Analysis
max time kernel: 22s
max time network: 26s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-06-2024 16:12
Static task: static1
Behavioral task: behavioral1
Sample: hwmonitor_1.53.exe
Resource: win11-20240508-en
General
Target: hwmonitor_1.53.exe
Size: 1.5MB
MD5: 18e9c645a32e634c0ab179b2e4b847de
SHA1: d8c9af37656a4ed0892d86c5dd359f7d672d2140
SHA256: c77cb3f7c51d7e2b0b0f5e9fca3bbf67e6cbe4fa0c9099547d2aa14c35629314
SHA512: fcde0e66d3ca4947e4ff0e36d93a0a50d6e763f98d0a875da32ed1b5c75b4b8ad7230807900fcffcf842d8229a96e4d16931cd94a4c05bf995d848296268061a
SSDEEP: 24576:kyI2njumSn+b9K2BvK6QJm+Nfit7NTdAs+MOYHXhJbcXsHyExVBpWx58O83TdusU:kyGLnmKYjo/NadNTdAs+S3rbRH7DD0bX
Malware Config
Signatures

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | HWMonitor.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (7 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files\CPUID\HWMonitor\is-7U21V.tmp | hwmonitor_1.53.tmp
  File created | C:\Program Files\CPUID\HWMonitor\unins000.msg | hwmonitor_1.53.tmp
  File opened for modification | C:\Program Files\CPUID\HWMonitor\unins000.dat | hwmonitor_1.53.tmp
  File opened for modification | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe | hwmonitor_1.53.tmp
  File created | C:\Program Files\CPUID\HWMonitor\unins000.dat | hwmonitor_1.53.tmp
  File created | C:\Program Files\CPUID\HWMonitor\is-7KG6M.tmp | hwmonitor_1.53.tmp
  File created | C:\Program Files\CPUID\HWMonitor\is-LO9SR.tmp | hwmonitor_1.53.tmp

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  5080 | hwmonitor_1.53.tmp
  2796 | HWMonitor.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | HWMonitor.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | HWMonitor.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid | process
  5080 | hwmonitor_1.53.tmp
  5080 | hwmonitor_1.53.tmp
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe

Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
  pid | process
  688 | (not listed)
  688 | (not listed)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeLoadDriverPrivilege | 2796 | HWMonitor.exe
  Token: SeLoadDriverPrivilege | 2796 | HWMonitor.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid | process
  5080 | hwmonitor_1.53.tmp

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  2796 | HWMonitor.exe
  2796 | HWMonitor.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 1540 wrote to memory of 5080 | 1540 | hwmonitor_1.53.exe | hwmonitor_1.53.tmp
  PID 1540 wrote to memory of 5080 | 1540 | hwmonitor_1.53.exe | hwmonitor_1.53.tmp
  PID 1540 wrote to memory of 5080 | 1540 | hwmonitor_1.53.exe | hwmonitor_1.53.tmp
Processes

C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.53.exe (PID 1540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.53.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp (PID 5080, child of PID 1540)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp" /SL5="$60068,1271215,58368,C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.53.exe"
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

C:\Program Files\CPUID\HWMonitor\HWMonitor.exe (PID 2796)
  Command line: "C:\Program Files\CPUID\HWMonitor\HWMonitor.exe"
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiApSrv.exe (PID 2964)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads