a6eb7a7372c462b2e181014540491a062c540edc4ba0f65a9169cfbfb473e6c7

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hrsword.exe
Size

2.1MB
MD5

32dad2acce51b9474545efd6d3b49c06
SHA1

77ff0ec1afa6758b52bedb5e920f2ae16155a878
SHA256

a6eb7a7372c462b2e181014540491a062c540edc4ba0f65a9169cfbfb473e6c7
SHA512

9dd53a25200b6544acf1ea7d38a8cb5be83e94c03bca2865d89a8285fbc49192ddd1a7e5cffe59e586568a8600c964f72f779a7927f753e685c98d363ea1342a
SSDEEP

49152:uy+7vlXiY0zkUuut9O1IpxpBUCchsxt4XqEkxqaVgNaVb5gc:uyadCzkUbNLTiVdkxxt

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\sysdiag.sys	hrsword.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sysdiag\ImagePath = "system32\\DRIVERS\\sysdiag.sys"	hrsword.exe

Executes dropped EXE 2 IoCs

pid	Process
1340	usysdiag.exe
1984	sysdiag-gui.exe

Loads dropped DLL 22 IoCs

pid	Process
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1884	hrsword.exe
1984	sysdiag-gui.exe
1984	sysdiag-gui.exe
1984	sysdiag-gui.exe
1984	sysdiag-gui.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dtrampo.dll	hrsword.exe
File created	C:\Windows\System32\dtrampo.dll	hrsword.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\behavior.dll	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\libxsse.dll	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\dbghelp.dll	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\symsrv.dll	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.exe	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\sysdiag-gui.exe	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.dll	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\daemon.dll	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\symsrv.yes	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\uninst.exe	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\bin\uactmon.dll	hrsword.exe
File created	C:\Program Files (x86)\Huorong\Sysdiag\VERSION	hrsword.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1884	hrsword.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1884	hrsword.exe
Token: SeLoadDriverPrivilege	1884	hrsword.exe
Token: SeDebugPrivilege	1340	usysdiag.exe
Token: SeDebugPrivilege	1984	sysdiag-gui.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1340	1884	hrsword.exe	30
PID 1884 wrote to memory of 1340	1884	hrsword.exe	30
PID 1884 wrote to memory of 1340	1884	hrsword.exe	30
PID 1884 wrote to memory of 1340	1884	hrsword.exe	30

C:\Users\Admin\AppData\Local\Temp\hrsword.exe
"C:\Users\Admin\AppData\Local\Temp\hrsword.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.exe
  "C:\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.exe" 644
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1340

C:\Program Files (x86)\Huorong\Sysdiag\bin\sysdiag-gui.exe
"C:\Program Files (x86)\Huorong\Sysdiag\bin\sysdiag-gui.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Huorong\Sysdiag\bin\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.exe

Filesize
298KB

MD5
e6f41c34409e3f57f66013934b7124f0

SHA1
c40f97cb8de9741eb9281ea73e8892fd8af38b85

SHA256
d85c5bf41b9649446b203846192a6d285483bb7b56d4c7f16f668e4f90b93ba0

SHA512
d6cfb253ceffc8e8df7dccf17b7a9e350430a65f2276cd2383a0473f984bbe0343514a5f5c1403f06be01c6298e0d39e06991492b6aac9d4efb275e96d619901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC8.tmp\modern-wizard.bmp

Filesize
150KB

MD5
38285ac84c87b04c3e2a270f6acb1e82

SHA1
9deb41d62253db1b735dbac323639318122ff254

SHA256
92d28b5e13cca4507995ad61a5599370dfb8c770dbaa0582655959fee1142ab9

SHA512
36186afa3cf859455bdfb2b8009086cd96bf4334ea70d2ca599f4f0ef847834cb6e3672d773166e07a3f8a97062c0c6004365f6706e0f79d045978f5092456a4

Download Submit
\Program Files (x86)\Huorong\Sysdiag\bin\daemon.dll

Filesize
297KB

MD5
fe39e5e036b5c86ddb3ef2ada62ba0bf

SHA1
00adcabbca99ae74fda7794cc06af77d9cb3090c

SHA256
54fdaee273829f0b616a7aa61d8a1bc00b3f6e4b16c4c73b778ceffa5c5e47ba

SHA512
bdb6762be72b80d468af9b35c39608badc85184d5db2472acad87e3db496db044df4ba08730b9c7f5543d9f7753617683556786bdf63e6ded966bea86ca5afbf

Download Submit
\Program Files (x86)\Huorong\Sysdiag\bin\sysdiag-gui.exe

Filesize
2.4MB

MD5
8097161ce5b29e81a4d9420ac468ea0e

SHA1
5f53d9ec9cf1f36cf6c2a3fc2076ee8b6073e761

SHA256
ec408b62a2c04d7eca6f408a9dcc9d00e0d580e3642207e15a534912622a4972

SHA512
34743bacf89d3cb2191a8ff183367993febc5e3c8a539be3a19dbac328c6bfc2c9d23f4c20dc01f8ffab139915fc9ee585c13881fcbc3cc421eef0d6772f5b57

Download Submit
\Program Files (x86)\Huorong\Sysdiag\bin\uactmon.dll

Filesize
146KB

MD5
ffae295cc48606ba15fd9ac07c0c112f

SHA1
8c6f34204f8ac213b0fb90aa51ab21d52cbbbc29

SHA256
fad77b24478f5ec8aa7f6018e000cf504d6227fe217d1543d4b4cbe5f8a3b1ac

SHA512
ef4fcb39e9acabf7ebfd03249b99944e75331becd178b969ac9e12fbd94e8c123925a8a916166583f05e7dc5bbc4e0bd16e67d6e6a417d033349646b6c047e8e

Download Submit
\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.dll

Filesize
376KB

MD5
4c5db6477ea151be370854b1346eeda0

SHA1
4234cc1bc932dd2ab7ee09b83dcf11f1caa87dfa

SHA256
b953561bb3f79136d51e3a23ee96615b68738d7409e034b8955eba6b671a5a3e

SHA512
4972a36b02f246cd132ff6b038604ca938b0a897dbe4222162c93d8f44e3b0fadd64552c2959953cdbbc6d05c0dd8c698a0c59d261d25e01066e74cca6825fde

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDC8.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDC8.tmp\installer-helper.dll

Filesize
145KB

MD5
bfde6b61201b95a2892e63adfce22769

SHA1
7eebee84f7867b4135f361d4a046cdc05a764cdc

SHA256
9f6363712ce45c4a09e5b1c35271eea64ea160f6ed5679bf809ad257cba51bbf

SHA512
1f877e7e90ec1d91667d4da476b83b0a0bea0cf160a97006219332fa1201ab2bf79a65aa54f3e38a1ffd8ba19074c9ac1a0e3a4ca8c20f131a538cccc1fdd9bd

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDC8.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads