04f2a8898a764cdf76b13e9953cf92ce8d0804b794beeb6f9e38a51df588bc8f

General

Target

HD Tune Pro 6.00.exe
Size

1.9MB
MD5

9fed1ed409876c05f188a103c416ee60
SHA1

93404c1c03b73c00b71ea1df65891b2cdc0a701e
SHA256

56c10ba46c1fa1eb80cd994c837e48427ec6d8e4f820fd3ab2b90e1754ce85c5
SHA512

841bc072f2357faed751b5740d0d82c7e6740b4af2fc3a291c9a924d330e35821c8a420f80cdbe597418784f6d522702a8893e9cabc5465ef57d0f2065c60ad8
SSDEEP

49152:Q6whCHo0pkxT/ip6DzkNaX+9KhEmJf5XtWQLxpk/:wsHPpkV6pgkLU/fzW

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD Tune Pro 6.00.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HD Tune Pro 6.00.exe

Executes dropped EXE 1 IoCs

Processes:

HDTunePro.exe

pid	Process
1420	HDTunePro.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HDTunePro.exe

description	ioc	Process
File opened (read-only)	\??\O:	HDTunePro.exe
File opened (read-only)	\??\P:	HDTunePro.exe
File opened (read-only)	\??\U:	HDTunePro.exe
File opened (read-only)	\??\V:	HDTunePro.exe
File opened (read-only)	\??\D:	HDTunePro.exe
File opened (read-only)	\??\H:	HDTunePro.exe
File opened (read-only)	\??\I:	HDTunePro.exe
File opened (read-only)	\??\K:	HDTunePro.exe
File opened (read-only)	\??\Y:	HDTunePro.exe
File opened (read-only)	\??\Z:	HDTunePro.exe
File opened (read-only)	\??\M:	HDTunePro.exe
File opened (read-only)	\??\T:	HDTunePro.exe
File opened (read-only)	\??\B:	HDTunePro.exe
File opened (read-only)	\??\F:	HDTunePro.exe
File opened (read-only)	\??\G:	HDTunePro.exe
File opened (read-only)	\??\J:	HDTunePro.exe
File opened (read-only)	\??\E:	HDTunePro.exe
File opened (read-only)	\??\N:	HDTunePro.exe
File opened (read-only)	\??\R:	HDTunePro.exe
File opened (read-only)	\??\X:	HDTunePro.exe
File opened (read-only)	\??\W:	HDTunePro.exe
File opened (read-only)	\??\A:	HDTunePro.exe
File opened (read-only)	\??\L:	HDTunePro.exe
File opened (read-only)	\??\Q:	HDTunePro.exe
File opened (read-only)	\??\S:	HDTunePro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

HDTunePro.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HDTunePro.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4316-0-0x0000000140000000-0x00000001400B0000-memory.dmp	upx
behavioral2/memory/444-10-0x0000000140000000-0x00000001400B0000-memory.dmp	upx
behavioral2/memory/4316-13-0x0000000140000000-0x00000001400B0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

HDTunePro.exe

pid	Process
1420	HDTunePro.exe
1420	HDTunePro.exe
1420	HDTunePro.exe
1420	HDTunePro.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

HDTunePro.exe

pid	Process
1420	HDTunePro.exe
1420	HDTunePro.exe
1420	HDTunePro.exe
1420	HDTunePro.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

HDTunePro.exe

pid	Process
1420	HDTunePro.exe
1420	HDTunePro.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

HD Tune Pro 6.00.exeHD Tune Pro 6.00.execmd.exe

description	pid	Process	procid_target
PID 4316 wrote to memory of 444	4316	HD Tune Pro 6.00.exe	83
PID 4316 wrote to memory of 444	4316	HD Tune Pro 6.00.exe	83
PID 444 wrote to memory of 1408	444	HD Tune Pro 6.00.exe	84
PID 444 wrote to memory of 1408	444	HD Tune Pro 6.00.exe	84
PID 1408 wrote to memory of 1460	1408	cmd.exe	86
PID 1408 wrote to memory of 1460	1408	cmd.exe	86
PID 1408 wrote to memory of 64	1408	cmd.exe	87
PID 1408 wrote to memory of 64	1408	cmd.exe	87
PID 1408 wrote to memory of 2428	1408	cmd.exe	88
PID 1408 wrote to memory of 2428	1408	cmd.exe	88
PID 1408 wrote to memory of 3504	1408	cmd.exe	89
PID 1408 wrote to memory of 3504	1408	cmd.exe	89
PID 1408 wrote to memory of 1348	1408	cmd.exe	90
PID 1408 wrote to memory of 1348	1408	cmd.exe	90
PID 1408 wrote to memory of 2604	1408	cmd.exe	91
PID 1408 wrote to memory of 2604	1408	cmd.exe	91
PID 1408 wrote to memory of 1648	1408	cmd.exe	92
PID 1408 wrote to memory of 1648	1408	cmd.exe	92
PID 1408 wrote to memory of 5048	1408	cmd.exe	93
PID 1408 wrote to memory of 5048	1408	cmd.exe	93
PID 1408 wrote to memory of 1424	1408	cmd.exe	94
PID 1408 wrote to memory of 1424	1408	cmd.exe	94
PID 1408 wrote to memory of 1420	1408	cmd.exe	95
PID 1408 wrote to memory of 1420	1408	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe
"C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe
  "C:\Users\Admin\AppData\Local\Temp\HD Tune Pro 6.00.exe" -sfxwaitall:1 "HDTunePro\cmd.cmd"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\cmd.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Name" /t REG_SZ /d "Administrator"
      4⤵
      PID:1460
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Company" /t REG_SZ /d "EFD Software"
      4⤵
      PID:64
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Test Parameters 1" /t REG_SZ /d "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
      4⤵
      PID:2428
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Test Parameters 7" /t REG_SZ /d "00 00 00 00 00 00 00 00 08 00 00 0B 00 00 00 00"
      4⤵
      PID:3504
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "Test Parameters 3" /t REG_SZ /d "29 23 6C 64 95 B6 F2 89 F1 50 E8 D6 00 00 00 00"
      4⤵
      PID:1348
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "x1" /t REG_DWORD /d 505
      4⤵
      PID:2604
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "y1" /t REG_DWORD /d 89
      4⤵
      PID:1648
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "x2" /t REG_DWORD /d 1096
      4⤵
      PID:5048
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\EFD Software\HDTunePro" /f /v "y2" /t REG_DWORD /d 764
      4⤵
      PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\HDTunePro.exe
      HDTunePro.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\HDTunePro.exe

Filesize
4.8MB

MD5
764c6beb62995a0ba5475228717e8f80

SHA1
34280c3ff82e6af4532839aff894e497916c40d8

SHA256
8c68cb50599a9ee8ff3a41a89dbda8049f92a980259573e9996e50960118aae6

SHA512
261225d437c89b77ac292e9d64155c4d2381e03e78d1576e1c885dc75e2e5787f92fc3f9f05625fd963a354f8c8adddb6ee9e942bdee0a879789eba944c2c91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HDTunePro\cmd.cmd

Filesize
971B

MD5
2e97e498fb093502076fb7301e3303bf

SHA1
11aa4c777b05ee59d5f7b4999f6e6365d9ca1260

SHA256
9adba7ce963c343d9af2f4b29abacae29354f4e5b39d0901bcaeaed0a049faed

SHA512
08bae67edd43dfc4bc5ecbc24edc0164eb5c223e2d2c122b09f324bc6c509a0b06d391db9514e089d0180d662a302407e287486ef4d7a542624c86dca5aec597

Download Submit
memory/444-10-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/4316-0-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/4316-13-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads