8c44c173870c5cdc938e7e13fe92b5a813306368bc331a72a04dcc47a0f77a8a

Analysis

max time kernel
53s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HD_Tune_Pro_v5.00.exe
Size

7.5MB
MD5

14a93cf0f4e1c3239336990f90f18362
SHA1

88bb17f887556e669f721769cbbfac5d5580e60d
SHA256

8c44c173870c5cdc938e7e13fe92b5a813306368bc331a72a04dcc47a0f77a8a
SHA512

24cb9eacf4b5ff2b92b418e23707f261fde9a8a38d77ded3b89e565357720f7b78f32c982209f0e1d4f02736b25b25a58a7e6b3347a0a91d299cb51457a0f210
SSDEEP

98304:B8fgSSdjQelz0XWy3HBKpyhDTOQulLmx5tYIFasOtulKllQ06JBRJU6+HHqIBqUg:yfqDqWy3hZ91AIFasOgMllx6JBXU6vGu

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1988	HDTunePro.exe

Loads dropped DLL 2 IoCs

pid	Process
1240	HD_Tune_Pro_v5.00.exe
1988	HDTunePro.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	HDTunePro.exe
File opened (read-only)	\??\K:	HDTunePro.exe
File opened (read-only)	\??\P:	HDTunePro.exe
File opened (read-only)	\??\Y:	HDTunePro.exe
File opened (read-only)	\??\E:	HDTunePro.exe
File opened (read-only)	\??\L:	HDTunePro.exe
File opened (read-only)	\??\M:	HDTunePro.exe
File opened (read-only)	\??\U:	HDTunePro.exe
File opened (read-only)	\??\W:	HDTunePro.exe
File opened (read-only)	\??\A:	HDTunePro.exe
File opened (read-only)	\??\H:	HDTunePro.exe
File opened (read-only)	\??\J:	HDTunePro.exe
File opened (read-only)	\??\N:	HDTunePro.exe
File opened (read-only)	\??\R:	HDTunePro.exe
File opened (read-only)	\??\S:	HDTunePro.exe
File opened (read-only)	\??\V:	HDTunePro.exe
File opened (read-only)	\??\X:	HDTunePro.exe
File opened (read-only)	\??\F:	HDTunePro.exe
File opened (read-only)	\??\D:	HDTunePro.exe
File opened (read-only)	\??\G:	HDTunePro.exe
File opened (read-only)	\??\O:	HDTunePro.exe
File opened (read-only)	\??\Q:	HDTunePro.exe
File opened (read-only)	\??\T:	HDTunePro.exe
File opened (read-only)	\??\Z:	HDTunePro.exe
File opened (read-only)	\??\B:	HDTunePro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HDTunePro.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-61-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/files/0x000700000002349c-59.dat	upx
behavioral1/memory/1988-80-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1988-84-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1988-87-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1988-88-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1988-89-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_Tune_Pro_v5.00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HDTunePro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	HD_Tune_Pro_v5.00.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeSecurityPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeLoadDriverPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeSystemProfilePrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeSystemtimePrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeProfSingleProcessPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeIncBasePriorityPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeCreatePagefilePrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeShutdownPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeDebugPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeSystemEnvironmentPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeRemoteShutdownPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeUndockPrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: SeManageVolumePrivilege	1240	HD_Tune_Pro_v5.00.exe
Token: 33	1240	HD_Tune_Pro_v5.00.exe
Token: 34	1240	HD_Tune_Pro_v5.00.exe
Token: 35	1240	HD_Tune_Pro_v5.00.exe
Token: 36	1240	HD_Tune_Pro_v5.00.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	HDTunePro.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1988	HDTunePro.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1240	HD_Tune_Pro_v5.00.exe
1988	HDTunePro.exe
1988	HDTunePro.exe
1988	HDTunePro.exe
1988	HDTunePro.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1988	1240	HD_Tune_Pro_v5.00.exe	82
PID 1240 wrote to memory of 1988	1240	HD_Tune_Pro_v5.00.exe	82
PID 1240 wrote to memory of 1988	1240	HD_Tune_Pro_v5.00.exe	82
PID 1240 wrote to memory of 1988	1240	HD_Tune_Pro_v5.00.exe	82
PID 1240 wrote to memory of 1988	1240	HD_Tune_Pro_v5.00.exe	82
PID 1240 wrote to memory of 1988	1240	HD_Tune_Pro_v5.00.exe	82
PID 1240 wrote to memory of 1988	1240	HD_Tune_Pro_v5.00.exe	82

C:\Users\Admin\AppData\Local\Temp\HD_Tune_Pro_v5.00.exe
"C:\Users\Admin\AppData\Local\Temp\HD_Tune_Pro_v5.00.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Roaming\VOS\HD Tune Pro\%Program Files (x86)%\HD Tune Pro\HDTunePro.exe
  "C:\Users\Admin\AppData\Roaming\VOS\HD Tune Pro\%Program Files (x86)%\HD Tune Pro\HDTunePro.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VOS\HD Tune Pro\%Program Files (x86)%\HD Tune Pro\HDTunePro.exe

Filesize
302KB

MD5
b8136653535808a925a576e83d6f932a

SHA1
28bd657086e0d7532f3723512f54ff9f5ca49bde

SHA256
1b3a290b8cca881d10dfc2b87ef82b2dac7b0060e7ed92f035c8401d4a02c57a

SHA512
24b94add8fae2ac8985b6ea62121668c33f50f358852d59e8d83ff7eb6d675b02c7cf3495b212dd6a6f0797cc1389f9a4500aee65bfe321e109666620cada6fc

Download Submit
C:\Users\Admin\AppData\Roaming\VOS\HD Tune Pro\AppVirtDll_HD Tune Pro.dll

Filesize
572KB

MD5
3007d95d7b00061dd72f2bc291e28770

SHA1
6e95093fa99d185bb5c7d12f22bf7d7ce94add2d

SHA256
efe2d2a6fa61e96faae789337daf40346b825d9b9c49c1dcec67bd5abc9b4cf6

SHA512
dff9ef99a56562d102d9748b18efee69e7afeb293d6734094d99f1569dd4ff9fb8a353c55cc1cb51e0185fc6faea6f25c2104b49de818ba4cdc8b64a21c0e2d3

Download Submit
C:\Users\Admin\AppData\Roaming\VOS\HD Tune Pro\VirtFiles.db

Filesize
14KB

MD5
154977c2d1acf2e48c82f9969ce3d397

SHA1
556d4898d0a7cc10d7e30e2b912d379bfd317f70

SHA256
81ef6cbd8c20e4b42eb56afbd365d183a05cc4dee8da5d992706ddbfa558bbb0

SHA512
0e03269ec9d6e78ac98841fd5b7b64020a2d1390ef56a038161bbcee83d8945c6039b2e0af7c854c7a3bffe2ce559dffcb4ca5c6c89309b0b6396168d34defbb

Download Submit
memory/1240-34-0x00000000719D0000-0x00000000719D1000-memory.dmp

Filesize
4KB

Download
memory/1240-47-0x0000000071AC0000-0x0000000071AC1000-memory.dmp

Filesize
4KB

Download
memory/1240-43-0x0000000071630000-0x0000000071631000-memory.dmp

Filesize
4KB

Download
memory/1240-42-0x0000000071640000-0x0000000071641000-memory.dmp

Filesize
4KB

Download
memory/1240-41-0x0000000071A20000-0x0000000071A21000-memory.dmp

Filesize
4KB

Download
memory/1240-40-0x0000000071A30000-0x0000000071A31000-memory.dmp

Filesize
4KB

Download
memory/1240-39-0x0000000071AE0000-0x0000000071AE1000-memory.dmp

Filesize
4KB

Download
memory/1240-38-0x0000000071AF0000-0x0000000071AF1000-memory.dmp

Filesize
4KB

Download
memory/1240-35-0x00000000719C0000-0x00000000719C1000-memory.dmp

Filesize
4KB

Download
memory/1240-33-0x0000000071A50000-0x0000000071A51000-memory.dmp

Filesize
4KB

Download
memory/1240-50-0x0000000071960000-0x0000000071961000-memory.dmp

Filesize
4KB

Download
memory/1240-49-0x0000000071970000-0x0000000071971000-memory.dmp

Filesize
4KB

Download
memory/1240-48-0x0000000071AB0000-0x0000000071AB1000-memory.dmp

Filesize
4KB

Download
memory/1240-67-0x00000000719D0000-0x00000000719D1000-memory.dmp

Filesize
4KB

Download
memory/1240-46-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1240-45-0x0000000077083000-0x0000000077084000-memory.dmp

Filesize
4KB

Download
memory/1240-56-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1240-58-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1240-57-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1240-31-0x0000000077083000-0x0000000077084000-memory.dmp

Filesize
4KB

Download
memory/1240-60-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1240-30-0x0000000077082000-0x0000000077083000-memory.dmp

Filesize
4KB

Download
memory/1240-74-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1240-32-0x0000000071A60000-0x0000000071A61000-memory.dmp

Filesize
4KB

Download
memory/1240-44-0x0000000077082000-0x0000000077083000-memory.dmp

Filesize
4KB

Download
memory/1240-53-0x0000000077082000-0x0000000077083000-memory.dmp

Filesize
4KB

Download
memory/1240-54-0x0000000077083000-0x0000000077084000-memory.dmp

Filesize
4KB

Download
memory/1240-55-0x0000000076F30000-0x0000000076F31000-memory.dmp

Filesize
4KB

Download
memory/1988-88-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1988-68-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-69-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-71-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-72-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-70-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-77-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-78-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-80-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1988-81-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-82-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-83-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-84-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1988-86-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-85-0x0000000076F10000-0x0000000077000000-memory.dmp

Filesize
960KB

Download
memory/1988-87-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1988-61-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1988-89-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download