5e238c36ae5f8a8ab9aa5e6fa3c568967d61953393384c7c8fd6370f8bc86b85

General

Target

OpenHardwareMonitor/OpenHardwareMonitor.exe
Size

482KB
MD5

a261f824ab957a5331af53c7722fa2de
SHA1

65fe3a6c45fdfa7c92f72a276ad3cd0de723865d
SHA256

ec767a74c5659a05bdb7ac10bd42c2ea6d44fa946286029b2866aed476ad83bc
SHA512

beb9badfc473911b26f8929b13e36fb625eac7cbfd30a7ad0dc3435e6cf3e6a97cc4cb9cb2fd913898bb509b507cac3795b59a28c882c6dec4e948d433857d71
SSDEEP

6144:yVFazTEmgydFPKLuqMgLHqHrHFHwHaC1UTvC38kAieWb2r:cazT7zPKL2AyvC3Rpi

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	OpenHardwareMonitor.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\WBEM\Framework\root\OpenHardwareMonitor\OpenHardwareMonitor_SN__Version_0.9.6.0.cs	OpenHardwareMonitor.exe
File created	C:\Windows\system32\WBEM\Framework\root\OpenHardwareMonitor\OpenHardwareMonitor_SN__Version_0.9.6.0.mof	OpenHardwareMonitor.exe
File created	C:\Windows\system32\wbem\AutoRecover\00F67A77883EFBAE535B360A10E07FD8.mof	mofcomp.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
684	Process not Found
684	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4852	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3220	OpenHardwareMonitor.exe
3220	OpenHardwareMonitor.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3220	OpenHardwareMonitor.exe
3220	OpenHardwareMonitor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 4852	3220	OpenHardwareMonitor.exe	87
PID 3220 wrote to memory of 4852	3220	OpenHardwareMonitor.exe	87
PID 3220 wrote to memory of 756	3220	OpenHardwareMonitor.exe	90
PID 3220 wrote to memory of 756	3220	OpenHardwareMonitor.exe	90
PID 756 wrote to memory of 1556	756	csc.exe	92
PID 756 wrote to memory of 1556	756	csc.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OpenHardwareMonitor\OpenHardwareMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\OpenHardwareMonitor\OpenHardwareMonitor.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\system32\WBEM\mofcomp.exe
  "C:\Windows\system32\WBEM\mofcomp.exe" C:\Windows\system32\WBEM\Framework\root\OpenHardwareMonitor\OpenHardwareMonitor_SN__Version_0.9.6.0.mof
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lsq4mnlv\lsq4mnlv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D5.tmp" "c:\Users\Admin\AppData\Local\Temp\lsq4mnlv\CSC5FCBB3C53B724D18867F4A245D62F512.TMP"
    3⤵
    PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA5D5.tmp

Filesize
1KB

MD5
76e52d02a1097e7617f5b097698308dc

SHA1
32ae1725d8f096c30583e3fee1d6f2b00cf5f5ad

SHA256
cf7a4e490ab32b010e2ca17b3ce5f1dc29fe5bf042343ad6fbcac16bb36cef88

SHA512
05336bdddd13110c60c8a3d9d32c0d9385ff4cae662c882883275f99fc43c0b4d395381a9b1827209479b9d22d18b03f57e520558d224c6c0537f3601478d6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsq4mnlv\lsq4mnlv.dll

Filesize
12KB

MD5
a9d4f140debf765c67dffead5e99f0c2

SHA1
c55faf5038d005f4f3bef157e696b40a314c86e4

SHA256
771d3e1c193f5b665c426de09552ca2f32dcbf45299ec0c6e6e22133fbc90c97

SHA512
004e276a89ec0f64f6cb11c6d30c2369a9cebc1d866cfa93e1cbf5b08075d4fb430e7cf556fada7c947efc79d0b11d008bf617ae3f9b30f45a14236572a79596

Download Submit
C:\Windows\system32\WBEM\Framework\root\OpenHardwareMonitor\OpenHardwareMonitor_SN__Version_0.9.6.0.mof

Filesize
6KB

MD5
51b2d2494b0f7e8eae04e9fd67e3cb28

SHA1
07d8fbd286638702adf234aec05dc796a19d8c38

SHA256
b3e2460646a549881082d8fe9e6532c153d3deb65a6deff2d3146bca6cda4766

SHA512
4a31675d636261f50eb241b5d61b5ebbfe7464464ca916b98fa384d18fed362740a41c0566488e4f1c2dc1a88c0068fbd4558641a70f7197bced52e3d07f7beb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsq4mnlv\CSC5FCBB3C53B724D18867F4A245D62F512.TMP

Filesize
652B

MD5
072e6bd538534262c07d9ce14a63e329

SHA1
0b72da9f565bb378de5d83ebbbe12b84bb8e16b8

SHA256
843271485c94490e0e8236f459015ef7e12c1c5cde9dc44a0a7ed2829d8870c6

SHA512
30cdafc1c1fcbf7cac8224926793cf7612e786c6d5edfffe33c9498735b16ec5cda616a129b601086730adfd6510401a8b16f896d1956d16ed4b39657d2d560c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsq4mnlv\lsq4mnlv.0.cs

Filesize
19KB

MD5
07a1d0ad3304d4589bb083a5e4187d7d

SHA1
f7f7a5a5809149bb9e5da124602cae006bb2ffb2

SHA256
fdfe8a3908694c6e084a051c54be36225c2395b43a860852fb51ebc1095597d4

SHA512
aba2820cdf1efc677fed70f889c51547a067401b279b07b7f3567dfa2f4f42f487fc4476cbe64c8452c6e7d264182ee402d5542352f70eb051f87100d26c10cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsq4mnlv\lsq4mnlv.cmdline

Filesize
532B

MD5
9861dd4e0f542ff09e06e0dbb060f46a

SHA1
14e9916c2cc10804237c74a152ea41b3ce04c426

SHA256
6002c5780294bfe57e429a19b0779712605d817432d88b8333eaf5fc5ec888e3

SHA512
e9d39ef49db173c19f29ad0656bd404fb3e8bb00346327039c2ec5590009b9376db31adfe2db256dfa36de6a17153c3a1df3908cc00bbbdc42796a64a0f50ba2

Download Submit
memory/3220-5-0x000001A9CF9D0000-0x000001A9CFA20000-memory.dmp

Filesize
320KB

Download
memory/3220-1-0x000001A9B5C90000-0x000001A9B5CBA000-memory.dmp

Filesize
168KB

Download
memory/3220-0-0x000001A9B3F00000-0x000001A9B3F7E000-memory.dmp

Filesize
504KB

Download
memory/3220-4-0x000001A9B5D80000-0x000001A9B5D90000-memory.dmp

Filesize
64KB

Download
memory/3220-3-0x000001A9B5D20000-0x000001A9B5D72000-memory.dmp

Filesize
328KB

Download
memory/3220-2-0x00007FFCBD990000-0x00007FFCBE452000-memory.dmp

Filesize
10.8MB

Download
memory/3220-30-0x000001A9CE6A0000-0x000001A9CE6AA000-memory.dmp

Filesize
40KB

Download
memory/3220-6-0x000001A9B5DC0000-0x000001A9B5DCC000-memory.dmp

Filesize
48KB

Download
memory/3220-32-0x000001A9B5D80000-0x000001A9B5D90000-memory.dmp

Filesize
64KB

Download
memory/3220-33-0x000001A9B5E50000-0x000001A9B5E51000-memory.dmp

Filesize
4KB

Download
memory/3220-34-0x000001A9B5D80000-0x000001A9B5D90000-memory.dmp

Filesize
64KB

Download
memory/3220-35-0x00007FFCBD990000-0x00007FFCBE452000-memory.dmp

Filesize
10.8MB

Download
memory/3220-36-0x000001A9B5D80000-0x000001A9B5D90000-memory.dmp

Filesize
64KB

Download
memory/3220-37-0x000001A9B5D80000-0x000001A9B5D90000-memory.dmp

Filesize
64KB

Download
memory/3220-38-0x000001A9B5D80000-0x000001A9B5D90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads