Analysis
- max time kernel: 120s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2024 06:33
Static task: static1
Behavioral task: behavioral1
- Sample: 89067d7926507a58c377b7690fcb0950N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 89067d7926507a58c377b7690fcb0950N.exe
- Resource: win10v2004-20240802-en
General
- Target: 89067d7926507a58c377b7690fcb0950N.exe
- Size: 1.3MB
- MD5: 89067d7926507a58c377b7690fcb0950
- SHA1: d8e253ac767c1ee90ad0f2e9193794bddd77a3f2
- SHA256: 2c484a04a3681dee4f36459fc9ce5959cf2cdc8b859f1c35ea2abaa234fb2961
- SHA512: d8d4259a9f8012f9e7737a133632e4f3a9898314d37e2cd0e724745ce7872b31a247cf4d0e17ede4d260fd470ffa6871bbe97e0db8e6687c893d56426ccb16c2
- SSDEEP: 24576:cAiZMV/1db5Agw/qpQLPrPu6VCs7LdCt6JMoM4W+fR+hNqrEH7+:lyP2WLst6JMsfRAC
Malware Config
Signatures
-
Detects Floxif payload (1 IoC)
- yara rule floxif: behavioral1/files/0x0003000000012000-1.dat
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- yara rule acprotect: behavioral1/files/0x0003000000012000-1.dat
Executes dropped EXE (1 IoC)
- PID 2136 HWMonitorPro64.exe
Loads dropped DLL (4 IoCs)
- PID 2232 89067d7926507a58c377b7690fcb0950N.exe (4 loads)
UPX-packed file (yara rule upx, 8 IoCs)
- behavioral1/files/0x0003000000012000-1.dat
- behavioral1/memory/2232-3-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2232-65-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2232-69-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2232-73-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2232-77-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2232-83-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2232-85-0x0000000010000000-0x0000000010030000-memory.dmp
(all memory hits are the same 0x10000000-0x10030000 region of PID 2232, dumped at successive points of the run)
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\e: by 89067d7926507a58c377b7690fcb0950N.exe (PID 2232)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system. Note that the IoC recorded here is a handle to the raw disk opened with write access; the report does not show a sector write itself, and legitimate disk and hardware-monitoring utilities also open physical drives this way (for example to issue SMART or ATA pass-through IOCTLs), so confirm by comparing the disk's first sector against a known-good baseline before calling it a bootkit.
- File opened for modification \??\PhysicalDrive0 by HWMonitorPro64.exe (PID 2136)
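The check a practitioner wants after this signature is whether sector 0 actually changed. The script below is an added example, not part of the sandbox report: it splits a 512-byte MBR into boot code, disk signature and partition table, and reports which of those differ from a baseline image. The sample sectors are constructed here; on a real host, `read_first_sector()` reads `\\.\PhysicalDrive0` (the device named in the IoC) and needs administrator rights, and the baseline would come from a clean image of the same machine.

```python
"""Fingerprint a 512-byte MBR sector and compare it with a known-good baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: boot code, before the 4-byte disk signature
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into the parts an analyst compares separately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def compare_mbr(current: bytes, baseline: bytes) -> list:
    """Human-readable differences; an empty list means the MBR matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootkit)")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (Windows: requires an elevated process)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def _make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one active NTFS partition at LBA 2048, 1 GiB long."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)                       # disk signature
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x07, 2048, 2 * 1024 * 1024)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a baseline and a copy whose boot code has been patched.
BASELINE_MBR = _make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # xor ax,ax; mov ss,ax; mov sp,7C00h
TAMPERED_MBR = _make_sample_mbr(b"\xe9\x00\x01\x90\x90\x90\x90")   # jmp patched over the original code

if __name__ == "__main__":
    print(compare_mbr(TAMPERED_MBR, BASELINE_MBR))
```

Hashing the boot code separately from the partition table matters because a bootkit typically changes only the first 440 bytes (redirecting execution) and leaves the partition table intact, so a whole-sector hash would flag benign partition changes and a partition-table-only check would miss the implant.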
Drops file in System32 directory (2 IoCs)
- File created C:\Windows\system32\lpcio.dll by HWMonitorPro64.exe (PID 2136)
- File opened for modification C:\Windows\system32\lpcio.dll by HWMonitorPro64.exe (PID 2136)
Drops file in Program Files directory (5 IoCs)
- File created C:\Program Files\Common Files\System\symsrv.dll by 89067d7926507a58c377b7690fcb0950N.exe (PID 2232)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll by 89067d7926507a58c377b7690fcb0950N.exe (PID 2232)
- File created C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp by 89067d7926507a58c377b7690fcb0950N.exe (PID 2232)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp by 89067d7926507a58c377b7690fcb0950N.exe (PID 2232)
- File created \??\c:\program files\common files\system\symsrv.dll.000 by 89067d7926507a58c377b7690fcb0950N.exe (PID 2232)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 89067d7926507a58c377b7690fcb0950N.exe (PID 2232)
Modifies system certificate store (2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 by HWMonitorPro64.exe (PID 2136)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [value elided from this report] by HWMonitorPro64.exe (PID 2136)
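Before treating a root-store write as a trust attack, identify what was installed: the key name is the certificate's SHA-1 thumbprint, and the Blob value (elided in this report) is a serialized certificate context that carries the DER certificate. The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 matches the published SHA-1 fingerprint of ISRG Root X1, a public root that Windows installs automatically when it first builds a chain to it; verify that against the CA's own publication. The script below is an added example, not part of the report: it parses the Blob's property records (each a little-endian property ID, a DWORD the store sets to 1, a length, then data; property 3 is the SHA-1 hash and property 32 the certificate), recomputes the thumbprint and checks it against the key name. The `FAKE_DER` bytes are a constructed stand-in, not a real certificate; `read_blob_from_registry()` is only for use on a Windows host.

```python
"""Parse a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value and verify it."""
import hashlib
import struct

# Property IDs from wincrypt.h used inside the serialized certificate context.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32          # the DER-encoded certificate itself


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the (propid, reserved, length, data) records and return {propid: data}."""
    props = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"record at offset {off - 12} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return props


def check_root_store_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Recompute the SHA-1 of the embedded certificate and compare with the key name."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("Blob carries no certificate (property 32 missing)")
    computed = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    return {
        "computed_sha1": computed,
        "matches_key_name": computed == key_thumbprint.upper(),
        "matches_stored_hash": stored == computed,
        "der_length": len(der),
    }


def read_blob_from_registry(thumbprint: str) -> bytes:
    """Fetch the Blob for a ROOT-store entry on a live Windows host (hypothetical use)."""
    import winreg  # Windows only, imported lazily so the rest runs anywhere
    path = rf"SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\{thumbprint}"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _kind = winreg.QueryValueEx(key, "Blob")
        return value


def build_blob(der: bytes) -> bytes:
    """Serialize a certificate the way the store does; used here to build test data."""
    sha1 = hashlib.sha1(der).digest()
    out = struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(sha1)) + sha1
    out += struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der
    return out


# Constructed stand-in for a DER certificate (not a real certificate).
FAKE_DER = b"\x30\x82\x00\x11" + b"example-root-cert"
SAMPLE_BLOB = build_blob(FAKE_DER)
SAMPLE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()

if __name__ == "__main__":
    print(check_root_store_entry(SAMPLE_THUMBPRINT, SAMPLE_BLOB))
```

A mismatch between the recomputed SHA-1 and the key name means the entry was written by hand rather than through CryptoAPI and deserves a closer look; a match only tells you the entry is well-formed, so the decisive step is still to decode the DER (for example with `openssl x509 -inform der -noout -subject -fingerprint`) and ask whether that issuer belongs in the machine's trust store.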
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2232 89067d7926507a58c377b7690fcb0950N.exe (3 occurrences)
Suspicious behavior: LoadsDriver (2 IoCs)
- PID 476 (process name not recorded in the report; 2 occurrences)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2232 89067d7926507a58c377b7690fcb0950N.exe
- Token: SeLoadDriverPrivilege, PID 2136 HWMonitorPro64.exe (2 occurrences)
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 2136 HWMonitorPro64.exe (2 occurrences)
Suspicious use of SendNotifyMessage (2 IoCs)
- PID 2136 HWMonitorPro64.exe (2 occurrences)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2136 HWMonitorPro64.exe (2 occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2232 (89067d7926507a58c377b7690fcb0950N.exe) wrote to memory of PID 2136, target process id 30 (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe"
   PID: 2232
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe"
   PID: 2136
   (RarSFX0 under %TEMP% is the directory a WinRAR self-extracting archive unpacks into, so the parent is an SFX wrapper around this executable)
   - Executes dropped EXE
   - Writes to the Master Boot Record (MBR)
   - Drops file in System32 directory
   - Modifies system certificate store
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Pre-OS Boot (1): Bootkit (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
Downloads
- Filesize: 416KB
  MD5: 2f13191d5f2eade9dd842ec01855610c
  SHA1: 8cb84defbb17817270074153f43bd63169feb42c
  SHA256: 6d097a250fb0c3680caffce72834882c19cf436979b1124d4eb7f17a61aab137
  SHA512: 650423080fce49328404b2dde498f0ba4875e18e17460639235531da64e74722c69c9e89c17afa697123a576e2e59a53342fbad160d89c92ef27e99a7eeb49a1
- Filesize: 175B
  MD5: 1130c911bf5db4b8f7cf9b6f4b457623
  SHA1: 48e734c4bc1a8b5399bff4954e54b268bde9d54c
  SHA256: eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
  SHA512: 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0
- Filesize: 2.9MB
  MD5: c08ebc85e0f04e9768d097733c22a9ab
  SHA1: 9264cf6638316af44d0b38052f9c9cf1a79d4712
  SHA256: c81fbcf64c12450f74c1173aea5d443696d3297f852a177c9d862396ba0fc3a5
  SHA512: 935ce1e01a3deb201dee833884e5e961f5409f2674d9a4e70bc1dab92f1fe501701827b78ada98aee09882f400ee39629756bb52aa494e5904b38f06a3c299f9
- Filesize: 112B
  MD5: 8753a6f5df99c053299b89e8139250a4
  SHA1: 20503dcba4e1ca2e3e24c722e579196714772275
  SHA256: 5053378813c575af792ccd5942f3a0c2ed9e23c52aae90f82a2066e89c91f68b
  SHA512: 41ca8fa8aff0ca72678d9bc368a43453d1d9a0a817a03227ffea549abba789944cdbc36ee5f2beadaf4ac0a470bc3bd417aefdb34fa60a0367f29443f53e64c9
- Filesize: 416KB
  MD5: cbb0cfe99fe1ca54335d87515d862ba3
  SHA1: cb76865ff91152eb6c59dc15564e8959f6c85628
  SHA256: 47b3449820b22e0bb31d6d2ce607c5347483c4c68d9b493305b1d9b61774396c
  SHA512: 797b81e134daab5315dc216fe4844d6420c94da3a393a3847a858fca259560ba72c9c6fc57c5572619feddc5021467581ba087fec52394a2dd858eb17d304f66
- Filesize: 67KB
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
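The Downloads section gives hashes for the files the sample wrote but does not say which path each hash belongs to, and the file-system signatures above name the paths: lpcio.dll in System32, symsrv.dll (and symsrv.dll.000) under Common Files\System, and an existing Microsoft DLL, tiptsf.dll, opened for modification next to a freshly created tiptsf.dll.tmp, the pattern of a file infector rewriting a host binary (symsrv.dll in that directory is also the component Floxif infections are widely documented to drop, which fits the Floxif hit on the dropped .dat). The script below is an added example, not part of the report: it sweeps those paths on a host, hashes whatever exists, and matches the hashes against the report's set, so a hit ties a concrete file to a concrete artifact. `demo_in_tempdir()` exercises it on constructed files so it runs offline; on a real host you would call `sweep(REPORT_PATHS, REPORT_SHA256)` from an elevated prompt.

```python
"""Hunt for the files this sample drops or modifies and match them to the report's hashes."""
import hashlib
import os
import tempfile

# SHA-256 values from the report's Downloads section (dropped-file artifacts).
REPORT_SHA256 = {
    "6d097a250fb0c3680caffce72834882c19cf436979b1124d4eb7f17a61aab137",
    "eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1",
    "c81fbcf64c12450f74c1173aea5d443696d3297f852a177c9d862396ba0fc3a5",
    "5053378813c575af792ccd5942f3a0c2ed9e23c52aae90f82a2066e89c91f68b",
    "47b3449820b22e0bb31d6d2ce607c5347483c4c68d9b493305b1d9b61774396c",
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085",
}

# Paths the report shows being created or opened for modification.
REPORT_PATHS = [
    r"C:\Windows\system32\lpcio.dll",
    r"C:\Program Files\Common Files\System\symsrv.dll",
    r"C:\Program Files\Common Files\System\symsrv.dll.000",
    r"C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll",
    r"C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp",
]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(paths, known_hashes) -> list:
    """For each path: does it exist, what is its SHA-256, and is that hash in the report."""
    results = []
    for path in paths:
        entry = {"path": path, "exists": os.path.isfile(path), "sha256": None, "known": False}
        if entry["exists"]:
            entry["sha256"] = sha256_file(path)
            entry["known"] = entry["sha256"] in known_hashes
        results.append(entry)
    return results


def hits(results) -> list:
    """Paths that exist and whose hash matches a report artifact."""
    return [r["path"] for r in results if r["known"]]


def unknown_present(results) -> list:
    """Paths that exist but match no report hash: worth hashing and checking separately."""
    return [r["path"] for r in results if r["exists"] and not r["known"]]


def demo_in_tempdir() -> dict:
    """Self-contained demonstration on constructed files (no real malware involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        dropped = os.path.join(tmp, "symsrv.dll")
        with open(dropped, "wb") as f:
            f.write(b"constructed stand-in for a dropped file")
        other = os.path.join(tmp, "tiptsf.dll")           # exists, but hash not in the set
        with open(other, "wb") as f:
            f.write(b"constructed stand-in for an unrelated file")
        known = {sha256_file(dropped)}                     # pretend the report listed this hash
        missing = os.path.join(tmp, "lpcio.dll")           # never created
        results = sweep([dropped, other, missing], known)
        return {
            "hits": hits(results),
            "unknown_present": unknown_present(results),
            "missing": [r["path"] for r in results if not r["exists"]],
        }


if __name__ == "__main__":
    for r in sweep(REPORT_PATHS, REPORT_SHA256):
        print(r)
```

A present-but-unknown tiptsf.dll is the interesting case: the report shows the sample opening it for modification, so its hash will not match a clean Microsoft copy, and the quickest confirmation is an Authenticode check (`Get-AuthenticodeSignature` in PowerShell) against the file, which fails on an infected binary.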