Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

hetman_par...1).exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows10-2004-x64

3

Hetman Par...ry.chm

windows10-2004-x64

1

Hetman Par...ry.exe

windows10-2004-x64

6

Resources/...nu.dll

windows10-2004-x64

1

Resources/...nu.dll

windows10-2004-x64

1

Resources/FileExt.dll

windows10-2004-x64

1

Resources/LoadRAW.dll

windows10-2004-x64

3

Resources/...DF.dll

windows10-2004-x64

3

Resources/...rn.dll

windows10-2004-x64

3

Resources/...mp.dll

windows10-2004-x64

1

Resources/...ig.exe

windows10-2004-x64

1

Resources/...0d.dll

windows10-2004-x64

3

Resources/...tf.dll

windows10-2004-x64

1

media_dll/SDL-2.dll

windows10-2004-x64

1

media_dll/SDL.dll

windows10-2004-x64

1

media_dll/...54.dll

windows10-2004-x64

3

media_dll/...54.dll

windows10-2004-x64

1

media_dll/...-3.dll

windows10-2004-x64

1

media_dll/...54.dll

windows10-2004-x64

3

media_dll/...52.dll

windows10-2004-x64

1

media_dll/...-0.dll

windows10-2004-x64

3

media_dll/...-2.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    42s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 09:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hetman_partition_recovery (1).exe

  • Size

    14.4MB

  • MD5

    2e38acafdd1217158022eb20bfb375dc

  • SHA1

    9409779c5c5b1c435621fe092f1cdedd6cf0444e

  • SHA256

    66e9f4d03e67dbcbd9d3a13bfc45b2c11e712b677e990e8ea1b405b60a3a40b2

  • SHA512

    e6f8b3021fee20d4dfdda272f63ec4a23d61809b4b83b7fcfb8bcd8e7d3e554f7f103e14f748d060c2839fe537c04cf8a0f6dfa8244fcb570d8e6ba7e465201e

  • SSDEEP

    393216:BI4dmkHNSQu2lFIEoLKjEGUln1jQdDSrzYlBEHZ:BJHNS7rEoLCP6BCfY

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 43 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hetman_partition_recovery (1).exe
    "C:\Users\Admin\AppData\Local\Temp\hetman_partition_recovery (1).exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32 /s "C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Resources\DiskMenu.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:5076
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32 /s "C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Resources\DSKImageMenu.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:4508
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4680
  • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Hetman Partition Recovery.exe
    "C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Hetman Partition Recovery.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:456
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4084

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Hetman Partition Recovery.exe
      Filesize

      5.7MB

      MD5

      e09c8dd9e4d4bedcbe03a1160cfb836c

      SHA1

      7542b3dafe46568bf249f19d20f2de87a1225969

      SHA256

      9644692e5de69bd9d8567c81f1912feff1b4a86f1da812b98d5236196e26911a

      SHA512

      2318c0e877ffef52aa23261c07b9592e70e0edd23d6cef43cfbc8974cbd954da11bcece9884ce7aef15c23aeaf86aeac83707b64fe51bddf3696c51090fa315f

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Hetman Partition Recovery.exe
      Filesize

      12.6MB

      MD5

      9bcf99f1a39d4f74d2935858c347e8f7

      SHA1

      83548f2ccf67f8cfd9494f83d3e9455f9b755898

      SHA256

      88012c98272bf2b4aa4ae9f96bba8fac496da5d60ce6180207eaaf10cd780148

      SHA512

      96e292d6e86d6262c736288aaea3294fe15cdabe8b8aeaae11268e38944933f71bf72e45f543a0c3d82df5e8c484b49a57b4651c8618637f61a0db9e35169d7a

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Hetman Partition Recovery.exe
      Filesize

      11.6MB

      MD5

      190315ecb29f60b496a4907373e86c4e

      SHA1

      09ee1bb337cf14c077f1d7394da509b717bae57c

      SHA256

      9da41bde6ca1ac97ad4a364fe3189dc3183daaf9d0aef8fb8bde16fde152ebb9

      SHA512

      0825e3b2bdfe5b9c90b045adbf130468e485df95754b31bf34989976be2c1e87e88c214a5674267ff01209cb8e6a27f61e406129f4d5271209e30276221ace4a

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Language\English.lng
      Filesize

      7KB

      MD5

      9ca01bbffa3d6cfed8830fb3018b350d

      SHA1

      55a631baf0a8cc3efb9c00127a5d0001ba5564a8

      SHA256

      34c71e006778a53f29faf3d4070040c19d409c76a18b804bca21de5230dfc6a6

      SHA512

      4a5d28920865fb4b29bf0e10ae4c4b5192347e69ae13a788e198fede9dd6dba706373fc43fd1649da3d23ec2f7d84c9874a75d6d95bb48c425f7410ef9151cfd

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Language\common\English.lng
      Filesize

      17KB

      MD5

      4e98d7a0773c3e7b41620dfa54e69561

      SHA1

      1e3e6f7277bb685e9d1cb3a1e78fe665c47410b6

      SHA256

      12a7b7c52ba15a0debf3fa4cef75e4b47a47a464d111029e8dfe7e0e3772a51f

      SHA512

      dacbd58aa1f33199ebc454457cbbd757f6205a6c24a3368cb56f8ce029289cda0eadbfd41ce836f1b368bd6c09b81b9986daf9c8866d682e20dbec75241527ab

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Resources\DSKImageMenu.dll
      Filesize

      440KB

      MD5

      6e7ca785db2b43c45558ac7666a3413e

      SHA1

      c488648729538d312eb0f6114876e90336d3867b

      SHA256

      3a7f8b923eaf6ab54299ffcb03b0d33b09e52a5f2297b029b0f931c9896a7ca6

      SHA512

      1633e10d886d23604d8152a3299e6ed41658f5fff30ea581e2aee22695f010cda2059836c34135d67404026a30526a83f065b45cadf089180e623de253fcc2d8

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Resources\DiskMenu.dll
      Filesize

      438KB

      MD5

      bc8bd63d84cb79f3f5197f93ad66ebbd

      SHA1

      aeebf9e0195a431c313c73800db40ae923d7ddd4

      SHA256

      c732134c5d48d66c1dd2e5cf96e14f5effff4d75c2fc57d68822120d61fb663c

      SHA512

      7212e410d9b38df3aa0a65ac6f3cb049acae67f7321f180c00eb85e74e422528b752fbffc237be6cf8a0bc2116bb35fe40be49b0b8e67df0870da9e3c747d210

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Resources\MagicPDF.dll
      Filesize

      2.7MB

      MD5

      d6483fac44e989285975f2f93e384ee4

      SHA1

      3ab591cc4b40c21926ce2e8d925082428cbdea3b

      SHA256

      c13ecf30f5f377813465ffd1585802f7126a21b7246a2f84629a4b0d0d9f210a

      SHA512

      861b95c9c21ac73848033111eeaee7079702fe00ddbb6c885fdd0b3403df88c5f063a2bdff482409c2bd5c308a88c098e357fa4001e9bbdc7621b3ca66efbab5

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Resources\StarBurn.dll
      Filesize

      754KB

      MD5

      ce92db83bd93f52dfd41aed7db8c7ee3

      SHA1

      ee975849efc8caff9996d31466c1860d0128e3d2

      SHA256

      4e47378461d096d99c2fa59c93a95822341990655141f67b2e298dc0028a81e3

      SHA512

      4a55255bf65f143e19da42b43b801690f512789b189a57392764e5f83a965f89ed7b77072b8f4ebff2152f52baa6b7c080240665efccfbfb26bf9633f9263c0f

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Resources\wp_type1ttf.dll
      Filesize

      735KB

      MD5

      ab15f2fa750b56a6acb12081975325ac

      SHA1

      0781fdc03e1d0831b0f8d6a6365a0a6d8c26ca5d

      SHA256

      ac93fb3b7c4fd2a8f0cc8a1760e55cc50019e6dbf04c7d78caa2e017ba62f555

      SHA512

      d2c3a8616f4ebff17e6449170186a2e04ac50677ad7b27ab3f2bd2a67ec91dda94ffeadcd86b8553d747dee4854928ad854e9ed6043b123a541ddbbe62870b30

      Download Submit

    • C:\Program Files (x86)\Hetman Software\Hetman Partition Recovery 2.3\Settings.ini
      Filesize

      1KB

      MD5

      a7ad7e678b857b7fe5ec815e80326c9e

      SHA1

      7355efccc2c2c4bb55b7eab942a1faf38c310be3

      SHA256

      4126c46bb0610e6cef3082c1f29fc6afc8af51abf20d707d74d23d077c661d71

      SHA512

      092a67fc50a6d2fcf261db38627178a1e248bf1a1e96ebd77c2b8749743c647a43c2b2c2c6c266be4d5e3fa8ae65cf5b4e30b4439859bf681713d8ea0854e5de

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsy4A.tmp\InstallOptions.dll
      Filesize

      15KB

      MD5

      89351a0a6a89519c86c5531e20dab9ea

      SHA1

      9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

      SHA256

      f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

      SHA512

      13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsy4A.tmp\Options_English.ini
      Filesize

      1KB

      MD5

      0a72818b828b4251f6a1fb3336124a79

      SHA1

      355bf811ad4d752bdcdee3ccaf0aaaa456a37b23

      SHA256

      105bf24a632c945d40ee96989af54e2406d02aaf5fca05fbe19612e0d5fae68a

      SHA512

      3eb122f72b7000e8ef82657200ad5b7bc3ee892769d3d8eab068a95c42c4fa412af4b431d2c5f70ef4aeba808fe7db0c3c24fd104cdd0f8700a4444404f5aa48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsy4A.tmp\Options_English.ini
      Filesize

      1KB

      MD5

      76a0c88892f11fe7f90cd075d4ac3693

      SHA1

      cdf45b0b1a7c8ad76eaa2839dde7b2bad6eab0c5

      SHA256

      67646a88446fd9962bc67970485bf10fb924ddf058e2c8bed14b3b340da52c48

      SHA512

      2fbe63cc528a599fabb1d449b2b64c0e40a5edca973d7fb0e2de19f12bcd8248669a1be6ce166fdb3ec947584a481143e57b4ab77a0873b81b029b265061b785

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsy4A.tmp\ioSpecial.ini
      Filesize

      1KB

      MD5

      cceb6aa8f48fbc82b4e843a972db650a

      SHA1

      c132f3ae014668901388556f8029e6796eef3e35

      SHA256

      7cd16b428bd8e4c09e13bfe5b32f4bbcf6dfe8a74a21e75bd384151518f975e2

      SHA512

      8a77f8a0f5325259ddc37cec9af4d8f006e75a11f7cc1379c4326a5f0c4016464d003972568df9677adfe27cbdebc002e303a3a0c2d96556af2ed91f779f69dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsy4A.tmp\ioSpecial.ini
      Filesize

      1KB

      MD5

      159712303bd835146fc137da9660fdd9

      SHA1

      9bd70f29f93b68a4fb97bf0509dd5597b157041d

      SHA256

      3eb46c76d1541654ed4effd124e38fb81077051fd83d2e2f4bf67dbc86c1532d

      SHA512

      9d6b055c82925e22cacbd3e1535c83078f29f0bb4d0dc3eeeacf99e47a39b09511802c019508aec61b8ca4106a65587644bd4a1489888d9d71b9f44495817e0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsy4A.tmp\ioSpecial.ini
      Filesize

      1KB

      MD5

      30b3698ea0fbdd5aaf9010740151f58a

      SHA1

      49949acc40370fc4b6fd19f24cfa79a6db728ae1

      SHA256

      9ffe9048473c9067d54123017720e7096d1e5d8e50afbc1546802c95a42f13e1

      SHA512

      b2e13d928eec4106b502d191dd6509843b16c183992ce53ba144a04fbe465e309a35c8398aea68d94cf2eb541cad078e83426f5ff6ed898add1d423b2105ec94

      Download Submit

    • memory/456-346-0x0000000000400000-0x000000000144C000-memory.dmp

      Filesize

      16.3MB

      Download

    • memory/456-345-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/456-344-0x0000000005B00000-0x0000000005B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/456-341-0x0000000006120000-0x0000000006422000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/456-347-0x0000000006120000-0x0000000006422000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/456-348-0x00000000075D0000-0x00000000075D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/456-335-0x0000000001A00000-0x0000000001ACF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/456-336-0x0000000003430000-0x0000000003431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/456-351-0x0000000000400000-0x000000000144C000-memory.dmp

      Filesize

      16.3MB

      Download

    • memory/456-353-0x0000000003430000-0x0000000003431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-84-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-90-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-89-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-85-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-86-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-87-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-88-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-79-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-80-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-78-0x00000196D3240000-0x00000196D3241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5076-318-0x0000000001FE0000-0x0000000002057000-memory.dmp

      Filesize

      476KB

      Download