04f2a8898a764cdf76b13e9953cf92ce8d0804b794beeb6f9e38a51df588bc8f

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HD Tune Pro 6.00.exe
Size

1.9MB
MD5

9fed1ed409876c05f188a103c416ee60
SHA1

93404c1c03b73c00b71ea1df65891b2cdc0a701e
SHA256

56c10ba46c1fa1eb80cd994c837e48427ec6d8e4f820fd3ab2b90e1754ce85c5
SHA512

841bc072f2357faed751b5740d0d82c7e6740b4af2fc3a291c9a924d330e35821c8a420f80cdbe597418784f6d522702a8893e9cabc5465ef57d0f2065c60ad8
SSDEEP

49152:Q6whCHo0pkxT/ip6DzkNaX+9KhEmJf5XtWQLxpk/:wsHPpkV6pgkLU/fzW

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1924	HDTunePro.exe
1180	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1932	cmd.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	HDTunePro.exe
File opened (read-only)	\??\Z:	HDTunePro.exe
File opened (read-only)	\??\B:	HDTunePro.exe
File opened (read-only)	\??\E:	HDTunePro.exe
File opened (read-only)	\??\L:	HDTunePro.exe
File opened (read-only)	\??\V:	HDTunePro.exe
File opened (read-only)	\??\S:	HDTunePro.exe
File opened (read-only)	\??\T:	HDTunePro.exe
File opened (read-only)	\??\X:	HDTunePro.exe
File opened (read-only)	\??\Y:	HDTunePro.exe
File opened (read-only)	\??\A:	HDTunePro.exe
File opened (read-only)	\??\D:	HDTunePro.exe
File opened (read-only)	\??\P:	HDTunePro.exe
File opened (read-only)	\??\R:	HDTunePro.exe
File opened (read-only)	\??\J:	HDTunePro.exe
File opened (read-only)	\??\M:	HDTunePro.exe
File opened (read-only)	\??\O:	HDTunePro.exe
File opened (read-only)	\??\Q:	HDTunePro.exe
File opened (read-only)	\??\K:	HDTunePro.exe
File opened (read-only)	\??\N:	HDTunePro.exe
File opened (read-only)	\??\U:	HDTunePro.exe
File opened (read-only)	\??\F:	HDTunePro.exe
File opened (read-only)	\??\G:	HDTunePro.exe
File opened (read-only)	\??\H:	HDTunePro.exe
File opened (read-only)	\??\I:	HDTunePro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HDTunePro.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2988-0-0x0000000140000000-0x00000001400B0000-memory.dmp	upx
behavioral1/memory/544-9-0x0000000140000000-0x00000001400B0000-memory.dmp	upx
behavioral1/memory/2988-13-0x0000000140000000-0x00000001400B0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1924	HDTunePro.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1924	HDTunePro.exe
1924	HDTunePro.exe
1924	HDTunePro.exe
1924	HDTunePro.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1924	HDTunePro.exe
1924	HDTunePro.exe
1924	HDTunePro.exe
1924	HDTunePro.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1924	HDTunePro.exe
1924	HDTunePro.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 544	2988	HD Tune Pro 6.00.exe	30
PID 2988 wrote to memory of 544	2988	HD Tune Pro 6.00.exe	30
PID 2988 wrote to memory of 544	2988	HD Tune Pro 6.00.exe	30
PID 544 wrote to memory of 1932	544	HD Tune Pro 6.00.exe	31
PID 544 wrote to memory of 1932	544	HD Tune Pro 6.00.exe	31
PID 544 wrote to memory of 1932	544	HD Tune Pro 6.00.exe	31
PID 1932 wrote to memory of 284	1932	cmd.exe	33
PID 1932 wrote to memory of 284	1932	cmd.exe	33
PID 1932 wrote to memory of 284	1932	cmd.exe	33
PID 1932 wrote to memory of 2484	1932	cmd.exe	34
PID 1932 wrote to memory of 2484	1932	cmd.exe	34
PID 1932 wrote to memory of 2484	1932	cmd.exe	34
PID 1932 wrote to memory of 2456	1932	cmd.exe	35
PID 1932 wrote to memory of 2456	1932	cmd.exe	35
PID 1932 wrote to memory of 2456	1932	cmd.exe	35
PID 1932 wrote to memory of 2076	1932	cmd.exe	36
PID 1932 wrote to memory of 2076	1932	cmd.exe	36
PID 1932 wrote to memory of 2076	1932	cmd.exe	36
PID 1932 wrote to memory of 1712	1932	cmd.exe	37
PID 1932 wrote to memory of 1712	1932	cmd.exe	37
PID 1932 wrote to memory of 1712	1932	cmd.exe	37
PID 1932 wrote to memory of 2052	1932	cmd.exe	38
PID 1932 wrote to memory of 2052	1932	cmd.exe	38
PID 1932 wrote to memory of 2052	1932	cmd.exe	38
PID 1932 wrote to memory of 2304	1932	cmd.exe	39
PID 1932 wrote to memory of 2304	1932	cmd.exe	39
PID 1932 wrote to memory of 2304	1932	cmd.exe	39
PID 1932 wrote to memory of 2336	1932	cmd.exe	40
PID 1932 wrote to memory of 2336	1932	cmd.exe	40
PID 1932 wrote to memory of 2336	1932	cmd.exe	40
PID 1932 wrote to memory of 2360	1932	cmd.exe	41
PID 1932 wrote to memory of 2360	1932	cmd.exe	41
PID 1932 wrote to memory of 2360	1932	cmd.exe	41
PID 1932 wrote to memory of 1924	1932	cmd.exe	42
PID 1932 wrote to memory of 1924	1932	cmd.exe	42
PID 1932 wrote to memory of 1924	1932	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe
"C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe
  "C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe" -sfxwaitall:1 "HDTunePro\cmd.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\cmd.cmd" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Name" /t REG_SZ /d "Administrator"
      4⤵
      PID:284
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Company" /t REG_SZ /d "EFD Software"
      4⤵
      PID:2484
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Test Parameters 1" /t REG_SZ /d "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
      4⤵
      PID:2456
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Test Parameters 7" /t REG_SZ /d "00 00 00 00 00 00 00 00 08 00 00 0B 00 00 00 00"
      4⤵
      PID:2076
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Test Parameters 3" /t REG_SZ /d "29 23 6C 64 95 B6 F2 89 F1 50 E8 D6 00 00 00 00"
      4⤵
      PID:1712
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "x1" /t REG_DWORD /d 505
      4⤵
      PID:2052
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "y1" /t REG_DWORD /d 89
      4⤵
      PID:2304
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "x2" /t REG_DWORD /d 1096
      4⤵
      PID:2336
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "y2" /t REG_DWORD /d 764
      4⤵
      PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\HDTunePro.exe
      HDTunePro.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\cmd.cmd

Filesize
971B

MD5
2e97e498fb093502076fb7301e3303bf

SHA1
11aa4c777b05ee59d5f7b4999f6e6365d9ca1260

SHA256
9adba7ce963c343d9af2f4b29abacae29354f4e5b39d0901bcaeaed0a049faed

SHA512
08bae67edd43dfc4bc5ecbc24edc0164eb5c223e2d2c122b09f324bc6c509a0b06d391db9514e089d0180d662a302407e287486ef4d7a542624c86dca5aec597

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\HDTunePro.exe

Filesize
4.8MB

MD5
764c6beb62995a0ba5475228717e8f80

SHA1
34280c3ff82e6af4532839aff894e497916c40d8

SHA256
8c68cb50599a9ee8ff3a41a89dbda8049f92a980259573e9996e50960118aae6

SHA512
261225d437c89b77ac292e9d64155c4d2381e03e78d1576e1c885dc75e2e5787f92fc3f9f05625fd963a354f8c8adddb6ee9e942bdee0a879789eba944c2c91f

Download Submit
memory/544-9-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2988-0-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2988-13-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2988-14-0x0000000000200000-0x00000000002B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads