609cccd44a03bfd93cef765de354cdb2d3b847d90bc4dca0116ace0b1cfb1bc7

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HRSword x64/ע.bat
Size

1KB
MD5

aa0c805a6f8ddfd2c5d916302f8d1ef9
SHA1

4960aa9138d01c5f5951093559598462205c8735
SHA256

4c40774339bfb89bb1b6018f46980e6846932aa20ffd359643aad7e4d4ff6ed6
SHA512

a2dcf57d9918832123410331968eb5ab49da44c27743c5ea4735d865025f9814fb30ae28805ddb4e2cee4053edd8e08baf419fd6360e7740dd86c1d31613de80

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\sysdiag.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sysdiag.sys	cmd.exe
File created	C:\Windows\System32\drivers\hrwfpdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hrwfpdrv.sys	cmd.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sysdiag\ImagePath = "system32\\DRIVERS\\sysdiag.sys"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hrwfpdr\ImagePath = "system32\\DRIVERS\\hrwfpdrv.sys"	reg.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2412	sc.exe
2692	sc.exe
2548	sc.exe
2608	sc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2488	1220	cmd.exe	29
PID 1220 wrote to memory of 2488	1220	cmd.exe	29
PID 1220 wrote to memory of 2488	1220	cmd.exe	29
PID 1220 wrote to memory of 2204	1220	cmd.exe	30
PID 1220 wrote to memory of 2204	1220	cmd.exe	30
PID 1220 wrote to memory of 2204	1220	cmd.exe	30
PID 1220 wrote to memory of 2888	1220	cmd.exe	31
PID 1220 wrote to memory of 2888	1220	cmd.exe	31
PID 1220 wrote to memory of 2888	1220	cmd.exe	31
PID 1220 wrote to memory of 2772	1220	cmd.exe	32
PID 1220 wrote to memory of 2772	1220	cmd.exe	32
PID 1220 wrote to memory of 2772	1220	cmd.exe	32
PID 1220 wrote to memory of 2940	1220	cmd.exe	33
PID 1220 wrote to memory of 2940	1220	cmd.exe	33
PID 1220 wrote to memory of 2940	1220	cmd.exe	33
PID 1220 wrote to memory of 2936	1220	cmd.exe	34
PID 1220 wrote to memory of 2936	1220	cmd.exe	34
PID 1220 wrote to memory of 2936	1220	cmd.exe	34
PID 1220 wrote to memory of 2992	1220	cmd.exe	35
PID 1220 wrote to memory of 2992	1220	cmd.exe	35
PID 1220 wrote to memory of 2992	1220	cmd.exe	35
PID 1220 wrote to memory of 2548	1220	cmd.exe	36
PID 1220 wrote to memory of 2548	1220	cmd.exe	36
PID 1220 wrote to memory of 2548	1220	cmd.exe	36
PID 1220 wrote to memory of 2608	1220	cmd.exe	37
PID 1220 wrote to memory of 2608	1220	cmd.exe	37
PID 1220 wrote to memory of 2608	1220	cmd.exe	37
PID 1220 wrote to memory of 2620	1220	cmd.exe	38
PID 1220 wrote to memory of 2620	1220	cmd.exe	38
PID 1220 wrote to memory of 2620	1220	cmd.exe	38
PID 1220 wrote to memory of 2648	1220	cmd.exe	39
PID 1220 wrote to memory of 2648	1220	cmd.exe	39
PID 1220 wrote to memory of 2648	1220	cmd.exe	39
PID 1220 wrote to memory of 2664	1220	cmd.exe	40
PID 1220 wrote to memory of 2664	1220	cmd.exe	40
PID 1220 wrote to memory of 2664	1220	cmd.exe	40
PID 1220 wrote to memory of 2804	1220	cmd.exe	41
PID 1220 wrote to memory of 2804	1220	cmd.exe	41
PID 1220 wrote to memory of 2804	1220	cmd.exe	41
PID 1220 wrote to memory of 2560	1220	cmd.exe	42
PID 1220 wrote to memory of 2560	1220	cmd.exe	42
PID 1220 wrote to memory of 2560	1220	cmd.exe	42
PID 1220 wrote to memory of 2512	1220	cmd.exe	43
PID 1220 wrote to memory of 2512	1220	cmd.exe	43
PID 1220 wrote to memory of 2512	1220	cmd.exe	43
PID 1220 wrote to memory of 2532	1220	cmd.exe	44
PID 1220 wrote to memory of 2532	1220	cmd.exe	44
PID 1220 wrote to memory of 2532	1220	cmd.exe	44
PID 1220 wrote to memory of 2540	1220	cmd.exe	45
PID 1220 wrote to memory of 2540	1220	cmd.exe	45
PID 1220 wrote to memory of 2540	1220	cmd.exe	45
PID 1220 wrote to memory of 2412	1220	cmd.exe	46
PID 1220 wrote to memory of 2412	1220	cmd.exe	46
PID 1220 wrote to memory of 2412	1220	cmd.exe	46
PID 1220 wrote to memory of 2692	1220	cmd.exe	47
PID 1220 wrote to memory of 2692	1220	cmd.exe	47
PID 1220 wrote to memory of 2692	1220	cmd.exe	47

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HRSword x64\ע.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\system32\reg.exe
  REG QUERY "HKU\S-1-5-19"
  2⤵
  PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy usysdiag.exe "C:\Users\Admin\AppData\Local\Temp\HRSword x64\\" 1>NUL 2>NUL"
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy sysdiag.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"
  2⤵
  - Drops file in Drivers directory
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" copy hrwfpdrv.sys "C:\Windows\System32\drivers\" 1>NUL 2>NUL"
  2⤵
  - Drops file in Drivers directory
  PID:2992
- C:\Windows\system32\sc.exe
  sc create hrwfpdrv binpath= "C:\Windows\System32\drivers\hrwfpdrv.sys" type= kernel start= demand error= normal
  2⤵
  - Launches sc.exe
  PID:2548
- C:\Windows\system32\sc.exe
  sc create sysdiag binpath= "C:\Windows\System32\drivers\sysdiag.sys" type= kernel start= demand error= normal depend= FltMgr group= "PNP_TDI"
  2⤵
  - Launches sc.exe
  PID:2608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\sysdiag.sys"
  2⤵
  - Sets service image path in registry
  PID:2620
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\hrwfpdrv.sys"
  2⤵
  - Sets service image path in registry
  PID:2648
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Start" /t reg_dword /d "1"
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\hrwfpdr" /f /v "Start" /t reg_dword /d "1"
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag" /f /v "Group" /d "PNP_TDI"
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances" /f /v "DefaultInstance" /d "sysdiag"
  2⤵
  PID:2512
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Altitude" /d "324600"
  2⤵
  PID:2532
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\sysdiag\Instances\sysdiag" /f /v "Flags" /t reg_dword /d "0"
  2⤵
  PID:2540
- C:\Windows\system32\sc.exe
  sc start sysdiag
  2⤵
  - Launches sc.exe
  PID:2412
- C:\Windows\system32\sc.exe
  sc start hrwfpdrv
  2⤵
  - Launches sc.exe
  PID:2692