1b9718d5826acaa26e0529ad2617e32fe712d6f19d6bdd6e0cea5f755516c319

General

Target

HD.exe
Size

823KB
MD5

814cba52bcc8cdd3405c18b867c3d7fb
SHA1

b2850b23609641eaa564f122c66515ffa9ea470a
SHA256

1b9718d5826acaa26e0529ad2617e32fe712d6f19d6bdd6e0cea5f755516c319
SHA512

b3fa116c0376beb0de34189b31d8f8c16e2b435ee578d79145c5b96fcea5fbba6226e90d6202e658173ced216eb558a8cd787c90023193d2d4d4673e4c8ea298
SSDEEP

12288:jPGAAoiHUuGx86EcuswBjWagpTdEse8bjGld4VnlOixp:VGcx86yiawdEseiiop

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
544	HDTunePro.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	HDTunePro.exe
File opened (read-only)	\??\J:	HDTunePro.exe
File opened (read-only)	\??\N:	HDTunePro.exe
File opened (read-only)	\??\P:	HDTunePro.exe
File opened (read-only)	\??\U:	HDTunePro.exe
File opened (read-only)	\??\X:	HDTunePro.exe
File opened (read-only)	\??\Y:	HDTunePro.exe
File opened (read-only)	\??\B:	HDTunePro.exe
File opened (read-only)	\??\D:	HDTunePro.exe
File opened (read-only)	\??\F:	HDTunePro.exe
File opened (read-only)	\??\G:	HDTunePro.exe
File opened (read-only)	\??\I:	HDTunePro.exe
File opened (read-only)	\??\M:	HDTunePro.exe
File opened (read-only)	\??\Q:	HDTunePro.exe
File opened (read-only)	\??\V:	HDTunePro.exe
File opened (read-only)	\??\A:	HDTunePro.exe
File opened (read-only)	\??\O:	HDTunePro.exe
File opened (read-only)	\??\R:	HDTunePro.exe
File opened (read-only)	\??\S:	HDTunePro.exe
File opened (read-only)	\??\H:	HDTunePro.exe
File opened (read-only)	\??\K:	HDTunePro.exe
File opened (read-only)	\??\L:	HDTunePro.exe
File opened (read-only)	\??\T:	HDTunePro.exe
File opened (read-only)	\??\W:	HDTunePro.exe
File opened (read-only)	\??\Z:	HDTunePro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HDTunePro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HDTunePro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegEdit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5084	RegEdit.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
544	HDTunePro.exe
544	HDTunePro.exe
544	HDTunePro.exe
544	HDTunePro.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
544	HDTunePro.exe
544	HDTunePro.exe
544	HDTunePro.exe
544	HDTunePro.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
544	HDTunePro.exe
544	HDTunePro.exe
544	HDTunePro.exe
544	HDTunePro.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 5084	4436	HD.exe	82
PID 4436 wrote to memory of 5084	4436	HD.exe	82
PID 4436 wrote to memory of 5084	4436	HD.exe	82
PID 4436 wrote to memory of 544	4436	HD.exe	83
PID 4436 wrote to memory of 544	4436	HD.exe	83
PID 4436 wrote to memory of 544	4436	HD.exe	83

C:\Users\Admin\AppData\Local\Temp\HD.exe
"C:\Users\Admin\AppData\Local\Temp\HD.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\RegEdit.exe
  RegEdit /S C:\Users\Admin\AppData\Local\Temp\{tmp}\HDTunePro.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\{tmp}\HDTunePro.exe
  C:\Users\Admin\AppData\Local\Temp\{tmp}\HDTunePro.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{tmp}\HDTunePro.exe

Filesize
718KB

MD5
a89e2c78e6dad4b81e8a1884c1e95716

SHA1
813f3c1711ad8cb2f4ea7ab62a1c26d4c744cd74

SHA256
acc68f63823435d26d17724ef073e6941eaebc5c7f80edc04b2063c619c510af

SHA512
c4446e0bbecf073921fda2c48ae8b1cab7e9f1549b4fdbcc4a2e70e5c2a50cf09a4f439831a9f1333e8c96a8a650772fbde8676c0e88e24a9bf53e64d6c67a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\{tmp}\HDTunePro.reg

Filesize
5KB

MD5
73db802896ac1ed656081b2e72f04ea4

SHA1
9d44b78665caa9adfd7dcb743bfe55a02d0b1c2b

SHA256
3dac8ea4621b74f5fed03af283c475b9448a27a650226798b1ee5421e1442e78

SHA512
7523207bb96e75f486326baaf9a917452f206d8ceb0e76516d8be2639c8a97572d85e14c512179966f52544d6e95c996a5098a0310df447c6e15f4a77c9dd290

Download Submit
memory/544-14-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-17-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-10-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-11-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-12-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-13-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-5-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-15-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-16-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-7-0x0000000000830000-0x0000000000833000-memory.dmp

Filesize
12KB

Download
memory/544-18-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-19-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-20-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-21-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-22-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-23-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/544-24-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads