c5beb701e793be49311d476975c0c8b3e453ea5f20d427c64c0d31c3b01a09c1

General

Target

Hfolder/Hfolder.exe
Size

1.2MB
MD5

4aa093d03ac449134ee5fbc4d02ec805
SHA1

8edececa12d46ed6729f122b218ade6d5c677b5a
SHA256

9738641285a96d7b72ed98e1ff0d93217d49a74c1e54d2d08252e00afec7d059
SHA512

70588cdd13471b95371773df2244d98f4c644a6eb8f65a8e2baf830f5336b76402843973727b07694b9c8ab29083360585ca4fa02f8d02a94293a5b3bb6dfb25
SSDEEP

24576:v3g62vnKTHHmn/1Rz+M0BioHkscvi2lLgMcB01fuUhsUl21Vk:I6inKjmPN6itscK2lx7hsWUVk

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Hfolder.exe
File opened (read-only)	\??\G:	Hfolder.exe
File opened (read-only)	\??\R:	Hfolder.exe
File opened (read-only)	\??\S:	Hfolder.exe
File opened (read-only)	\??\T:	Hfolder.exe
File opened (read-only)	\??\V:	Hfolder.exe
File opened (read-only)	\??\H:	Hfolder.exe
File opened (read-only)	\??\L:	Hfolder.exe
File opened (read-only)	\??\O:	Hfolder.exe
File opened (read-only)	\??\Z:	Hfolder.exe
File opened (read-only)	\??\I:	Hfolder.exe
File opened (read-only)	\??\J:	Hfolder.exe
File opened (read-only)	\??\K:	Hfolder.exe
File opened (read-only)	\??\M:	Hfolder.exe
File opened (read-only)	\??\N:	Hfolder.exe
File opened (read-only)	\??\P:	Hfolder.exe
File opened (read-only)	\??\U:	Hfolder.exe
File opened (read-only)	\??\X:	Hfolder.exe
File opened (read-only)	\??\Y:	Hfolder.exe
File opened (read-only)	\??\B:	Hfolder.exe
File opened (read-only)	\??\F:	Hfolder.exe
File opened (read-only)	\??\Q:	Hfolder.exe
File opened (read-only)	\??\W:	Hfolder.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Hfolder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfolder.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2412	Hfolder.exe
Token: SeIncBasePriorityPrivilege	2412	Hfolder.exe
Token: 33	2412	Hfolder.exe
Token: SeIncBasePriorityPrivilege	2412	Hfolder.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2412	Hfolder.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2412	Hfolder.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe
2412	Hfolder.exe

C:\Users\Admin\AppData\Local\Temp\Hfolder\Hfolder.exe
"C:\Users\Admin\AppData\Local\Temp\Hfolder\Hfolder.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MBX@96C@1FA1AD0.###

Filesize
2KB

MD5
c323e69530f338ad6e6877e1729fb01c

SHA1
5d0c81fe27b8574f418e1d45165ebec698cb7873

SHA256
84cedc15a8f1a2ca2a633a497cd9f7764e09728b1119d4635b7aa7fb058d2770

SHA512
d7b8cf8ad6dd00f624779d878ba3334f1a5762a3a49be4fb973232f0d0bd299258001d9502158a93913fec8950850f17cf4d6e6814ab0d11e653e2e473b1b7f7

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@96C@1FA1AE0.###

Filesize
2KB

MD5
84bcbaa308beebd413ef963dcc68fec8

SHA1
347b9b2a8cdc80993c71bca2f3299324a7dc58ab

SHA256
70a406dee00412bac45487c5570863dd3a8f7561c89599912eb255f9fb4dad5f

SHA512
d68f92b95f4e6be243ebe0240f347300f21feb2b25b627b4227306ca1098ab906016e1af6314db34908c9a9471828017ddc38984426131b921ae546dd521993a

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@96C@1FA1AF0.###

Filesize
2KB

MD5
6377799c01f8806313e3b56a1fb1a362

SHA1
cc695913a1d18286d8f9af095f595a97361497ac

SHA256
07ae7990b7fa7353f19c20bc65bf64f863837630966980e16cb107a7210359a6

SHA512
68a7085f43af512c42e7abb9226d4fc7604d4b27994d93c9d990ad5a7fc7ec96ff41ea6f30485f52a71730d41a167371c82c3cab1c5febfd75163905bb18c1fa

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@96C@1FA1B00.###

Filesize
2KB

MD5
74187b36b3e0b6cc3baef521a6cfd886

SHA1
6041195118d88fc361eb16da3a45f78f5dc0afcf

SHA256
1bf5e48c72c95cff731468ab64557bd3a71ca032b83acce95ea5ba92ec4a2171

SHA512
685f45995ff435d4e670b3b5772ec9b39460446196b29462f108ac6a16e9f9868248da2e6063593ab7aab4bfb626233e66db0bfebee28f673552d534de9affe6

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@96C@1FA1B10.###

Filesize
2KB

MD5
67fc7843c3110e526e9f5cb89dee8964

SHA1
f92d33c60f71c48c944dc68dbf225f8ea3f07450

SHA256
b91dacba690ca33d0546c08b7b3053085cb402b15f039f9f4a2cb208b890780c

SHA512
f2c96d2a6550cad3acf0bad0199ff6b728222ea20bd1ee998b11543e8e9dc79b0b4a736e902f95e8969b9366f3361dcf267240fa8f8733d67460245c9a5c8f66

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@96C@1FA1B20.###

Filesize
2KB

MD5
ffd9f537ed1e5c03068eec32ab2ea826

SHA1
417be03c847605f47afc9371cb3ee675f40dc241

SHA256
b9872fcd0d9a19e94fbbc09b30b5bc792d26861740e82d9ad711508dbbc0b140

SHA512
eecc798cf1682dcb2448f8bb3d66cdb059112d1bed69a1b537c31671b96b548049ef3b0978228000caeeb13c0bec1e13caa335154a066d9c949ff839089ef41d

Download Submit
memory/2412-28-0x0000000001F70000-0x0000000001F84000-memory.dmp

Filesize
80KB

Download
memory/2412-29-0x0000000001F70000-0x0000000001F84000-memory.dmp

Filesize
80KB

Download
memory/2412-10-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-14-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2412-9-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-17-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-16-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2412-15-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2412-8-0x0000000010000000-0x000000001011F000-memory.dmp

Filesize
1.1MB

Download
memory/2412-21-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/2412-22-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/2412-24-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-23-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/2412-6-0x0000000010000000-0x000000001011F000-memory.dmp

Filesize
1.1MB

Download
memory/2412-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-31-0x00000000004C1000-0x00000000004C3000-memory.dmp

Filesize
8KB

Download
memory/2412-30-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-7-0x0000000010000000-0x000000001011F000-memory.dmp

Filesize
1.1MB

Download
memory/2412-2-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-37-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-35-0x0000000002740000-0x00000000027A2000-memory.dmp

Filesize
392KB

Download
memory/2412-40-0x0000000002740000-0x00000000027A2000-memory.dmp

Filesize
392KB

Download
memory/2412-46-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-45-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-44-0x00000000025C0000-0x00000000025E2000-memory.dmp

Filesize
136KB

Download
memory/2412-43-0x00000000025C0000-0x00000000025E2000-memory.dmp

Filesize
136KB

Download
memory/2412-42-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-1-0x00000000004C1000-0x00000000004C3000-memory.dmp

Filesize
8KB

Download
memory/2412-36-0x0000000002740000-0x00000000027A2000-memory.dmp

Filesize
392KB

Download
memory/2412-47-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2412-50-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2412-53-0x0000000002740000-0x00000000027A2000-memory.dmp

Filesize
392KB

Download
memory/2412-54-0x00000000025C0000-0x00000000025E2000-memory.dmp

Filesize
136KB

Download
memory/2412-51-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/2412-49-0x0000000010000000-0x000000001011F000-memory.dmp

Filesize
1.1MB

Download
memory/2412-77-0x0000000010000000-0x000000001011F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads