Malware Analysis Report

2024-10-18 22:06

Sample ID 240611-tnf5jasgng
Target hwmonitor_1.53.exe
SHA256 c77cb3f7c51d7e2b0b0f5e9fca3bbf67e6cbe4fa0c9099547d2aa14c35629314
Tags: bootkit, discovery, persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: c77cb3f7c51d7e2b0b0f5e9fca3bbf67e6cbe4fa0c9099547d2aa14c35629314

Threat level: shows suspicious behavior (score 6/10)

hwmonitor_1.53.exe is an installer. It drops C:\Program Files\CPUID\HWMonitor\HWMonitor.exe and launches it, and the signatures that carry the score (a write-capable handle on PhysicalDrive0, SeLoadDriverPrivilege and driver loading, SCSI device enumeration, SetWindowsHookEx) are raised by that installed program, not by the installer stage, which only drops files and executes them. The report records no write to the disk device, no network activity beyond DNS, and no persistence mechanism other than the installed files themselves.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Drops file in Program Files directory

Executes dropped EXE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken
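
Whether the "Writes to the Master Boot Record" hit above actually changed the boot sector is settled by imaging sector 0 of the detonation disk before and after the run and comparing the two. The Python below is an added example for this report, not tooling from the sandbox or from CPUID; the two 512-byte MBR images it uses are constructed in the code, and the field offsets are the standard MBR layout (boot code 0x000 to 0x1B7, disk signature at 0x1B8, partition table at 0x1BE, 0x55AA boot signature at 0x1FE).

```python
import hashlib
import struct

# Standard MBR layout (byte offsets).
MBR_SIZE = 512
BOOT_CODE_END = 0x1B8    # boot code occupies 0x000..0x1B7
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA
# status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
PART_FMT = "<B3xB3xII"


def parse_mbr(img):
    """Split a 512-byte sector-0 image into the fields an analyst compares."""
    if len(img) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, img, PART_TABLE_OFF + 16 * i)
        if ptype:  # partition type 0 means the slot is unused
            partitions.append({"index": i, "bootable": bool(status & 0x80),
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(img[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": img[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
        "valid_boot_signature": img[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def diff_mbr(before, after):
    """Return the MBR regions that differ between two sector-0 images.

    A bootkit typically replaces the boot code and leaves the partition table
    and disk signature intact so the system still boots; wipers and
    repartitioning show up in the other fields.
    """
    a, b = parse_mbr(before), parse_mbr(after)
    changed = []
    for key, label in (("boot_code_sha256", "boot_code"),
                       ("disk_signature", "disk_signature"),
                       ("partitions", "partition_table"),
                       ("valid_boot_signature", "boot_signature")):
        if a[key] != b[key]:
            changed.append(label)
    return changed


def build_mbr(boot_code, disk_sig, partitions):
    """Assemble a constructed MBR image for testing; not a real disk dump."""
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    img[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_FMT, img, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, sectors)
    img[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(img)


# Constructed "before" image: placeholder boot code and one bootable
# NTFS-type (0x07) partition starting at LBA 2048.
BASELINE_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32,
                         b"\xde\xad\xbe\xef", [(0x80, 0x07, 2048, 1_000_000)])

# Constructed "after" image: only the leading boot-code bytes differ, the
# pattern a boot-code hook leaves; partition table and signatures unchanged.
TAMPERED_MBR = build_mbr(b"\xea\x00\x7c\x00\x00" + b"\x90" * 34,
                         b"\xde\xad\xbe\xef", [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("no change:", diff_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered :", diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

On a real case the two inputs are the first 512 bytes of the VM disk image taken from the hypervisor before the run and after a clean shutdown; a result of [] means the handle open in this report did not translate into an MBR change.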

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 16:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 16:12

Reported

2024-06-11 16:12

Platform

win11-20240508-en

Max time kernel

22s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.53.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description                  | Indicator          | Process                                        | Target
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe | N/A

The evidence is a single write-capable handle opened on the raw disk device. The report records no read, write or IOCTL on that handle and no change to sector 0, so the bootkit and persistence tags rest on the handle open alone. Disk-sensor readers open \\.\PhysicalDriveN the same way to query drive temperature and S.M.A.R.T. status, so by itself this signature is not diagnostic; confirm or refute it by comparing sector 0 of the detonation disk before and after the run.
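
Because the signature fires on the handle open, telemetry that also records the access mask and any later writes lets an analyst grade the event instead of taking the tag at face value. The Python below is an added example, not the sandbox's own detection logic; its event schema (pid, image, op, path, access, offset, length) is an assumption to map your own Sysmon, ETW or sandbox API log onto, and the sample events, including a made-up process that overwrites sector 0, are constructed for illustration.

```python
import json
import re
from collections import defaultdict

MBR_SIZE = 512

# Spellings under which a raw-disk handle appears in telemetry: the Win32
# path, the NT object-manager path this report shows, and the device object.
RAW_DISK_RE = re.compile(
    r"^(?:\\\\\.\\|\\\?\?\\)PhysicalDrive\d+$|^\\Device\\Harddisk\d+\\DR\d+$",
    re.IGNORECASE,
)

# Access rights that allow modifying the device (Win32 ACCESS_MASK bits).
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0002, 0x0004
WRITE_MASK = GENERIC_WRITE | GENERIC_ALL | FILE_WRITE_DATA | FILE_APPEND_DATA
WRITE_NAMES = {"GENERIC_WRITE", "GENERIC_ALL", "FILE_WRITE_DATA", "FILE_APPEND_DATA"}


def grants_write(access):
    """True if an access mask (int) or a list of right names permits writes."""
    if isinstance(access, int):
        return bool(access & WRITE_MASK)
    return not WRITE_NAMES.isdisjoint(access)


def triage_raw_disk_events(events):
    """Group raw-disk events per PID and grade them.

    Verdicts, weakest to strongest:
      READ_ONLY          handle opened without write rights
      WRITE_HANDLE_ONLY  write-capable handle, no write to sector 0 observed
                         (all that the report above shows for HWMonitor.exe)
      MBR_WRITE          a write overlapping bytes 0..511 of the disk
    Events on paths other than a raw disk device are ignored.
    """
    per_proc = defaultdict(lambda: {"image": None, "write_handle": False, "mbr_writes": []})
    for ev in events:
        if not RAW_DISK_RE.match(ev.get("path", "")):
            continue
        rec = per_proc[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["op"] == "open" and grants_write(ev.get("access", [])):
            rec["write_handle"] = True
        elif ev["op"] == "write":
            start, length = ev["offset"], ev["length"]
            if start < MBR_SIZE and start + length > 0:  # overlaps sector 0
                rec["mbr_writes"].append((start, length))
    for rec in per_proc.values():
        if rec["mbr_writes"]:
            rec["verdict"] = "MBR_WRITE"
        elif rec["write_handle"]:
            rec["verdict"] = "WRITE_HANDLE_ONLY"
        else:
            rec["verdict"] = "READ_ONLY"
    return dict(per_proc)


# Constructed sample telemetry, one JSON object per line (not the sandbox's
# log). PID 5080 mirrors what the report records for HWMonitor.exe: a
# write-capable handle on PhysicalDrive0 and nothing further. PID 4242 is a
# made-up process that actually overwrites the MBR; PID 1540 never touches a
# raw disk device.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"pid": 5080, "image": "C:\\Program Files\\CPUID\\HWMonitor\\HWMonitor.exe", "op": "open", "path": "\\??\\PhysicalDrive0", "access": ["GENERIC_READ", "GENERIC_WRITE"]}
{"pid": 4242, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\constructed_bootkit.exe", "op": "open", "path": "\\\\.\\PhysicalDrive0", "access": 1073741824}
{"pid": 4242, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\constructed_bootkit.exe", "op": "write", "path": "\\\\.\\PhysicalDrive0", "offset": 0, "length": 512}
{"pid": 1540, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwmonitor_1.53.exe", "op": "open", "path": "C:\\Windows\\System32\\kernel32.dll", "access": ["GENERIC_READ"]}
""".strip().splitlines()]

if __name__ == "__main__":
    for pid, rec in sorted(triage_raw_disk_events(SAMPLE_EVENTS).items()):
        print(pid, rec["verdict"], rec["image"])
```

Run against the constructed events, HWMonitor.exe grades as WRITE_HANDLE_ONLY and the made-up process as MBR_WRITE; only the latter deserves the bootkit label, the former is a prompt for the sector-0 comparison.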

Checks installed software on the system

discovery

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp    Target: N/A

Description                  | Indicator
File created                 | C:\Program Files\CPUID\HWMonitor\is-7U21V.tmp
File created                 | C:\Program Files\CPUID\HWMonitor\unins000.msg
File opened for modification | C:\Program Files\CPUID\HWMonitor\unins000.dat
File opened for modification | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
File created                 | C:\Program Files\CPUID\HWMonitor\unins000.dat
File created                 | C:\Program Files\CPUID\HWMonitor\is-7KG6M.tmp
File created                 | C:\Program Files\CPUID\HWMonitor\is-LO9SR.tmp

The is-XXXXX.tmp staging files, unins000.dat and unins000.msg, and the /SL5= switch on the second-stage command line (see Processes) are standard Inno Setup artifacts: the outer hwmonitor_1.53.exe is the setup loader and the .tmp it extracts to %TEMP% is the setup program that performs the installation.

Executes dropped EXE

Description | Indicator | Process                                                           | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp | N/A
N/A         | N/A       | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe                    | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Process (both rows): C:\Program Files\CPUID\HWMonitor\HWMonitor.exe    Target: N/A

Description       | Indicator
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags

Both rows refer to the same key (registry paths are case-insensitive): the device-instance entry for the sandbox VM's virtual disk. Reading Enum\SCSI is how a hardware monitor enumerates the drives it will report on; the same read is also a common virtual-machine check (vendor strings such as VBOX, QEMU or VMware), which is why the sandbox flags it.

Suspicious behavior: LoadsDriver

Two driver-load events were recorded; the sandbox captured no description, indicator, process or target for either. The SeLoadDriverPrivilege entries below are consistent with HWMonitor.exe being the loader.

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                        | Target
Token: SeLoadDriverPrivilege | N/A       | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe | N/A
Token: SeLoadDriverPrivilege | N/A       | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe | N/A

Enabling SeLoadDriverPrivilege on the process token is the prerequisite for NtLoadDriver, so these two events line up with the two LoadsDriver events above. Hardware monitors need a kernel driver to read CPU MSRs and SMBus sensors from user mode; a malicious loader needs the same privilege, so the signature is a prompt to identify the driver that was loaded and check its code signature, neither of which this report records.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                                           | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process                                        | Target
N/A         | N/A       | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe | N/A
N/A         | N/A       | C:\Program Files\CPUID\HWMonitor\HWMonitor.exe | N/A

Processes

Image, followed by its command line:

C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.53.exe
    "C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.53.exe"

C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp" /SL5="$60068,1271215,58368,C:\Users\Admin\AppData\Local\Temp\hwmonitor_1.53.exe"

C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
    "C:\Program Files\CPUID\HWMonitor\HWMonitor.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe

WmiApSrv.exe is the Windows WMI Performance Adapter service, started on demand when a process reads WMI performance data; it is a Windows component, not a dropped file.

Network

Country | Destination | Domain               | Proto
US      | 8.8.8.8:53  | download.cpuid.com   | udp
US      | 8.8.8.8:53  | 8.8.8.8.in-addr.arpa | udp

Only DNS traffic was captured: a lookup of download.cpuid.com and a reverse (PTR) lookup of the resolver's own address. No TCP connection to the resolved host appears within the 26-second network window, so no payload download or callback is shown.

Files

Memory dump names encode the PID, a sequence number and the dumped address range; dumps were taken from two processes (PIDs 1540 and 5080).

memory/1540-0-0x0000000000400000-0x0000000000415000-memory.dmp
memory/1540-3-0x0000000000401000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RP0VU.tmp\hwmonitor_1.53.tmp
    MD5    318ac5138773aed192c72971d28c3984
    SHA1   3412120f49566f150a5ff112ec66746afef19692
    SHA256 1e618c685c04e75291f908e9f7fbe8060f9766e0e9711142abc2a1e3961a63eb
    SHA512 dfd7fda59599d1933131b64c5224654c79bb260bb429ff53902426c5d1833b588b9862faefd9af4f556ba97e5024a89f68e3a58d89adf86a77efbff427e213ea

memory/5080-7-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
    MD5    88ebccaacbfcc25a85b9f3a3ca8af4b7
    SHA1   728ec612dbc68792e3e3e8b876f00d0e5ca1971b
    SHA256 98efc8fa681d39e3954d9a4e295c42f67ad0c986b7bd3d4b9879b2c3b95b1164
    SHA512 8a430490a634467865cdbb59db5d749a47d66a179d5c26991429c8c9e4d3b07961c4c51fb5d1bd72433cea173454a43fe2e96f6aaeeb240ad5c6ea1b7e0481a6

memory/5080-27-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1540-28-0x0000000000400000-0x0000000000415000-memory.dmp