\Temp\HDTunePro\pdh.dll

Filesize
301KB

MD5
cb40a5293c4fdd7dd83b656a84610975

SHA1
df4b4baafef924b88ff13c51a2adafd0ec000c85

SHA256
f0a4e15f074cf2aba7ec6d3bc74b8acd8533a0b6a2bc17f148306217fd21cdfd

SHA512
dc4ec5d3561e2ffc059b267a247c452456c2ccd8e93f2974c03af4316dc3302c0758a6999670775d6406fe31d33295a6b133746bc0606277c8b61a8af7d9c955

Download Submit
\Users\Admin\AppData\Local\Temp\HDTunePro\shfolder.dll

Filesize
24KB

MD5
53f06c7dd06ec9fdef35af6b399c9b1f

SHA1
72ea7728591e3992472068faa25e18268f960890

SHA256
4ba96a393ee44c63d22d02961826d7d3ca47c9c2cccb8dd7fa6c2616e07a33d6

SHA512
95ebefcd2e206f830cbc25cac8670f126eae9e24c6c9755032461af264d725c4d0d6e854b23405e154e660d16fe9a4733add2b56aaadd714dc907841b37901b7

Download Submit