59c37c627e60326408c64eeb836bd28fffc5ffd8e888e8219e3a51ca84bcda34

General

Target

DiskGenius v5.6.0.1565 x64 Eng.exe
Size

29.6MB
MD5

bc35ebf394978caf51353f35b6640a6d
SHA1

a954b8c3dea73c2b10df9508a02a45e528d53aeb
SHA256

59c37c627e60326408c64eeb836bd28fffc5ffd8e888e8219e3a51ca84bcda34
SHA512

f1d9a1251d6438d04f6968e79444175647d5eee6e3914d2af9755a8ad83378b9ee5d405fd3520a40d03cc6db4c2ecce6ca351953732523b5c045444e9bd8781a
SSDEEP

786432:7yTP5RS4UMlA5+8eTMuNobUVHmUvi4nDIcf5:7YkMlAre9NZvive

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4024	DiskGenius.exe

Loads dropped DLL 1 IoCs

pid	Process
4024	DiskGenius.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	DiskGenius.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4024	DiskGenius.exe
4024	DiskGenius.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4024	DiskGenius.exe
4024	DiskGenius.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4024	DiskGenius.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4024	DiskGenius.exe
Token: SeRestorePrivilege	4024	DiskGenius.exe
Token: SeBackupPrivilege	4024	DiskGenius.exe
Token: SeRestorePrivilege	4024	DiskGenius.exe
Token: SeBackupPrivilege	4024	DiskGenius.exe
Token: SeRestorePrivilege	4024	DiskGenius.exe
Token: SeBackupPrivilege	4024	DiskGenius.exe
Token: SeRestorePrivilege	4024	DiskGenius.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4024	DiskGenius.exe
4024	DiskGenius.exe
4024	DiskGenius.exe
4024	DiskGenius.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4024	DiskGenius.exe
4024	DiskGenius.exe
4024	DiskGenius.exe
4024	DiskGenius.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4024	3928	DiskGenius v5.6.0.1565 x64 Eng.exe	78
PID 3928 wrote to memory of 4024	3928	DiskGenius v5.6.0.1565 x64 Eng.exe	78

C:\Users\Admin\AppData\Local\Temp\DiskGenius v5.6.0.1565 x64 Eng.exe
"C:\Users\Admin\AppData\Local\Temp\DiskGenius v5.6.0.1565 x64 Eng.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

Filesize
27.7MB

MD5
db0ba056da9adea8e8e29ff01b19b006

SHA1
8c10a18881a7989ba43ec8687888365e140b4cb7

SHA256
6d4e0905d1869b754d43a486b79f57d128d8fb9a48482807b90f2e656960d429

SHA512
6a1a211bd6680348f2a4ac99bf2df9549fb9de3bb34fb0e73c11a36f84de93f697996e2b20d4eefd239fcf09510b21aed18c9c7045b8b69e5c137e68d81f0dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll

Filesize
7KB

MD5
159aa9ac5776847a4d92afa9744f768d

SHA1
48d03513f8520ac2e2b7f415f31b533b50031599

SHA256
7212b12cb35bffa2314345bb1e2fa12f47dff15616de3de63612501f7ac0761d

SHA512
ec90beb78cbff0caf5597815f309ebff83e06b565dab0c0216458fc50b169ce53741fe6afb982dde59fe0c8d2d16c7b3c976349c27a61ef8845a139d5de7bee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini

Filesize
381B

MD5
47f15bc6d8c718911f6a9995e7d25e42

SHA1
9bc571ae6fb1a9e6cae08a5795555e88cf7ee06c

SHA256
34d56812604cd08049b31c3e14767c744972f26196d0c09e15c86b59710d8be3

SHA512
5592cc6d18a9b1b0e96f6c2107db05577e671e6df09054f36fb70b6c3ad32d57e8e1a6b631b5bc23c8a0e54be0fc43e990029571ee6da88440c620b4f838d4d8

Download Submit
memory/4024-56-0x000007FF7D1A1000-0x000007FF7D1A4000-memory.dmp

Filesize
12KB

Download
memory/4024-57-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

Filesize
24KB

Download
memory/4024-59-0x00007FFC19900000-0x00007FFC19902000-memory.dmp

Filesize
8KB

Download
memory/4024-58-0x00007FFC198F0000-0x00007FFC198F2000-memory.dmp

Filesize
8KB

Download
memory/4024-61-0x0000000140000000-0x0000000143208000-memory.dmp

Filesize
50.0MB

Download
memory/4024-66-0x000007FF7D1A1000-0x000007FF7D1A4000-memory.dmp

Filesize
12KB

Download
memory/4024-67-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads