Analysis

  • max time kernel
    240s
  • max time network
    203s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/05/2024, 03:43

General

  • Target

    HDTuneProPortable.exe

  • Size

    525KB

  • MD5

    62c5d98777d7f5af0fbb774e979fc6c7

  • SHA1

    642a495b7f310becae78ed3d1ce7d6a78982e7e1

  • SHA256

    6bdea440ff56a7a4c6e637db2534f86f020d77bbe1810cc66958b9d7bbe7dee7

  • SHA512

    323dd85c7a1d818c95a0298d53eb387020d762520aa2ac7b22363155378b7d7b1a6edd9e3a03aab45295794c7847117187d1ed812ef8258a5dc2f86078e3619c

  • SSDEEP

    6144:hEUX/VPTSAD6RVhQ185tST+UuIg7Q+Y9Ifi+ROp5:hEgPGAAoiHUubQzIBG

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HDTuneProPortable.exe
    "C:\Users\Admin\AppData\Local\Temp\HDTuneProPortable.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Users\Admin\AppData\Local\Temp\App\HDTunePro\HDTunePro.exe
      "C:\Users\Admin\AppData\Local\Temp\App\HDTunePro\HDTunePro.exe"
      2⤵
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4548

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsz4661.tmp\System.dll

          Filesize

          11KB

          MD5

          bf712f32249029466fa86756f5546950

          SHA1

          75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

          SHA256

          7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

          SHA512

          13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

        • C:\Users\Admin\AppData\Local\Temp\nsz4661.tmp\launcher.ini

          Filesize

          624B

          MD5

          99698f530ee6ee494895b7f1b5965baa

          SHA1

          049f5e78f23c8bccc6ca331ce72056132237a53b

          SHA256

          ca81c95d231774e029ec6e166d1e6c2bfc7761dc86f30b8bf80c8df7ff799b72

          SHA512

          506debd024d2bdb08692cfd381625153e6c1ec7d5ca0917ab5119ef1b0e4a3a5024f8c75ff2d55c188109bec23f90f5ba3372d0ddba93dc20d34f2f9fd66a2c6

        • C:\Users\Admin\AppData\Local\Temp\nsz4661.tmp\registry.dll

          Filesize

          29KB

          MD5

          2880bf3bbbc8dcaeb4367df8a30f01a8

          SHA1

          cb5c65eae4ae923514a67c95ada2d33b0c3f2118

          SHA256

          acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

          SHA512

          ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3