Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3hetman_par...1).exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows10-2004-x64
3Hetman Par...ry.chm
windows10-2004-x64
1Hetman Par...ry.exe
windows10-2004-x64
6Resources/...nu.dll
windows10-2004-x64
1Resources/...nu.dll
windows10-2004-x64
1Resources/FileExt.dll
windows10-2004-x64
1Resources/LoadRAW.dll
windows10-2004-x64
3Resources/...DF.dll
windows10-2004-x64
3Resources/...rn.dll
windows10-2004-x64
3Resources/...mp.dll
windows10-2004-x64
1Resources/...ig.exe
windows10-2004-x64
1Resources/...0d.dll
windows10-2004-x64
3Resources/...tf.dll
windows10-2004-x64
1media_dll/SDL-2.dll
windows10-2004-x64
1media_dll/SDL.dll
windows10-2004-x64
1media_dll/...54.dll
windows10-2004-x64
3media_dll/...54.dll
windows10-2004-x64
1media_dll/...-3.dll
windows10-2004-x64
1media_dll/...54.dll
windows10-2004-x64
3media_dll/...52.dll
windows10-2004-x64
1media_dll/...-0.dll
windows10-2004-x64
3media_dll/...-2.dll
windows10-2004-x64
3Analysis
-
max time kernel
1384s -
max time network
1171s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/03/2024, 09:34
Static task
static1
Behavioral task
behavioral1
Sample
hetman_partition_recovery (1).exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Hetman Partition Recovery.chm
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
Hetman Partition Recovery.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Resources/DSKImageMenu.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
Resources/DiskMenu.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Resources/FileExt.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Resources/LoadRAW.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Resources/MagicPDF.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
Resources/StarBurn.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Resources/magic_cmp.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Resources/magic_jbig.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Resources/msvcr100d.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Resources/wp_type1ttf.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
media_dll/SDL-2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
media_dll/SDL.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
media_dll/avcodec-54.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
media_dll/avdevice-54.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
media_dll/avfilter-3.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
media_dll/avformat-54.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
media_dll/avutil-52.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
media_dll/swresample-0.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
media_dll/swscale-2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
Resources/DiskMenu.dll
-
Size
438KB
-
MD5
bc8bd63d84cb79f3f5197f93ad66ebbd
-
SHA1
aeebf9e0195a431c313c73800db40ae923d7ddd4
-
SHA256
c732134c5d48d66c1dd2e5cf96e14f5effff4d75c2fc57d68822120d61fb663c
-
SHA512
7212e410d9b38df3aa0a65ac6f3cb049acae67f7321f180c00eb85e74e422528b752fbffc237be6cf8a0bc2116bb35fe40be49b0b8e67df0870da9e3c747d210
-
SSDEEP
6144:wkkZ95ynk6VMzgtB6/lMWEsaE0PrHlPZ1xoSkUQ6TU+6NvM:wR5ynkMMzMyWWEK0PrRG2UfE
Malware Config
Signatures
-
Modifies registry class 13 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DiskMenu.Hetman Partition Recovery\Clsid\ = "{66953641-5DA9-4A81-82E8-2727300BBD29}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66953641-5DA9-4A81-82E8-2727300BBD29}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Hetman Partition Recovery regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66953641-5DA9-4A81-82E8-2727300BBD29} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66953641-5DA9-4A81-82E8-2727300BBD29}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Resources\\DiskMenu.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66953641-5DA9-4A81-82E8-2727300BBD29}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Hetman Partition Recovery\ = "{66953641-5DA9-4A81-82E8-2727300BBD29}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DiskMenu.Hetman Partition Recovery regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DiskMenu.Hetman Partition Recovery\ = "Recover Deleted Files" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66953641-5DA9-4A81-82E8-2727300BBD29}\ProgID\ = "DiskMenu.Hetman Partition Recovery" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66953641-5DA9-4A81-82E8-2727300BBD29}\ = "Recover Deleted Files" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66953641-5DA9-4A81-82E8-2727300BBD29}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DiskMenu.Hetman Partition Recovery\Clsid regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 540 wrote to memory of 4312 540 regsvr32.exe 90 PID 540 wrote to memory of 4312 540 regsvr32.exe 90 PID 540 wrote to memory of 4312 540 regsvr32.exe 90