Analysis
-
max time kernel
129s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
-
submitted
14-12-2023 07:58
General
-
Target
ce7e4f57d738e91311d0dd3a8b8d8dcb1374ee9ae7da57d14a47e1d2432a5b3f.exe
-
Size
1.9MB
-
MD5
a60a60af95a32a81795761865b7f3bd9
-
SHA1
6573299b94c46cebfaec0b25f85e921b7b3a7cbc
-
SHA256
ce7e4f57d738e91311d0dd3a8b8d8dcb1374ee9ae7da57d14a47e1d2432a5b3f
-
SHA512
113205d19a41a82a62ca84197ddf6cf62d798af3e0dcc5f56423da213b79a443154fa683bce2f22b794357ea62f3b83ba217effa4e22af81cdf890fecc49415f
-
SSDEEP
49152:NjPTJMkPEn2W/W/WI+fiUBHskWLEMPtckTgNbC:NDTJPEl/lI+fiieTtjsbC
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Drops file in Drivers directory 4 IoCs
-
Sets service image path in registry 2 TTPs 2 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce7e4f57d738e91311d0dd3a8b8d8dcb1374ee9ae7da57d14a47e1d2432a5b3f.exe"C:\Users\Admin\AppData\Local\Temp\ce7e4f57d738e91311d0dd3a8b8d8dcb1374ee9ae7da57d14a47e1d2432a5b3f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HRSword.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY "HKU\S-1-5-19"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\x64\usysdiag.exe "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\\" 1>NUL 2>NUL"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\x64\sysdiag.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"3⤵
- Drops file in Drivers directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" copy Drivers\x64\hrwfpdrv.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"3⤵
- Drops file in Drivers directory
-
C:\Windows\system32\sc.exesc create hrwfpdrv binpath= "C:\Windows\System32\drivers\hrwfpdrv.sys" type= kernel start= demand error= normal3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc create sysdiag binpath= "C:\Windows\System32\drivers\sysdiag.sys" type= kernel start= demand error= normal depend= FltMgr group= "PNP_TDI"3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\sysdiag.sys"3⤵
- Sets service image path in registry
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\hrwfpdrv.sys"3⤵
- Sets service image path in registry
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Start" /t reg_dword /d "1"3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "Start" /t reg_dword /d "1"3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Group" /d "PNP_TDI"3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances" /f /v "DefaultInstance" /d "sysdiag"3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Altitude" /d "324600"3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Flags" /t reg_dword /d "0"3⤵
-
C:\Windows\system32\sc.exesc start sysdiag3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc start hrwfpdrv3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HRSword.exeHRSword.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop "sysdiag"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "sysdiag"4⤵
-
C:\Windows\system32\net.exenet stop "hrwfpdrv"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "hrwfpdrv"4⤵
-
C:\Windows\system32\sc.exesc delete "hrwfpdrv"3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f3⤵
-
C:\Windows\system32\sc.exesc delete "sysdiag"3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f3⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD53d6b41a929f4e43dd314d1faacfeaa07
SHA18567f8a7ab86771d321ed987acabd500c45983d5
SHA25601a3dabb4684908082cb2ac710d5d42afae2d30f282f023d54d7e945ad3272f5
SHA512475ba01e59425b3c5f36b3d2ce4e7779d5ba9b7a958c831f080641bf6d61928dffda219c234201733a671d868b462c55dbf1a5cb9acfee39e4f2af9e7c359393
-
Filesize
372KB
MD524f25d123103e16a33e3820e9caeb221
SHA14ab5f84dc23f3e57c5085952c177d27133de8934
SHA25611b262c936ffa8eb83457efd3261578376d49d6e789c7c026f1fa0b91929e135
SHA512468d7ce08f1f7e6f8accbf34387b2852c677db77825be2984e8ae3c19c40cd77538d40f37a85aa83e59677cdc894d3d13e82d2fe054f6c61faa7dc46dd462f60
-
Filesize
465KB
MD5033c9f28acadaaa32d947a4026020bea
SHA148c62ced29bfbdf25b60c692c9b2b9396c895ee3
SHA25690040340ee101cac7831d7035230ac8ad4224d432e5636f34f13aa1c4a0c2041
SHA512a2fc74c738450cb7daeefa88bd0e875304e7a05a9b2ec6a918a32618044ed32ace94be3840aa4b615a3322621e43dfe135659309f85092471dbc4b5e71a2f315
-
Filesize
2KB
MD508287d592dbb0b62b6102ba69c41cd01
SHA12ad8841b3f08f7769fa01bb444a6c940cf0b850d
SHA256edeacb1eb572585b590291670cd94e91ebbf5b4b1e8e33d7df6d118abf5da654
SHA51238b7b6f5545190b3c53ec40857dd51d17ed811813c777a134bf8a9c61eafa6cfe14b3c2102de9e84cf144dcdb331316c5775954a8637f0558b6d20d8a83d3294
-
Filesize
1.2MB
MD5f3f6a3ad37c08d53db9fd94827b24b28
SHA1ea57fd1d4ea8a3bbee6dc8f3bc8b4ac230a85fe3
SHA2565d44528171262b48899c3c1887f79d4eafa5491d6ad32d4e4db241c54d00bcb5
SHA512b7d1e8ae551d19289c838739cdeef236f696697274937fb35d118ea1c78fc0696a2b75441641e5e4ab707bb20393d408f55ceb9ea2d33aa7adf54a53dc1f315d
-
Filesize
1.5MB
MD5322e0770b0125261d5366ee6fe6a24cd
SHA114d3b9d9f3bf9514fa7e08d72e302c0c57cbc1c3
SHA256a4dcc657bed118b4459115522477abc5364cc099f23db93f6a6d3088cfb66051
SHA512dfd553d68cf23848673812b2da879315404ef8db2d69add8061f7e5cbf93a069e93484e78b642c10c52f22409eed47ac645c31717c1b4063dccbd2a11319892d
-
Filesize
405KB
MD5ff1febcbe870732f1d5c05249bf170bd
SHA18389262982ea518203e791e9aa3b7d2f05b68968
SHA256c73619449cea5194e5d8b43bd45758419853dc6cf67fdc0d6c561011671e1007
SHA512a331e333edf690975ec374ac385aa40f1c55c8e7ee0e5e8d486ef0a841623a8dad1eacf99442818c9085545796ef903909f4293731b4d5b7ed8ba11681fee682
-
Filesize
378KB
MD5b5efa5d82e2d5e56641df5f51c2f4fa9
SHA16dd68d5409f919ee85998b8c8767fd9dba0b221b
SHA256d54e680de12427dee9bd3f1681c388b9d68856bf05a04aaf8f3285acc02e9a62
SHA51235ccab5891c9ffd75ea0a509920ccd7ddb44797ea47c03440a52fc166cb94e16889c2dfedb42b6a7bb5b21c8281af4202811705b1a1e6032687176131655bcd8
-
Filesize
540KB
MD5c47671c720673da9d7c86a6a3061fc7c
SHA17f1aae332ab66715ba1f28b90391023d50166715
SHA256f383c9c85c9eb343dc80054ea013ce9a25087d0b23844c1502be7dffcf5b4b84
SHA5121534d579e050728cb11c6d8b13ef94349e52409a08bae7c45d6e9cf51ff9763b2e2280758fbaeb1a7a82af02abb956ff5edf65683d45dd05167141492f55b529
-
Filesize
1.1MB
MD56450f7382ab6829ab19e46f05ebe1a35
SHA172218a55a97b537b45c5435eed7dcf405d86cd78
SHA2562a20f321c58f83e0cb79000033abbd5dcbe94feb91272a77f959069395289561
SHA512eba474847a254dc6bf0ebc2f1b09981ea2960e386be27ccb53f878a5a296c2309645e55909e36a2a524c391b1b0ae44b103128580461d96b8f1a981f0a00db66
-
Filesize
855KB
MD5d2858da36e52ea8479ca5ecfe8b3affc
SHA117056f0944025576b1d0288bb17e9ed19b406bdb
SHA2565900caf6adf8b53f632a85897608200d76e1848e53d50fc4477901524a9ff48a
SHA512f2ff9a55fdd992a5eea37a51779322ca893ff4e0256819ef2ba7ed0e41d7079f2d62401554f67ac379fb59b69b00a43f8f85194c33cb41e2162329ef403a4790
-
Filesize
180KB
-
Filesize
180KB